Smart medical devices are supposed to make it easier for medical professionals to monitor and adjust implanted and wearable devices for patients. However, hackers are getting in the way, as usual.
As incredible as many of these devices are, security isn’t always a top priority. After all, why would anyone want to hack a pacemaker? The truth is smart medical devices need smarter security. This is especially evident with the latest flaws involving Bluetooth, the technology many of these devices rely on.
Bluetooth Low Energy Flaws
Numerous devices, not just medical devices, rely on Bluetooth to communicate. Smart medical devices in particular often use Bluetooth Low Energy, or BLE.
Researchers from the Singapore University of Technology and Design began testing Bluetooth for dangerous flaws. Their findings are shocking. They found 12 different bugs that could put as many as 480 types of devices at risk. These include medical tools, implants, wearables, smart locks, and much more.
The researchers named the bugs SweynTooth. The bugs aren’t necessarily in BLE itself; the problem is the way BLE is used in the software development kits that run the flawed devices.
The only good news is hackers have to be within radio range to target any of these devices. Yet, if you’re relying on a smart pacemaker to keep you alive, you probably aren’t going to feel great knowing a hacker sitting next to you could target you.
Smart Medical Devices at Risk
According to CI Security, there are five main types of hacked medical devices. Attackers target medical devices to steal patient data, force healthcare facilities to pay ransoms, and hurt patients just to prove it’s possible.
CI Security lists:
- Infusion and insulin pumps – Hackers can disrupt how medicine is delivered and access patient details.
- Smart pens – While they’re not implanted, they are used to document patient details, which can be hacked.
- Implantable cardiac devices – Multiple software updates have been released to plug security holes. Hackers can use DoS attacks to hurt or even kill patients.
- Vital monitors – These wireless and Bluetooth-enabled devices leave data exposed to hackers if it’s not properly encrypted.
- IoT temperature sensors – Not only can data be intercepted or hacked, but a hacked sensor might not read temperatures correctly, resulting in harm to the patient.
While hackers typically target patient data for identity theft, patients’ lives are at risk with every attack.
Even if only a hospital’s network is compromised, hackers can gain control of connected devices. They could also read all data being transmitted back from patients. This further puts patients at risk.
As more smart medical devices are put into use, attacks on them will increase. Focusing on security now helps prevent devastating attacks later.
A Continuing Problem
Smart medical devices need better security. This isn’t a new problem, but it’s one that keeps getting pushed to the side. In the rush to get these devices and tools to patients and doctors, developers are missing obvious red flags and skipping critical security testing.
Yes, the devices are life-changing and life-saving, but they’re useless if people’s lives are being put at risk. The BLE flaws discovered back in September 2019 are just one more issue plaguing this industry.
The FDA states that there are “benefits and risks” to medical devices. However, since more of these devices are being connected to the Internet, an increasing cybersecurity risk needs to be addressed more effectively.
While the FDA lists medical device manufacturers and healthcare delivery organizations as being responsible, flawed devices are still being approved, as the FDA sees the benefits as outweighing the risks.
Searching for Solutions
There are two main solutions – testing and diligence. Without both, smart medical devices will continue to be risky for patients. Depending on how the device communicates, hackers only have to target one patient to gain access to a hospital’s network.
Testing is the first step. Before any device is released to the public, it needs to be thoroughly tested for security vulnerabilities. Manufacturers must ensure they’re partnering with software and hardware developers that are testing every component for any possible flaws.
Diligence means continued monitoring and testing. Once a device is released, it’s not enough to just wait for an issue to be reported. Manufacturers and software developers should monitor network and device activity as much as possible to check for potential attacks. Of course, if anything is found, they should research it and release security patches immediately.
Security in Progress
The good news is there are new standards in place to improve security in smart medical devices. In fact, noticeable progress has been made in just the last several years. The FDA even created a Medical Device Safety Action Plan and adopted ANSI (American National Standards Institute) UL 2900-2-1 as a universal standard for patients and medical device manufacturers.
While this is a start, medical professionals and device manufacturers have to fully adopt a culture of cybersecurity awareness and prevention. An overall lax culture hinders how well these devices are being secured.
Sadly, it’ll take time for smart medical devices to be as secure as they should be. Until then, even patients should be diligent and keep up with all cybersecurity news related to any medical devices they wear or have implanted.