As medical devices are directly connected to patients and have a direct impact on patient’s care, these devices must be protected from cyber threats. Unsecured medical devices with open vulnerabilities are prone to cyber threats and an easy target for hackers. With a large number of medical devices in use and FDA regulations to reduce cyber risk for pre-market and post-market devices, the need for medical device security has increased. According to the Global Market Insights report, the global healthcare cybersecurity market is expected to grow above US$ 27 billion by 2025 with a CAGR of 19.1% from US$ 8.2 billion in 2018.
Medical devices are broadly classified into home care and hospital care categories. Home care includes wearables, remote patient monitoring systems, portable health assessment devices, telehealth devices, and mobile applications. Hospital care includes static and implanted devices used in hospitals and laboratories such as infusion pumps, patient monitors, imaging systems, ventilators, and extracorporeal membrane oxygenation machines.
Cybersecurity- Home Care and Telemedicine Devices
With COVID-19 pandemic, we clearly see a growing demand for telehealth and other remote care technologies. Medical IoT (IoMT) devices can become a quick solution for the current situation, but that brings a lot of challenges, especially on the security front.
The increased number of IoMT devices for remote patient diagnosis significantly increases the potential vulnerabilities in the system. As telehealth devices and mobile applications are available at patient’s homes and connected to Wi-Fi or cellular networks for transmitting information to hospitals, they become more vulnerable to hacking.
1. Endpoint Security
As edge devices are not present in a secure network environment, it is easier for hackers to hijack the connected device such as health assessment device, portable ventilator or insulin pump, which send vital data to the hospital. Moreover, these devices are having default passwords and unavailability of firewall which make them most vulnerable. Hackers can get device access to implement malicious code and perform unauthorized modification of device software. Appropriate anti-malware mechanisms should be developed to ensure Device Integrity and protect it from spyware and trojan attacks. Further MedTech companies should ensure device setup with strict password policies. HIPAA compliance is also mandatory for endpoints used in accessing Patient Health Information (PHI).
2. Communication Security
Telehealth devices and mobile apps use video and audio communication over VoIP (Voice Over Internet Protocol) for patient-doctor interaction. Moreover, they also transfer patient vital data such as body temperature, pulse rate, respiration rate, blood pressure etc. from devices to hospitals via the internet. These communication intercepts are easy targets for hackers to compromise the PHI by modifying it.
Medical devices should have various Communication Security methods such as TLS and HTTPS protocol based encrypted (AES 128 bit or AES 256 bit) communication for secure vital data transfer. Video-audio communication should encrypt SIP and RTP packets with TLS and SRTP. Any firmware upgrade to a device should be performed from an authenticated source with bi-directional signature verification. Major automated cyber-attacks can be eliminated by identity confirmation based on multi-factor authentication such as unique code from smartphone, fingerprint authentication or security question.
Cybersecurity- Hospital Care Devices
Hospital care medical devices are different from standard PCs as they are designed to perform specific tasks. Infusion pumps produce higher security risk, as compromised pumps can deliver a different quantity than prescribed (lesser, higher, or stop the dose) and can lead to patient death or injury.
Why static and implanted medical devices are vulnerable?
- Legacy devices with outdated operating systems
- Never meant to exposed to the external network
- Not patchable as phased out from OEM
- Default passwords and non-availability of anti-virus and firewall
Let us look at a couple of vulnerabilities in software application and network environments which can cause serious implications on a patient’s health.
Ripple20 Vulnerabilities
In June 2020, the JSOF research lab has identified 19 zero-day vulnerabilities in the widely used TCP/IP software library stack developed by Treck Inc. resulting in millions of IoT devices affected. Some of these vulnerabilities have been labelled as critical because they allow unauthorized access of devices and perform remote code execution. Numerous medical devices can be compromised such as the infusion pump starts misbehaving leading to serious injury to patients.
Possible risk scenarios:
- An outside network attacker takes control of a device within the network
- An attacker uses the library vulnerabilities and targets specific devices within it
- An outside attacker bypass NAT configuration and performs an attack
Medical devices are required to update patches as these vulnerabilities are fixed in the latest version. If an update is not possible then perform different mitigation steps such as minimum device exposure to network, isolate device network from the business network and use secure remote access methods.
Ripple20 has affected a couple of medical device vendors such as Becton Dickinson, Baxter and Smiths Medical who have confirmed about vulnerabilities in their devices.
CT-GAN: Malicious Tampering of CT & MRI Scan 3D Imaging using DL Algorithm
In 2019, Israeli researchers had demonstrated that compromised hospital networks can give access to radiologist hosts to hackers. Further research shows that a hacker can insert or remove medical disorder from CT and MRI scans.
Researchers developed deep learning neural network based Generative Adversarial Network (GAN) algorithm. As the scans were not encrypted, they were able to manipulate 3D imagery by using GAN. They used two GANs in their CT-GAN software; one trained for injecting cancer and another trained for removing cancer. When asked, 99% of radiologists misdiagnosed these altered scans that inserted cancerous images and 94% of radiologists misdiagnosed that removed cancerous images. Researchers were also able to mislead AI based algorithms used by radiologists in diagnosis.
The mitigation includes the encryption between various nodes in a hospital’s radiology network. Another method is to use Digital Watermarking (DW) for image integrity. DW is a process of adding hidden signals which get corrupted in the tempered image and thus indicates the loss of integrity.
Conclusion
With a huge number of IoMT devices increasing in the healthcare ecosystem, the need for robust security measures is essential. Earlier efforts were on pre-market products to reduce vulnerability risk but with a large fleet of legacy medical devices, the need for post-market regulations has been implemented. We at eInfochips help our healthcare customers in risk management with our IoT Cybersecurity services. We help clients in the evaluation, remediation, and improvement of their medical device security with threat modeling, vulnerability management, and security design implementation. As a “partner of choice” for globally present clients in the healthcare domain and leveraging our in-depth domain and process expertise, we have developed HIPAA and ISO 13485 complied connected solutions for diagnostics, imaging, home care, remote monitoring, and telemedicine.
Connect with our experts to know more about IoT Cybersecurity service offerings for medical devices.