The prospect of malicious actors targeting IoMT devices is terrifying for a number of reasons. First, the individual devices themselves are vulnerable. Most IoMT devices contain personal health information (PHI), have zero cyber protection, and are not connected to a managed network. This means that a hacker could steal a patient’s vital and confidential health information from his or her device without the patient even knowing. Further, a hacker could perpetrate a ransomware attack, effectively taking control of a remote care device and demanding money from the manufacturer in exchange for a return to normal operation.
Patients’ lives depend on these devices and an attack on a device could prove lethal. And in light of the recent hacks targeting hospitals, the U.S. Department of Health and Human Services and the World Health Organization (WHO), it’s clear that cyber-criminals are exploiting the coronavirus crisis to wreak havoc.
Understanding device vulnerability
How deep is the threat? Researchers from Singapore University of Technology and Design recently found multiple Bluetooth vulnerabilities that allow hackers within radio range of a device to access, attack, and completely crash a device. Dubbed “SweynTooth”, the multiple Bluetooth vulnerabilities are especially dangerous for medical devices. The FDA even warned manufacturers that “glucose monitors, insulin pumps, pacemakers and stimulators,” and “larger devices in healthcare facilities like ultrasound devices or monitors” are especially vulnerable.
Cyber criminals are all too aware of these weaknesses – and for the malicious hacker looking to reap financial gains or simply trigger mass chaos, remote care devices may become a target of choice.
In response, many chip and medical device manufacturers are checking their devices for vulnerabilities. But this approach doesn’t offer an easy fix in the healthcare realm. Vulnerable IoT devices can be patched, but patching is a losing game as more vulnerabilities will be found in the cat and mouse game between hackers and cyber security experts. This keeps devices unsecure, and whether they are connected to a network or not, the risk remains.
The threat to life and safety
If hospital-commissioned remote monitoring of patients via devices like pacemakers and insulin pumps can be compromised or shut down by cyber hackers, how can device manufacturers keep patients safe and not the targets of the next great hack?
Because it takes the hack of only a single IoMT device to risk potentially catastrophic damage, true IoMT cybersecurity protection requires manufacturers and OEMs to implement solutions that protect individual devices, not just networks.
With every line of code and new functionality that’s added to a device, new vulnerabilities and attack vectors emerge. Patching can be an effective tactic for thwarting cyber-attackers, but it isn’t a strategy. Device manufacturers must be able to detect cyber breaches in order to stop attacks in real-time. By embedding protection on distributed devices themselves, manufacturers can focus all of their resources on identifying and stopping attacks, regardless of vulnerabilities on the targeted device. Plus, enabling OEMs to monitor devices in real-time only strengthens their ability to act in a timely manner.
Over the coming years, millions more patients will see first hand the life-saving benefits of advanced, Internet-connected medical devices. Indeed, Business Insider Intelligence projects that the global IoMT market will spike from $41 billion in 2017 to $158 billion in 2022. Getting this multibillion-dollar opportunity right is crucial for the patients whose lives depend on it – and getting it right starts with getting smart about cybersecurity.
Committing to true protection is especially urgent in the face of the current coronavirus pandemic. Malicious hackers are already taking advantage of the chaotic situation. As governments and healthcare facilities worldwide increasingly push for telehealth solutions, hackers’ opportunities are rapidly multiplying.