Cyber security: the risk posed by smart medical devices

01 March 2018

As medical devices and technology become ever more sophisticated, security becomes ever more important. Security by design, not reactive measures, should become the guiding principle.

The headlines that followed in the wake of the WannaCry[1] ransomware attack in May 2017 highlighted the vulnerability of hospitals’ systems to cybercrime. But what was largely unreported was that a number of key medical devices were also vulnerable to the attack. Manufacturers of 11 devices in the US issued warnings, and several confirmed that their devices had been affected. That’s a significant development, because as devices become more connected, and generate and store more patient and clinical data, they both offer an attractive resource to would-be hackers and expand the attack surface that the increasingly connected health ecosystem presents.

Personal medical information is a potentially rich target for those with criminal intent. It often includes not only personal identity details but, in many cases, financial information too. Not only are cybercriminals able to extract simple identity or financial information, they may also be able to gather details about specific medical conditions that can be used to perpetrate insurance fraud.

Research by PwC in the US reveals that the number of device vulnerabilities reported by manufacturers increased more than ten-fold between 2014 and 2017, from two to 25[2]. Hospitals alone are likely to have many thousands of devices connected to their network, from MRI and X-ray machines to a host of smaller devices. Some hospitals will not have a clear idea of exactly how many such devices they have, and that lack of visibility is compounded by variable purchasing and networking controls. Many of these devices were never originally designed to be online.

Of course, devices in hospitals are only one potential source of vulnerability. The growing use of mobile devices by patients for accessing health services such as remote GP consultations is further expanding the potential for security breaches. As more and more patients’ information is shared and stored online, its security becomes ever more important.


However, access to sensitive information is not the only cause for concern. Many devices that directly control an individual’s health or treat a condition could be susceptible to malicious actions, with potentially dire consequences for the patient. For example, a pacemaker is likely to have an accompanying base unit that receives data over 3G, 4G, Bluetooth, WiFi, or other frequencies and protocols. Because it communicates over the same shared networks that carry conventional signals, the pacemaker could easily be jammed or interfered with, presenting clear threats to an individual’s safety. Many devices are available to purchase online, with the result that they can be reverse engineered to identify security flaws and exploit them.

And now medical devices are becoming ever more sophisticated. For instance, think about the implications of developments we’re seeing in brain-computer interfaces (BCIs). These work by reading EEG signals of brain activity. They are currently being used in gaming and other industries, as well as in health, but the privacy implications (hackers being able to infer a person’s innermost reactions to stimuli) are concerning. Academic research in this area shows that BCIs can be used to detect, for instance, when an individual is lying or when they recognise their PIN.

It’s clear that all hospitals and health organisations face some serious cyber security issues. So, what steps should they be taking to address them? It’s fair to say that many (if not most) health providers are paying much more attention to security. But the challenge is that advances in medical technology are moving so fast that the main concern is (rightly) the delivery of the best care to patients. That means security tends to be an afterthought rather than an upfront consideration.

That’s what needs to change. Security by design, not reactive measures, should become the guiding principle. And this needs to be an across-the-board effort. Manufacturers need to embed security into their products, but the health providers using them also need to make careful choices about how they deploy and connect devices. Patients, too, have a role to play by taking responsibility for the security of their own health data, and they may need education and coaching to understand how they can minimise the risks to which they are exposed.

Given this constantly changing threat landscape, it’s vital that organisations stay on top of their risks. Our teams at PwC have both technical and strategic analysts who can support clients in understanding their own specific threat profile, including the threats specific to medical devices. You can read more here about our work in the cyber field or contact one of our experts here.



[2] PwC Health Research Institute Provider Executive Survey, 2017