Like a slow-motion tsunami, the Internet of Things (IoT) is continuing to wash over an ever-greater portion of our lives, and now, our bodies. The use of smart, networked medical devices has been on the rise for years. These include both external devices, like ventilators, and internal devices, like pacemakers.
This trend is profoundly beneficial, as smarter medical devices provide an array of expanded capabilities that can improve quality of care for patients. As the devices used to monitor and diagnose patients gain the ability to communicate information more efficiently, they allow healthcare providers to more effectively meet patient needs, while also reducing costs. Given that the United States is currently facing a shortage of doctors and nurses – a shortage that is only expected to get worse – any technological solutions that can increase the ability of healthcare providers to help their patients is critically necessary
However, these improvements in patient care are not without risk. The increasing integration of networked technologies into the medical arena has opened up an array of threats that the healthcare industry is still working to fix. As pacemakers, drug pumps, and other devices become more connected, they become potential targets for cyber-attacks. This is not necessarily a new threat either – former Vice President Dick Cheney had the wireless functions on his pacemaker disabled explicitly to prevent it from being tampered with remotely.
Despite knowing that the threat exists, the efforts to close these vulnerabilities have been minimal. The Food and Drug Administration (FDA) has issued some guidance, but industry experts argue that it is insufficient. Mike Patterson, vice president of strategy for IT security firm Rook Security, told The Cipher Brief that, “with regulatory oversight relatively lacking, there is no major impetus for device manufacturers to strengthen device security.” Essentially, connectivity is increasing ahead of security, devices are being left vulnerable, and the situation is unlikely to improve until the government changes its regulations in this area. The lack of focus on security is particularly troubling given that healthcare providers are increasingly common targets for hackers.
Of special concern is the risk of smart medical devices being targeted by ransomware, a type of malware that locks up its target until a ransom is paid. In the medical field, the potential harm that ransomware could cause is significant – with everything from drug pumps to pacemakers being possible targets. While this scenario is troubling, so far hackers have only used ransomware to attack hospital administrative systems – not medical devices.
That being said, there is disagreement among experts as to how the threat from ransomware will change moving forward. According to Patterson, the picture is somewhat bleak. He feels that “the security of IoT devices will slowly improve as manufacturers get smarter about security, but hackers will almost always stay several steps ahead.” Kurt Hagerman, CISO for cybersecurity firm Armor, disagrees. According to him “the threat from ransomware will likely decrease as there are significantly increased efforts to combat it.”
While there is no consensus about how ransomware will continue to affect the healthcare industry, there is agreement that the current situation is untenable. Products are being designed and sent to market without enough time or attention being paid to security, and this is making everyone who depends upon these medical devices less safe.
However, change is unlikely to come from industry. The reason security is an afterthought is that security features add costs, and firms are primarily concerned with their bottom line.
Until the government steps in and updates its regulatory frameworks for these devices, the vulnerabilities will probably remain. And the government does not have a good track record of dealing with cybersecurity issues in a timely fashion. After all, it took the hacks of Sony, Target, Anthem, and the Office of Personnel Management just to get cybersecurity information sharing legislation through Congress. Hopefully, it won’t require a similar string of successful attacks before both government and industry improve their approach to securing smart medical devices.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.
