During my summer holiday, I stayed at a small hotel, where the owner, a collector of old technology devices, proudly showed me his one and only, still working jukebox. It was made in the 1960 ’s and to my surprise, this was one of the early devices, that gathered data on a microchip: it recorded how many times a song was played. Radio station owners collected this data – not online, of course – and they adjusted their playlist according to listening preferences read from the jukebox.
It’s an ancient example of how data and technology shaped entire industries. Back then a few had the knowledge to read the data from that microchip, the device had to be accessed physically, and the internet was still decades away.
Nowadays, in 2019 when each of us holds a miniature computer, called a smartphone, in our hands, we don’t wonder how technology allows us to have smart doorbells, smart pacemakers implanted in our body, or smartwatches, fitness trackers that record a ton of data every day. Old habits, formed in a time when devices like our jukebox were not able to connect to the internet, are sticking with us: cheaper IoT devices are designed with total disregard to basic IT security practices. I nearly wrote, IT security standards, but unfortunately, when we are talking about IoT, common standards as such do not exist. Lack of IT security means these cheap devices are vulnerable to attacks, data leaks can occur, and to put it just, they represent a significant security risk.
So to continue with bad news, basic concepts of the even most commonly used health IT devices were designed in a time when the internet and IT security were not a major topic. Meaning security was not part of the device by design. This made room for fitness trackers that revealed the users’ whereabouts, or with a little data tweaking exposed locations of military bases, otherwise secret routes of soldiers.
Nearly 500,000 pacemakers had to be recalled updating the software: they were vulnerable to attacks. Fortunately, flaws were not easy to exploit. In this case, vulnerabilities allowed attackers to gain access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker. Despite the dire consequences, the attacks were not easy to pull off, as there was no public exploit code to help attackers develop their attack packages, and exploitation required a high level of skills, that very few programmers possess. Besides, attackers needed to be sufficiently close (few inches) to the target pacemaker as to allow RF communications.
As we also know, healthcare institutions, hospitals are more vulnerable to external ransomware attacks (when attackers encrypt medical data and restore it only if a ransom is paid). Likely reasons include the relatively old age of IT infrastructure, time-critical access to sensitive data, the number of connected devices and the relative lack of expertise in IT security of the medical staff.
And yes, despite all these security concerns mentioned above, we are still advocating the use of health IT technologies. Security is a must by design in every device – and many device makers consider security to be their number one priority. If device makers, software developers in health care follow basic IT security practices – as listed by the UK government earlier last year – products and services that emerge truly serve the need of the people, providing a quality life for patients living with chronic diseases. Data based decision for healthcare professionals means that a better diagnose is formed, substantiated decisions are born. So yes, please use secure, tested, quality devices and solutions to make your health better!
PS: If you are too busy search the internet for the code of practice proposed for IoT devices, the list is here:
Code of Practice (in priority order):
1. No default passwords
2. Implement a vulnerability disclosure policy
3. Keep software updated
4. Securely store credentials and security-sensitive data
5. Communicate securely
6. Minimize exposed attack surfaces
7. Ensure software integrity
8. Ensure that personal data is protected
9. Make systems resilient to outages
10. Monitor system telemetry data
11. Make it easy for consumers (patients) to delete personal data
12. Make installation and maintenance of devices easy
13. Validate input data
Author: Zoltan Mathe