What can we do about medical device security?

By Brad Smith

The infamous security vulnerabilities in medical internet of things (IoT) devices need no introduction. For the last few years, we’ve been hearing warnings from researchers about weaknesses in a range of connected devices from various manufacturers. The risks range from exposing patients’ sensitive data to outright hijacking of devices, with potentially lethal consequences.

There is no denying that medical IoT is a huge step for medicine, and many IoT devices are life-saving for patients. But we can’t overlook their obvious weaknesses and associated risks. What can patients, clinicians, and regulatory bodies do to improve the situation?

Patients can take action

Users have limited power when it comes to securing medical devices, but there are still some steps they can take to improve their safety.

For password-secured devices, it’s essential to set a new password as soon as possible. Manufacturers have been known to preinstall the same password on several device models, making them incredibly easy to hack. A good password is a random string of letters, digits, and characters—preferably generated by a password generator. If a device has a Universal Plug and Play (UPnP) feature, it’s best to simply disable it. UPnP allows IoT devices to discover and connect to other network devices. This gives hackers another avenue for infiltration.

Another simple technique for patients to protect connected devices is downloading a virtual private network (VPN) app for use with their home router. A VPN encrypts internet traffic and protects the data stream from snooping eyes—whether they’re hackers or just advertisers. VPN apps can be downloaded directly onto a smartphone, laptop, or tablet, but not most connected devices. Running a router’s traffic through a VPN helps to bypass that limitation as the VPN encrypts all of the router’s incoming and outgoing traffic, including the traffic generated by connected devices.

Unfortunately, this strategy only works with devices used at home, such as vital monitors or telehealth appliances. Any device situated outside the patient’s secure home network is still vulnerable to cyberattacks.

Clinicians’ role in ensuring safety

In an article in the February 2019 Journal of Emergency Medicine, researchers detailed the execution of three clinical simulations designed to teach clinicians to recognize and prevent patient harm from compromised medical devices. The physicians who were part of the study admitted to being completely unaware that a hacked device could harm the patient. This lack of awareness shows that clinicians are insufficiently equipped to  prevent patients being harmed by their medical devices.

Using connected devices in healthcare brings a whole new set of threats to patients’ health and introduces additional responsibilities for clinicians working with these technologies. Healthcare organizations need to educate clinicians on the kind of risks that medical IoT devices carry and the necessary steps to take should the worst happen.

Clinicians must be able to recognize when a device malfunctions. As soon as an error is identified, it’s important to stop using the device to prevent possible harm and report the incident through the appropriate channels.

Healthcare organizations need to also ensure that connected medical devices used in their facilities have the latest software. Software updates are a way for manufacturers to patch any existing security vulnerabilities, so these updates are essential in ensuring patient safety.

We need regulatory change

Cybersecurity awareness from both healthcare organizations and patients goes a long way. However, the most important change needs to come from regulatory bodies.

Manufacturers famously underplay the security vulnerabilities of their devices and try to convince patients that the devices’ benefits outweigh their risks. It would be naive to hope that manufacturers will implement top-quality security testing without a legislative push.

There are three main areas of product design and manufacturing that need to be regulated with stricter laws. First is authentication: issuing certificates for healthcare devices to make sure only authorized users, messages, or services have access to the device. Second is encrypting all devices by default so information can pass privately between the patient and the authorized healthcare organization. Patients shouldn’t need to pay for and install a VPN service to be protected. Lastly, there should be a system in place to run automatic checks on every device and ensure their integrity is always up to date.

This year, the FDA released the Medical Device Safety Action Plan, likely in response to a flood of complaints about insufficient regulations. The document outlines a plan to “explore regulatory options to streamline and modernize timely implementation of postmarket mitigations,” which is promising but vague. Time will show what these regulations will look in practice.

The future of connected medical devices

IoT is here to stay, and we’ll only see more devices that use it. There’s no denying that connected medical devices have a huge potential for saving lives. But we need to ensure we’re not opening up an avenue to harm patients in the process.

The ideal future would bring a combination of stricter regulations, more thoughtful manufacturing, better clinician training, and greater involvement from healthcare organizations.

Brad Smith is a technology expert at TurnOnVPN, a nonprofit promoting a safe, secure, and censor-free internet. He writes about his dream for a free internet and unravels the horror behind big techs.