Security and the Internet of Things: Implications in Healthcare
The Internet of Things, the increasingly diverse hodgepodge of devices that can connect to a network, has been considered a security risk for years. Although the IoT brings to mind Fitbits and Philips Hue lights, no one is very concerned about whether someone knows they hit 10,000 steps today. These are the most heavily marketed IoT devices, but they are not actually the most common. The most common IoT devices are the ones you aren’t thinking about: pacemakers, blood glucose monitors and insulin pumps.
Suddenly, a security vulnerability involving these devices seems much more serious.
It’s not science fiction. Security researchers have figured out how to remotely control an insulin pump, allowing hackers to pump deadly amounts of insulin into the victim. Someone using a laptop more than 50 feet away from a victim can remotely hack a pacemaker and deliver a fatal shock. If you thought last year’s exposé on wirelessly taking over a Jeep was alarming, this is the stuff of nightmares.
Of course, you can’t just build “secure devices”. What makes devices secure is a combination of mindful construction and rigorous security testing. So far, security researchers are the ones who have identified the exploits listed above. As yet, there are no publicized accounts of hackers harming anyone through their medical devices. Of course, this would be difficult to prove.
When Will We Dream of Electric Sheep?
As the recent battle between the FBI and Apple demonstrates, the views of the general public are rapidly swinging toward stronger encryption and security as people see themselves directly affected. Whether it’s phones, automobiles, health records, or the implanted medical devices that keep us healthy, these issues are cutting increasingly close to the bone (pun intended).
9.3% of the population has diabetes. Half the population is at risk for heart disease. That’s a lot of pacemakers and insulin pumps. And of course it isn’t just those devices. Many people are monitored on an outpatient basis using wireless devices. Not that the devices inside a hospital are immune to vulnerabilities, either.
Why Are Medical Devices so Vulnerable?
The IoT in general is vulnerable because of how many pieces need to interact. The general gist is that the device talks to the network, which talks to other things. A network can be secured, and the device may be secured, but in general, the way the network talks to the device is highly insecure.
Of course, this is a gross oversimplification of a very complex problem. It doesn’t help that people frequently interact with devices in ways that are insecure. Many people don’t even set a passcode on their phones. Even end-to-end encryption won’t help in the face of user error.
With medical devices specifically, the situation is complicated by the fact that the users are frequently elderly. You don’t interact with a pacemaker, but a blood glucose monitor needs to be user-friendly. Additionally, people who are ill frequently have several people helping to care for them. This complicates security matters somewhat where user permissions are concerned. In a hospital situation, there are many structures and procedures in place to ensure that someone empowered to oversee the situation gets the information to the people who need it, even if they cannot access it personally. However, in a home care situation, which is becoming increasingly common, roles and responsibilities are frequently fluid. These difficulties can be somewhat mitigated by remote oversight, but this adds another layer of technological complication.
The problems facing healthcare security are exceedingly complex and will take considerable effort on the part of IT professionals to solve. However, there can hardly be another security pursuit that has more of an impact on quality of life.