IoT Medical Devices Security Vulnerabilities on Wi-Fi Networks
The Internet-of-Things (IoT) is gradually realizing a radical transformation of healthcare services based on the deployment of numerous medical devices, which already represent a considerable segment of the billions of internet-connected devices that are nowadays available.
IoT medical devices security vulnerabilities affects many different types of in-hospital equipment including diagnostic equipment (e.g., MRI (Magnetic Resonance Imaging) machines and CT (Computerized axial Tomography) scanners), therapeutic equipment (e.g., infusion pumps and medical lasers) life support equipment (e.g., heart support machines), internet-connected devices for monitoring patients vital signs (e.g., thermometers, glucometers, blood pressure cuffs, wearables), as well as novel, intelligent and disruptive devices which can keep track of medication schedules (e.g., GlowCap outlets and AdhereTech wireless pills).
These devices are used in conjunction with mobile terminals (e.g., tablet computers, smart phones) which enable health professionals both to configure them and to visualize their data. Moreover, several IoT applications integrate RFID tags, as a means of uniquely identifying and associating with each other devices, patients, doctors, drugs, prescriptions and other artifacts engaging in the care service provisioning process. While several of the above listed devices can be deployed in the patients’ homes, the majority of them are deployed in the hospital environment.
In principle, IoT technologies enable the processing of data and the orchestration of services from all these devices in order to facilitate health professionals to access accurate and timely information about the patients’ status, but also to configure disease management processes for prognosis, diagnosis and treatment. Beyond disease management, the deployment of medical devices in the hospital can be also used to boost the efficiency of hospital operations.
As a prominent example, the continuous monitoring of medical devices can serve as basis for reducing their downtime. Likewise, devices emit notifications that can trigger proactive maintenance and replenishment of supplies. Furthermore, information from medical devices can be exploited in order to optimize resources utilization and patient scheduling. Based on these processes, healthcare will become a setting that will annually contribute over $1 trillion to IoT’s business value by 2030, as projected by a recent report of McKinsey Global Institute.
IoT Medical Devices Security Risks
The expanded use of IoT medical devices in hospitals raises serious privacy and security challenges, given the proclaimed and widespread vulnerabilities of wireless devices. IoT medical devices security vulnerabilities has always been a concern for applications, but in the case of healthcare it is a matter of life and death. Indeed, beyond compromising patient’s data confidentiality, security vulnerabilities can have life-threatening implications, as IoT devices are used to control medication or even to drive surgical interventions and other therapeutic processes.
Since commands to several devices are transmitted wirelessly, hackers can invade the wireless network in order to gain control over devices and transmit unauthorized commands with fatal results. For instance, a malicious attack against an insulin pump can lead to a wrong dose to a diabetes patient. As another example, the hacking of an electrical cardioversion device could instigate an unnecessary shock to a patient.
There is a host of different IoT medical devices security vulnerabilities easily include a non exhaustive list of common attacks includes:
- Password hacking: It is quite common for medical devices to be protected by weak passwords that can be hacked. This is the case when the built-in passwords provided by the device vendors are maintained.
Hackers can easily discover such passwords in order to gain access to device configuration information. Moreover, in several cases, hackers are also able to control the device and use it to launch more advanced attacks.
Poor Security Patching: Some medical devices are poorly patched, either because some patch has not yet been deployed on the device or because the device runs an “old” operating system (e.g., an older version of Windows or Linux). Poorly patched devices are vulnerable to malware and other attacks, which makes them an easy target for hackers.
Wi-Fi: The weak link in IoT Medical Devices Security Vulnerabilities
Denial of service attacks: Medical devices are usually lightweight and resource constrained, which makes them susceptible to denial of service attacks. The transmission of simultaneous requests to the device can cause it to stop, disconnect from the network or even become out of order.
Unencrypted data transmission: It’s quite usual for attackers to monitor the network in order to eavesdrop and steal passwords. The transmission of unencrypted data can therefore ease their efforts to gain access to the device in order either to extract information or even exploit the device for transmitting malicious commands.
Most of the medical devices are Wi-Fi enabled, which renders Wi-Fi the technology that carries the vast majority of the traffic that is exchanged between medical devices. However, Wi-Fi networks are conspicuously associated with IoT Medical Devices security vulnerabilities , which make them the weak link. For example, the WEP (Wireless Encryption Password) mechanisms that empower Wi-Fi security are weak, as WEP passwords can be easily stolen.
This can accordingly enable hackers to launch attacks based on the sniffing of unencrypted traffic. In order to alleviate WEP problems, IEEE and the Wi-Fi community have specified and implemented Wi-Fi standards and protocols (e.g., WPA2, WPA2-PSK (TKIP/AES)) with much stronger encryption capabilities. Nevertheless, not all medical device vendors provide proper support for these standards, putting the operation of devices and their interoperability with others at risk.
In recent years, special emphasis has been given in producing standards and best practices for securing wireless medical devices, on the basis of the implementation of appropriate authentication and encryption mechanisms.
This has led to the specification of IEEE 802.1X, which is a ratified IEEE standard for network access control. 802.1X is flexible and supports a variety of Extensible Authentication Protocol (EAP), including EAP with Transport Layer Security (EAP-TLS) and Advanced Encryption Standard (AES) encryption. The latter provides two-way authentication between devices based on the installation and use of X.509 certificates.
Alleviating IoT Medical Devices Security Vulnerabilities
The vision of IoT enabled hospital care cannot be realized without very strong security. CIOs and IT managers of healthcare services providers cannot therefore afford to treat security investments with caution, in an effort to reduce budgets which could ignoring low-probability risks.
Rather, they should adopt a holistic approach to securing medical devices and their operation, spanning technology, processes and security policy aspects.
At the technological forefront, latest Wi-Fi technologies offering strong security and encryption features should be deployed and tested.
This may involve purchasing technologically advanced equipment and testing it in terms of security features, configuration problems, wireless stability and more. There is also a need for medical engineering processes in order to ensure that IoT-enabled process provide high security levels.
IoT medical devices security vulnerabilities is particularly important in the case of the trending BYOD (Bring Your Own Device) services, which involve the deployment and use of third-party devices as part of healthcare processes.
Moreover, as part of the holistic security approach, hospitals must tweak their security policies in order to keep up with IoT-related technological developments.
The right technology, the proper processes and an IoT-aligned security policy provide a sound basis for hospitals to adhere to security and privacy regulations, to avoid relevant liabilities and ultimate to maximize returns on their IoT investments.