Heal: Emerging technology making the world healthier

Protecting the Health and Safety of Connected Medical Devices

Connected medical devices can dramatically improve how healthcare is delivered and diseases are treated—once their own security ills are cured.

Today, thanks to technology, a brave new world of medicine is upon us.

The Internet of Things (IoT) is rapidly changing how and where medical care is provided. Moreover, the data that IoT devices collect promises to greatly increase our understanding of illness.

The number of wearable medical devices shipped each year is projected to grow from 2.5 million in 2016 to nearly 100 million by 2021. Many of these devices are available today, helping patients do everything from monitoring their glucose levels to reducing their pain:

  • Diabetes patients can continuously track glucose levels and apply microdoses of insulin at home using Medtronic’s pager-sized MiniMed 530G system, and then upload that data to their doctors.
  • Nonin’s WristOx2 may look like a geeky wristwatch, but instead of measuring time it clocks heart rate and blood oxygen levels. The device allows doctors to monitor asthma patients at home to detect early signs of chronic obstructive pulmonary disease.
  • Chronic pain sufferers can strap on Quell, a stretchable band that wraps around the upper calf. It measures physical activity and delivers microcurrent to the wearer’s nervous system to reduce pain levels. The amount and duration of the charge can be controlled using a smartphone app.
  • The VitalPatch is a bandage-like sensor that adheres to the skin and measures heart and respiratory rate, skin temperature, and posture. It then feeds that information to physicians via the cloud. By applying predictive analytics to this continuous flow of data, doctors hope to detect early warning signs of congestive heart failure or sepsis.

In fact, while these IoT devices serve real physical needs, their true value may come from the data they collect. Just as tracking our cholesterol and glucose levels allows us to fend off heart disease and diabetes, device data may one day help us identify ailments before any symptoms appear.

For example, researchers at the University of Michigan are using data collected from wearable devices and mobile phones to study how mood, sleep, and circadian rhythms contribute to depression. In April 2016, Pfizer and IBM announced a project to apply machine learning to data collected from sensors and mobile devices to study the progression and treatment of Parkinson’s. And Johnson & Johnson, the world’s largest independent biotech company, has invested heavily in cloud-based analytics to drive the creation of new pharmaceuticals, treatments, and medical devices.

Creating smarter tools that allow physicians to deliver medical care more efficiently could shave billions of dollars annually from the cost of treatment. And by collecting data from millions of devices and running it through cloud-based machine-learning algorithms, we could enter a new phase of predictive medicine, where incipient diseases can be detected and treated well before they cause real damage.

Yet the same technology that could enhance and prolong our lives could also end them prematurely if it fell into the wrong hands. The biggest barriers to this brave new world of connected medicine are the devices themselves, which are rarely designed with security in mind.

From Hack Attacks to Heart Attacks

In the rush to connect medical devices, security has largely been an afterthought, says Aditya Gupta, CEO of IoT security firm Attify and author of The IoT Hackers Handbook.

“Most IoT devices are insecure, and sensitive medical devices are really insecure,” he says. “We have worked with a number of medical companies in the U.S. and India, and found all sorts of vulnerabilities.”

For example, using what’s known as a “radio relay attack,” a hacker could intercept and alter wireless signals being sent to a connected insulin pump, causing it to deliver a potentially lethal dose of the drug, Gupta says.

This is more than hypothetical. In August 2016, security researchers revealed that connected pacemakers and defibrillators built by St. Jude Medical could be hacked. The vulnerability could potentially allow attackers to drain the device’s battery, alter heart rate settings, or trigger shocks that could cause cardiac arrest.

A few months later, Johnson & Johnson warned 114,000 customers that its Animas OneTouch Ping insulin pump had a security flaw that could enable an outside attacker to change the amount of insulin it delivered, putting patients at risk of hypoglycemia.

Fortunately, no known attacks on these devices were ever reported. St. Jude released a fix for the flaw in January 2017; the Ping’s vulnerability can be neutralized by turning off its internal radio.

The danger was also limited by proximity; hackers needed to be in the same room as these devices in order to attack them. However, Gupta warns that an attacker using a good directional antenna could target vulnerable devices from up to a half mile away.

Critical Conditions

But there’s good news: The problem of insecure medical devices is finally getting the attention it deserves. Even the U.S. Congress has taken note.

The Health Care Industry Cybersecurity Task Force, a public/private partnership established under the Cybersecurity Act of 2015, concluded in a June 2017 report that healthcare security is in “critical condition,” due in large part to legacy medical equipment with literally thousands of vulnerabilities.

The problem is that most of these devices were never intended to be connected and thus lack even the most basic protections, says Beau Woods, deputy director of the Cyber Safety Innovation Fellow at the Atlantic Council, an American think tank devoted to international security.

“But because of massive changes in the way we do healthcare and insurance, those devices were then retrofitted to be connected to everything else,” he says. “There are a lot of really good reasons why we want to connect these devices, but in our rush to do so, security issues got more or less ignored.”

Woods says connected medical devices are improving rapidly, thanks to the attention they’re receiving from security researchers, healthcare practitioners, lawmakers, and the FDA. But a lot of outdated equipment remains.

“The best medical devices from the best device makers are really good,” he says. “The worst medical device maker, maybe one that’s 30 years old and has gone out of business, is going to have really bad security.”

Looking for the Cure

And when hospitals and large healthcare organizations deploy vulnerable devices, they open their entire networks to attack. For the last two years, the healthcare industry has been especially plagued by ransomware. Attacks on businesses have tripled over the last year; nearly nine out of every ten ransomware infections in 2016 targeted a healthcare provider.

In February 2016, Hollywood Presbyterian Medical Center in Los Angeles was paralyzed for 10 days after a ransomware attack took down its entire network, including some medical devices. The hospital ultimately paid $17,000 to regain control of its network. In the meantime, emergency patients had to be diverted to other hospitals, and doctors were forced to chart treatments using paper and pen.

One way to mitigate the danger of vulnerable devices is network segmentation: isolating potentially hackable systems on their own virtual network, so even if a device is compromised, the attack doesn’t spread.

“I like to segment IoT devices into those that are capable of killing you and those that are not,” says Mark S. Kadrich, a consultant who’s been chief information security officer at several Southern California healthcare facilities. “That’s a lot more practical than trying to put a firewall in front of every single device.”

Before they do that, though, administrators need to have a clear idea of what devices are connected, where all that information is flowing, and what happens when that portion of the network is shut down. Many don’t, Kadrich says.

“If you’ve got a connected baby monitor, you want to know if it will continue to monitor infants when the network goes down,” Kadrich says. “Sometimes the only way to find out is to shut the network off.”

Security often comes down to basic asset management, says Mike Meikle, CEO of secureHIM, a healthcare cybersecurity and education firm.

“A lot of times the IT department doesn’t even know these devices exist because they’ve been set up by vendors in radiology or oncology or cardiology,” he says. “They don’t have proper asset management in place to know what devices are on their network.”
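The segmentation and asset-management checks described above can be combined into one audit. The following is an added example, not part of the original article: it compares an inventory against observed traffic and reports devices on the wrong segment, addresses missing from the inventory, and unapproved traffic between segments. All addresses, device names, subnets, and function names are constructed for illustration.

```python
import ipaddress

# Constructed segment plan: the two classes Kadrich describes, one subnet each.
SEGMENTS = {
    "life-critical": ipaddress.ip_network("10.20.0.0/24"),
    "general": ipaddress.ip_network("10.30.0.0/24"),
}
# Constructed inventory: address -> (device name, can it harm a patient?).
INVENTORY = {
    "10.20.0.11": ("infusion-pump-3", True),
    "10.30.0.12": ("patient-monitor-7", True),   # sits on the wrong subnet
    "10.30.0.40": ("billing-kiosk", False),
    "10.30.0.41": ("telemetry-gateway", False),
}
# Constructed flow records (source, destination), e.g. from a network tap.
FLOWS = [
    ("10.30.0.40", "10.20.0.11"),
    ("10.30.0.41", "10.20.0.11"),
    ("10.30.0.99", "10.30.0.40"),   # source is not in the inventory
    ("10.30.0.12", "10.30.0.41"),
]
# Cross-segment flows that were reviewed and approved (constructed).
ALLOWED = {("10.30.0.41", "10.20.0.11")}


def segment_of(addr):
    """Return the name of the segment whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def audit(inventory, flows, allowed):
    """Check segment placement, inventory coverage, and segment isolation."""
    report = {"misplaced": [], "unknown": [], "cross_segment": []}
    for addr, (name, can_harm) in sorted(inventory.items()):
        wanted = "life-critical" if can_harm else "general"
        if segment_of(addr) != wanted:
            report["misplaced"].append(name)
    for src, dst in flows:
        for addr in (src, dst):
            if addr not in inventory and addr not in report["unknown"]:
                report["unknown"].append(addr)
        if segment_of(src) != segment_of(dst) and (src, dst) not in allowed:
            report["cross_segment"].append((src, dst))
    return report


if __name__ == "__main__":
    for finding, items in audit(INVENTORY, FLOWS, ALLOWED).items():
        print(finding, items)
```
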

Another big problem is a lack of tech expertise. Large hospitals have staff dedicated to ensuring data security; small healthcare organizations rarely can afford even a part-time IT person. When faced with the choice between hiring a medical specialist who can bring in more revenue or a geek who can fix their systems, small practices almost always choose the former.

Medical devices are constantly being added to a healthcare facility’s already large and diverse technology infrastructure. To help make sense of this complexity, tech companies are developing smart solutions that allow healthcare providers to manage, monitor, and secure their entire IoT infrastructure through a single console.

But every modern healthcare organization, large or small, needs to pay attention to security, says Meikle.

“It’s pretty simple,” he says. “Patch your stuff. Know what’s on your network and who has access to it. Know where your critical data is, and have someone in your organization who’s responsible for security, even if it’s only a quarterly review.”

One day, our lives may depend on it.

The Possibility Report is an ongoing series about how technology is changing our understanding of the world around us. This article is part of HEAL, our discussion about the ways technology can be used to heal human bodies, animal populations, and the entire planet.