Encryption standards for medical devices ‘need to be mandatory’
- 31 July 2019
Encryption standards need to be legally enforced to “shut the back door” on potential cyber security breaches that could put people’s lives at risk, an internet of things (IoT) company has warned.
Pangea Connected’s system developer, Dr Arslan Usman, said IoT medical devices need to be better regulated, including making firmware and software updates “mandatory” for both developers and users, to boost cyber security efforts.
It comes after medical technology company Medtronic identified “potential security vulnerabilities” in a selection of its insulin pumps in June.
“The vulnerability allows a potential attacker with special technical skills and equipment to potentially send radio frequency signals to a nearby insulin pump to change settings, impacting insulin delivery,” according to a statement on the company’s website.
Changing a diabetic patient’s insulin levels can result in blood sugar levels spiking or dropping, diabetic coma and, potentially, death.
The Medtronic MiniMed 670G insulin pump is one of the most common pumps used in the UK, with some NHS areas prescribing it. It was not affected by the vulnerability, according to Medtronic.
Dr Usman told Digital Health: “Just like any other device with an operating system and a network connection, unsecured medical IoT devices can be tampered with by a determined hacker.
“The most common hacking attacks (DDOS) can cause medical devices to malfunction, which may put a patient’s data and even life at risk.”
Dr Usman said devices need to be updated regularly, with any failure to comply resulting in the device being removed from the market, in order to protect patient safety.
Encryption standards such as the Data Encryption Standard (DES), the Advanced Encryption Standard (AES) and RSA encryption should also be enforced, he added.
“Furthermore, firmware and software updates need to be mandatory for both device developers and users. Don’t leave updates waiting; it gives hackers time to find weaknesses in the software,” he added.
“Manufacturers and developers need to implement these standards with regular updates in order to keep their tech’s defences airtight.
“As a follow-up, they should recruit ethical hackers to test defences and find security blind spots in their products and services; this helps manufacturers stay ahead of cyber crime and provide a secure experience for their IoT device users.”
Digital Health’s cyber security expert, Davey Winder, warned the risk of IoT medical devices being hacked is “very real indeed”.
In August 2017 the US Food and Drug Administration recalled nearly half a million pacemakers sold by St Jude Medical over fears that the device’s firmware could be hacked and re-purposed, with potentially deadly consequences for users.
“These aren’t threats waiting to emerge, these are attacks that have happened already. From drug pumps through to medical imaging equipment, the devices themselves and the management platforms they sit upon are vulnerable and then some,” Winder said.
“For as long as medical devices remain in use that do not encrypt communications, that cannot be patched when a vulnerability is exposed, that do not take security seriously enough, then the risk to patient health will also remain.”
They aren’t the first to warn that hacked medical devices could result in patient deaths.
Last year David Emm, a leading cyber security expert at Kaspersky Lab, told Digital Health that, if left vulnerable to cyber-attacks, invasive devices such as pacemakers and insulin pumps could have deadly consequences for those who use them.
A March 2018 report from the Royal Academy of Engineering urged medical device manufacturers and those who use them to make cyber security a thoroughly considered part of the design process.
It warned that – unless designers of digitally-connected medical systems enforced more rigorous risk management procedures – health devices could have “severe consequences” for patient safety, including physical harm to patients themselves.
Dr Usman added: “Policy makers and government bodies need to regulate IoT device manufacturers, in order to ensure the highest cyber security standards across the board. Though it’s largely the manufacturers’ responsibility to provide cyber security, users also need to be vigilant and take measures themselves to keep software updated and add security layers where they can. In other words: shut the back door.”
1 Comment
I work with these devices on a daily basis and agree that there should be mandatory programming for security vulnerabilities. St. Jude Medical/Abbott addressed their security issue with a software upgrade, however many clinics have yet to download the software. I’m not sure all clinicians take the threat of cyber attacks seriously.