IoMT is a swiftly growing sector. Globally, the market was worth £31 billion ($41 billion) in 2017, and is estimated to be worth around £119 billion ($158 billion) by the end of 2022. From applications that hold electronic health records on handheld devices, to smart hospital beds and medication dispensing systems, the usage of IoMT devices is on the increase. Whilst the increased ease of access and control is useful, there are still potential vulnerabilities, just as with any devices that run software and access network connections.
For example, infusion pumps are familiar to most people - they’re used in hospitals to deliver fluids containing nutrients and medication intravenously, and digital versions have been available for some time. Digitally programming the dosage of a medication limits the capacity for user error. Should the wrong dosage be entered, the pump will simply not function. Connectivity also comes in useful if all the pumps in a hospital are connected to the same network. In the event of a medication dosage requiring an update, rather than a technician manually updating each device, they can simply edit one file, and push the new version out to every infusion pump connected to the network.
As with any device, outdated or exploited software can result in vulnerabilities that leave systems open to being hacked – and for medical devices, this could be a disaster in terms of both sensitive medical data and the potential for endangering lives. A recent study published by Palo Alto Networks discovered that “75 per cent of infusion pumps scanned had known security gaps [...] these shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.” The study also went on to reveal that “52 per cent of all infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019 – one with a ‘critical’ severity score and the other with a ‘high’ severity score.”
Of course, whilst those statistics don’t make for comforting reading, hospitals and other medical establishments should still be able to protect their patients and effectively mitigate security risks if they have a regular vulnerability scanning and patching schedule, zero-trust access to device configuration panels, and locked-down Wi-Fi networks.
It’s not just hospitals that use IoMT devices, though - there are many similar devices used by individuals at home. In the UK, insulin pumps are increasingly used to regulate the delivery of insulin by people with Type 1 diabetes. These are generally offered to users to help decrease the incidence of hypo- and hyperglycemia, both of which can be fatal if left untreated. Insulin pumps give users a more granular level of visibility and control over their blood glucose levels - fluctuations can contribute to the long-term complications of the condition. Despite their usefulness, not all diabetics use them. In the 2019-20 National Diabetes audit for England and Wales, it was found that around 10% of the Type 1 diabetics in England and Wales were using insulin pumps (for context, there are around 400,000 people with the diagnosis in the UK).
Insulin pump vulnerabilities have previously led to recalls in the UK. In 2019, there was a recall of the Medtronic MiniMed pump after it was discovered that an unauthenticated user within radio range could potentially alter the device’s settings, or even intercept sensitive data. In the US in 2020, the insulin pump manufacturer Omnipod discovered a vulnerability in their insulin pump software, whereby an unauthorised person could potentially take control of the pump by duplicating the communication protocol with a smartphone. In 2019, security researchers in the US discovered a vulnerability in some of the insulin pumps made by Medtronic. After multiple attempts to persuade the manufacturer to release a patch, they built an app to demonstrate how these security flaws could potentially be used to effect a lethal overdose of insulin. This was only an extreme case enacted to prove a point, but it just goes to show the damage that malicious actors could cause.
Ultimately, why would anyone want to hack a medical device? It’s difficult to imagine the motivations that might result in a hacker or group of hackers engaging in such activities. Nonetheless, where a cybersecurity vulnerability exists, there is always a chance that it could be exploited. Where essential medical devices are concerned, a simple software update would effectively mitigate vulnerabilities.
It’s clear that a risk reduction policy should be in place if a healthcare provider is supplying insulin pumps to its patients. Manufacturers should also implement regular scanning of known resources for vulnerability alerts regarding their software, and the flow of communication from the manufacturer through to medical professionals and eventually to the end users should be clearly delegated.
Medical professionals should also educate users on the need for potential updates as well as secure passwords and Wi-Fi connections when they administer the insulin pumps or other IoMT devices.
The World Economic Forum recently called for a global consensus on the integrity of IoT devices - which could grow to include IoMT devices, or at least be adapted to provide a relevant framework. The need for manufacturers and healthcare establishments to collaboratively define a framework, which would swiftly and effectively notify individuals whenever an update is required, is increasingly urgent for all IoMT devices essential to the continued health of individuals.
Our expert cyber partners at Cyber Security Associates specialise in protecting your data, and your business’ data, and keeping it out of the wrong hands. The advent of IoT and IoMT devices offers hackers more and more opportunities to find a way into your network, and with the help of Cyber Security Associates, we offer endpoint-to-cloud security which can be scaled to suit networks with hundreds or even thousands of devices.