The growing cybersecurity risks of wearable medical devices

By Richard Staynings, Chief Security Strategist, Cylera



Patient engagement in the management of their own health is lousy at best.

We as patients tend to see the doctor only when absolutely needed.

In public health systems like the UK NHS, it often takes so long to get an appointment that people put off a visit altogether.

Today the patient-doctor interaction is periodic and inconsistent, and this is the pattern that most people adopt with regard to the monitoring of their health.

Wearables and mHealth, however, look set to change this by engaging patients in their own health and well-being.

Suddenly, healthcare has been democratised, and given our general reluctance or lack of access to medical care teams, this is surely a good thing.

The growth of medical wearables

The use of wearable medical devices has rocketed.

Latest reports show that the use of medical monitoring devices and wearable technology has tripled in the last four years.

In the US, 30 per cent of adults are now wearing some sort of wearable sensor to track their health and well-being, for example to monitor more high-level health conditions such as blood pressure, blood sugar levels, or ECG (heart rhythm and activity).

These IoT devices include hospital-prescribed equipment or the more familiar Fitbit or smartwatches, which many people use to check more basic, general fitness and well-being signs.

Whatever the use, the wearable medical device market is expected to be worth $174 billion by 2030.

Then, last month the Australian Government launched the My Health Record (MHR) app for Australians to upload and share their personal medical sensor data for clinical teams to access as well as be able to view their health information via their smartwatch and mobile devices.

There are many obvious benefits to patients and hospital staff, with individuals being able to remotely monitor their health and well-being via hospital assigned medical equipment.

However, as with any remote device operating over WiFi or a public network, with this comes a greater risk of the device being hacked.

For healthcare settings, the growth in IoT wearable devices being used in patients’ homes, which communicate back to the hospital network, is increasing the complexity of hospitals’ connected environments and expanding their attack surface, heightening the risk of a cyber-attack.

Growth in other medical devices

Medical wearables are not the only form of medical technology growing quickly in adoption and widescale use.

In 2021, traditional medical device sales grew by an impressive 18 per cent over the prior year as the industry recovered from COVID and set about achieving greater levels of automation via technology.

The range and variety of medical devices in use today is extensive.

Everything from simple patient telemetry systems that measure pulse, oxygenation, blood pressure and ECG, to large X-Ray, CT and PET scanners, to robotic surgical systems, to pharmacy and delivery robots that transport drugs and labs across hospitals, to radiotherapy and chemotherapy systems that treat patients, or infusion pumps that administer medications.

Today, 75 per cent of IP-connected endpoints in hospitals are unmanaged by IT, and most of these endpoints consist of legacy medical and other healthcare IoT devices.

Of concern is that these systems are rarely, if ever, patched against known security vulnerabilities and could be used as an infiltration route or ‘foothold’ on hospital networks.

Connected medical devices also pose a growing and significant patient safety risk.

These devices are often connected to the patient on one side and to the network on the other, placing patients at extreme risk if medical devices are compromised by hackers.

A number of security researchers have highlighted these risks in not just network-connected medical devices but also implanted medical devices (IMDs), including pacemakers and insulin pumps.

Over a decade ago computer expert Barnaby Jack demonstrated the wireless hacking of insulin pumps, typically worn by a diabetic.

Using a transparent mannequin, he demonstrated at the RSA security conference that he could wirelessly hack an insulin pump from a distance of up to 90 metres using a high-gain antenna.

Furthermore, he caused the demonstration pump to repeatedly deliver its maximum dose of 25 units until its entire reservoir of 300 units was depleted, amounting to many times a lethal dose if delivered to a typical patient.

The following year, Jack demonstrated the ability to assassinate a victim by hacking their pacemaker, a scenario first explored in the TV Series Homeland.

Medical wearables are just the latest innovation in medical devices that we need to be concerned about.

However, unlike other devices this category combines consumer purchased sensor devices with hospital issued devices which currently have different reporting mechanisms for the data collected, though this will likely change as we have seen in Australia.

These systems capture, store, process, and transmit personal medical data, and if any of this data includes PII (or a HIPAA designator in the US) then it becomes subject to regulation including GDPR.

The problem is that medical devices and the entire ecosystem of connected healthcare IoT systems, including a growing number of laboratory systems, surgical and pharmacy robots, and physical security and building management systems like CCTV cameras or HVAC and lifts, all represent a cybersecurity risk to healthcare provider networks.

These simple devices were never designed to be secure against cyber-attack or to be directly connected to medical networks.

Unless managed, they represent a clear and present danger to patient safety and a danger to the integrity and security of hospital networks.

They can relatively easily be compromised and used as a foothold on medical networks from which to launch more nefarious and perhaps devastating attacks including ransomware and other forms of cyber-extortion.

As we continue to expand our adoption and use of medical devices including wearables, it is vital that we design new devices to be cybersecure, and to be properly supported throughout a device’s expected lifespan.

This includes the timely release of security patches and software updates, and the testing and disclosure of any vulnerabilities.

However, we also need to address the security problems of legacy devices: systems that will, in many cases, continue to be used for the next 15 or 20 years, and for this we need hands-free automated tools.

These tools need to tell us what assets connect to our networks, what risks each presents and provide an automated path to risk remediation via compensating security controls if vendor patches are not available.
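The triage logic such a tool would need, sketched as an added example that is not Cylera's or the author's code: a constructed inventory of connected devices is scored on the factors the article names (unpatched known vulnerabilities, patient-connected, unmanaged by IT, out of vendor support), and each asset gets either "patch", "monitor" or a compensating-control plan (segmentation with an allow-list of the peers it must reach) when no vendor patch can be applied. The weights and device records are illustrative assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    kind: str
    managed_by_it: bool
    patient_connected: bool       # attached to a patient on one side
    known_vulns: int              # unpatched, publicly known issues
    vendor_patch_available: bool
    end_of_support: bool
    talks_to: list = field(default_factory=list)  # peers it legitimately needs

def risk_score(d: Device) -> int:
    """Higher is worse. Weights are illustrative, not a published standard."""
    score = min(d.known_vulns, 5) * 2
    if d.patient_connected:
        score += 5    # a compromise can harm the patient directly
    if not d.managed_by_it:
        score += 2    # nobody is watching it for drift or tampering
    if d.end_of_support:
        score += 3    # no future vendor patches will arrive
    return score

def risk_tier(score: int) -> str:
    return "critical" if score >= 10 else "high" if score >= 4 else "low"

def recommended_action(d: Device) -> str:
    """Patch when possible; otherwise a compensating network control."""
    if d.known_vulns == 0:
        return "monitor"
    if d.vendor_patch_available and not d.end_of_support:
        return "patch"
    peers = ", ".join(d.talks_to) or "no peers"
    action = f"isolate: dedicated segment, allow-list {peers} only"
    if d.patient_connected:
        action += "; alert on any new peer or protocol"
    return action

def triage(inventory):
    """Return (name, tier, action) rows, worst asset first."""
    scored = sorted(((risk_score(d), d) for d in inventory),
                    key=lambda pair: pair[0], reverse=True)
    return [(d.name, risk_tier(s), recommended_action(d)) for s, d in scored]

# Constructed sample inventory (hypothetical hostnames and states).
SAMPLE_INVENTORY = [
    Device("pump-07", "infusion_pump", False, True, 3, False, True, ["pump-server"]),
    Device("ct-02", "ct_scanner", True, False, 2, True, False, ["pacs"]),
    Device("wear-gw-1", "wearable_gateway", False, False, 0, True, False, ["mhr-api"]),
]
```

Running `triage(SAMPLE_INVENTORY)` puts the unsupported, patient-connected pump first with an isolation plan, the scanner second with a plain "patch", and the clean wearable gateway last as "monitor".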

About the Author

Richard Staynings grew up in the UK and is now an internationally renowned expert in the field of healthcare cybersecurity.

He has presented at security conferences across the world and has served on various industry working groups and government Committees of Inquiry into some of the largest healthcare breaches.

He serves as Chief Security Strategist for Cylera, pioneers in IoT and IoMT (Medical IoT) cybersecurity with offices in Cheltenham, Madrid and New York, and teaches postgraduate courses in cybersecurity and health informatics at University College Denver.

Follow Richard on LinkedIn and Cylera.
