The Tell-tale Heart: Is it too Late to Secure IoT Healthcare Devices?
In the horror classic ‘The Tell-tale Heart’, Edgar Allan Poe conjures up a horrifying scene, whereby a murderer thinks he has been revealed by his victim’s heart beating under the floorboards and informing the officers above of his guilt. Well, if Poe was playing on our inherent fear of having intimate secrets revealed, surely even he would not have predicted a literal ‘tell-tale heart’ betraying its owner. Thanks to the unflinching advancement of the IoT, Poe’s vision of horror was not too far wrong.
In Spring of 2016 connected pacemakers by St. Jude Medical were found to be vulnerable to cyberattacks by a leading cybersecurity firm MedSec. Later in January 2017 the FDA confirmed that these tiny devices could be hacked and have their battery depleted, or their pacing altered to deliver shocks or irregular rhythms. WannaCry, the global cyber attack that hit the NHS, Deutsche Bank, and Telefonica to name a few, built upon this extremely concerning vulnerability in the healthcare sector, and highlighted that medical IoT devices are some of the most interconnected and easy-to-access of all.
A study around the same time as WannaCry in May 2017 found that pacemakers in the United States had over 8,000 known vulnerabilities, and implanted device security was almost completely neglected, without even a password to break a hackers stride. This is partly due to the way in which pacemakers communicate, as the programmer has an instrumental role in the setup and structure of the communication channel.
Programmers first initiate the main application on the pacemaker, without the need for a password. Then the pacemaker is ‘interrogated’ with a telemetry wand to receive a ‘token’ and ID information that is then passed to the main application. The main application then launches the pacemaker application that corresponds to that ID information, and the initial programmer switches the channel to Radio Frequency communications that can transfer data further than the telemetry wand.
This means that pacemaker programmers have a fairly integral position in implementing this IoT connectivity, and further, the same researchers found that all programmers can reprogram any pacemaker from the same manufacturer, revealing a huge security risk for these and similar devices that utilize app to app communications within interconnected IoT systems.
It “Shodan’t” Be This Easy
If that weren’t enough to get you quaking in your boots, these devices are also fairly simple to locate, using the IoT equivalent of Google to search and find devices that are suited to even the most junior hacker. This search engine, Shodan, is effectively an inventory of connected devices, from traffic lights to insulin pumps, and allows users to see what level of security is being utilized (usually not more than ‘admin’ as username and ‘1234’ for a password), and subsequently how easy it is to hack this device.
This means that even if all new pacemakers had new secure infrastructures and were invulnerable to direct attack, anyone with malevolent intent could find a vulnerable device and infiltrate a network of IoT technologies that relies on having such an open communication channel between doctors, devices, and patients.
This is a very real and present threat to the IoT healthcare industry, as not only are more unsecured IoT devices being added to the network every day, but in theory a hacker could infiltrate one device and find out a huge amount of personal medical information about an individual from other devices monitoring that person. So what can we do to stop hackers ushering in the fall of the house of medicine?
Normal Patching: Nevermore
The most obvious first step is not to underestimate the scale and scope of this risk: one of the main lessons from the St. Jude Medical case was that any device with firmware (even if smaller than a AAA battery) can be vulnerable to attack. After that, another seemingly simple expert tip is to keep a comprehensive and accurate inventory of connected devices, to help to reduce the risk of a ‘weak link’ being exploited due to, for example, outdated software in the NHS.
But perhaps the most important preventative measure highlighted by Tressa Springman, CIO of LifeBridge Health, is to patch, patch and patch again: “Literally the most aggressive mitigation is to make sure you’re patching.” Although this may seem obvious, defense against hacking is now turning into a fierce cat-and-mouse game, whereby patches are constantly evolving to keep up with new hacking techniques, until a large attack happens and can only be solved by a ‘Big Bang’ patching breakthrough.
It seems like a ‘Big Bang’ reconfiguring of the way in which patching is performed is now due, so that its manual and time consuming nature is streamlined to allow an appropriate response to increasingly aggressive malware. Finally, in the midst of a potential healthcare horror story, an unlikely solution has emerged: keep security patches resilient and up to date, and the threat to medical IoT technologies will (hopefully) be nevermore.