Connecting unpatched devices to the internet is opening hospitals up to attack, claims nurse
Too many insecure medical devices are being unnecessarily connected to the internet, claims one nurse, who says that some WiFi-enabled tools are risking patients’ lives.
A recent slew of security vulnerabilities in medical Internet of Things (IoT) devices has seen the manipulation of heartbeat monitors, malware in pacemakers, and the breach of thousands of data files each year.
With medical centers across the globe running outdated systems, unpatched computers, and vulnerable tech, one pediatric nurse has a simple answer for the problem – stop connecting insecure computers that store sensitive information to the web.
“It’s [the internet] easier, it’s faster, but I’m pretty sure that if medical professionals know how dangerous it is, they will choose safety,” Jelena Milosevich told The Daily Swig.
But disconnecting devices from the web is just a basic solution. In order to combat the ever-growing threat of cybercrime in the healthcare sector, we need to employ higher levels of security.
Milosevich, a pediatric intensive care nurse and InfoSec campaigner, spoke to The Daily Swig after giving a talk on medical security at BSides Manchester last week.
She told attendees that when it comes to medical devices, it is the vendor’s responsibility to ensure security is enabled by design – a doctor doesn’t check his factory-made utensils are sterile, she said, they just assume they are.
Her comments come after an influx of medical devices were found to contain vulnerabilities – some of which could prove life-threatening.
Just this week, a cardiovascular imaging device manufactured by Philips was discovered to contain a high-severity code execution flaw requiring only ‘low-level’ skills to exploit.
Researchers recently found they were able to install malware on an already-implanted pacemaker device made by Medtronic.
And at Defcon earlier this month, McAfee researchers proved that vital signs monitors could be altered to simulate a flatline on a patient’s heartbeat.
This could put patients at risk of serious harm if the wrong treatment was administered as a result of falsified vitals.
“They’re able to be hacked from far, far away if they’re connected to the internet – it’s already been done,” said Milosevich.
Milosevich added: “Hospitals accept everything, we don’t require everything to be secure, we just accept it from vendors.
“We need to say if you don’t deliver on security we will buy it from someone else. We need to take a break, take a step back, and look at what we really need.
“It’s also important to look from the medical side, do we need our devices to be connected or not?
“There is a need for some devices to be connected but if we can’t ensure that it is 99% protected we shouldn’t connect. And when we do need it, the security should be at the highest level.”
During her extensive career as a nurse, Milosevich said poor security hygiene in the workplace was widespread.
Computers were left unattended and could be easily accessed by any visitor, and staff members were known to connect their social media and Spotify accounts to medical computers and devices.
Usernames and passwords were also noted down in the staff room, though Milosevich did say that this habit has decreased.
A report by McAfee Threat Labs in March determined that cybercriminals are “disproportionately” hacking the healthcare sector, due to its reputation as a weak target.
And it’s not just attacks on IoT devices that are putting patients’ health at risk.
Milosevich told audiences at AppSec Europe last month how medical records were highly sought after thanks to the availability of data.
Leaked personal health records could also have a negative impact when it comes to applying for jobs, and can encourage scammers to use the data to claim health insurance payouts.
But it mustn’t get to the point where patients distrust hospitals so much that they’re not willing to disclose their symptoms, Milosevich said.
She added: “We take all of a patient’s information – name, address, date of birth, everything, and when these medical apps are used, when the details are downloaded, medical staff don’t know where it’s going – it could be anywhere, a lot of the time it’s on a public cloud.
“This does not just affect hospitals financially – the consequences are that patients will lose trust with the doctors.
“And if patients lose trust they will stop telling doctors what has happened, they will try to protect their data and not be honest with us.”
Milosevich concluded: “It doesn’t cost a lot of money to prevent against attacks.”