Do No Harm. Matthew Webster
but a global problem.
The problems are only growing worse as a result of COVID-19. Along with COVID-19 are some trends that are changing the technology landscape comprising medical care. Some key considerations are telehealth, home healthcare, and remote patient monitoring—many of which are tied to internet-connected medical devices. Each of these technologies has its own set of challenges and cybersecurity risks that correspond to those challenges. Let's briefly take a look at some of these trends.
Telehealth
Telehealth is essentially providing medical services remotely. It is important in this context as medical devices are often used to enable remote communication. What is interesting to note is that access to telehealth is dependent, in part, on income. The pandemic has proven the “generalizability of telehealth,” the CMIO of NYU Langone Health stated, where virtual visits have skyrocketed since COVID-19 lockdown measures have been in place. Meanwhile, HHS recently awarded $20 million to increase telehealth access.26 This, along with the pandemic, is only going to accelerate the demand for telehealth.
Home Healthcare
The growth of home healthcare is staggering. It is estimated that it will grow more than 18%.27 Presently, there are roughly 1.4 million people employed in home healthcare services.28 2015 was the first year that more money was spent. The global home healthcare market size was valued at USD 281.8 billion in 2019 and is expected to grow at a compound annual growth rate of 7.9% from 2020 to 2027. Population aging around the world and increased patient preference for value-based healthcare are anticipated to fuel market growth. According to the World Health Organization (WHO), there were 703 million persons aged 65 years or over in the world in 2019. The number of older persons is projected to double to 1.5 billion by 2050. The aging population demands more patient-centric healthcare services, which in return increases the demand for healthcare workers and agencies and is anticipated to drive market growth.29
Remote Patient Monitoring
Remote patient monitoring is critical for today's world. The best way to do that is with biosensors. Presently there is an 8% CAGR for biosensors, and the total market is expected to be over $29 billion by 2024.30 The demand for sensors of various kinds will be growing. COVID-19 has already accelerated that trend.
From a numbers perspective alone, it is clear that connected medical devices are not going away. They provide too much value for patients and institutions. All that said, having more devices that are less secure than they should be is creating more opportunities for hackers. Some of the problems are due to more records being digitized as part of the Affordable Care Act, but connected medical devices are most certainly a major concern for organizations.
The Road to High Risk
The key foundation for commerce is trust—trust in the exchange of money and/or good and services. Without trust, trade becomes riskier and less likely to happen. A thousand years ago you could touch, feel, see, and work with products. Today, in the IT world, we test products, read reviews, talk to peers, and so on. We install them, ensure the functionality, and do what we can to see if they work.
What is sometimes difficult to tell is how secure the product is. I once worked with a piece of software designed to examine security requirements. It did not meet many of the requirements it was examining in other products. While this may seem very rudimentary, it is not that uncommon for vendors not to do as they ask others to do. One famous case where this happened was a company formerly known as Bit9—a company that provides security protection software. They were hacked, but they did not use their own software to protect their environment. If they had, they would not have been hacked.31
What may be surprising to some of you is that some medical devices are built with old or outdated operating systems.32 What this means is the systems are full of weaknesses (called vulnerabilities in the security world) that can be exploited by hackers. The vulnerabilities are often so severe that the entire system can be compromised. Every shred of data related to the system can also be compromised. What is worse, that system can then be used to compromise other systems in a hospital. The fact that so many systems have severe vulnerabilities compounds the problems of security practitioners trying to protect the hospitals in the first place.
To make matters worse, in many cases the interface to the machine completely obfuscates the operating system, making it difficult to assess the underlying technology. The manufacturer can also add security on the front end of the medical devices, making it seem as though the security is high. For example, some systems will provide strong password requirements such as long password length, complexity, password rotation, and so on, making it seem as though the system is built securely. That aspect of the system may be relatively secure, but not necessarily the rest of the product.
Many of you may be thinking that this is an old issue and that operating systems are usually up to date. The hard reality is that these outdated operating systems are almost par for the course when it comes to internet-connected medical devices. Recently Palo Alto Networks put out a report demonstrating that 83% of medical imaging devices had operating systems that could not be updated.33 This is very serious as it means those operating systems have vulnerabilities that were not previously known and they cannot be remediated. From a hacker's perspective, these internet-connected medical devices are a metaphorical gold mine—not only because they have data, but also because they are relatively easy to hack—often allowing hackers to jump from one system to another within an organization.
This very same idea can be applied to other internet-connected medical devices that do not utilize a full operating system. In those cases, the system has a very small operating system known as firmware. On a personal computer firmware can be updated very easily, but devices that are very small with firmware only may or may not be updatable—cybersecurity patches cannot be applied In some cases, what is included is unalterable. The unalterable nature of the device is referred to as hardcoded. This is where passwords are hardcoded into some of the devices.
Processors are another avenue of attack. In January 2018, two new processor vulnerabilities, Spectre and Meltdown, hit the news and security staff across the world like a ton of bricks. They uncovered, and subsequently demonstrated, flaws in the way that motherboards were designed over the last few decades. As a result of the motherboard flaws, operating systems could be compromised in ways that previously the hardware would have provided some protection. Ultimately, if an attacker had access to a system, data could be exposed by the combination of the two vulnerabilities (of which there are three variations). For Meltdown, an attacker gains access to data they normally shouldn't see by “melting” the division of protected memory normally enforced by hardware. Spectre, on the other hand, is about making a system reveal data that it should not reveal to the attacker.34
Both Spectre and Meltdown are examples of what were zero-day vulnerabilities—flaws that, at the time, were out but, as they are too new, do not have remediation. Hardware (such as motherboards), operating systems, and internet-connected medical devices are all prone to zero-day vulnerabilities. They are the bane of IT and security practitioners alike. They are the kind of situation, due to the severity of the vulnerability, that requires companies perform out of band patching (also called emergency patching), which can seriously disrupt