Follow us

Vulnerable IoT devices can stake your breath

The vulnerable medical IoT networked devices are a severe threat to the healthcare system and Patients' life.

Updated: October 11, 2021 By Ozair Malik

IoT medical devices interconnected with each other that are commonly used in Healthcare system

Image source – Shutterstock

Like every other industry, the IoT storm has strongly hit the healthcare system. Undoubtedly, the associated benefits of IoT networked medical devices in patient monitoring, diagnosis, and treatment are outstanding.

Moreover, IoT in healthcare has made the lives of doctors, hospital staff, managers, etc., a lot easier.

But, the proliferation of internet-enabled medical devices has dramatically impacted the overall cyber security infrastructure in healthcare. Also, the security threats, vulnerabilities and, breaches have significantly increased.

The current state of healthcare security can be imagined from the latest HIPPA report, published in the HIPPA journal.

Over the past 12 months, from the start of August 2020 to the end of July 2021, 706 reported healthcare data breaches of 500 or more records, and the healthcare data of 44,369,781 individuals have been exposed or compromised. That's an average of 58.8 data breaches and around 3.70 million records per month!

These devastating figures are enough to predict the increased security risks and threats associated with IoT medical devices (IoTM) soon.

Graph showing number of data breaches occurred per month in US healthcare in the past 12 months

Image source – “July 2021 Healthcare Data Breach Report”, HIPPA Journal

Disclaimer: Please read it before you have a vulnerable pacemaker implanted in your body and you inhale. We are not responsible for the actions of doctors, do not give medical advice, and do not force surgical interventions. This article is for guidance only.

Graph showing number of records breached per month in US healthcare in the past 12 months

Image source – “July 2021 Healthcare Data Breach Report”, HIPPA Journal

Let's discuss Pacemakers, a highly sensitive and critical yet vulnerable medical networked device that could cost your life if not avoided or secured.


What is the Scope of IoT in Healthcare?

Internet-enabled devices are not only used in hospitals directly but also the patients carry them along.

Do you know for what IoT devices are used in healthcare?

  • Remote patient monitoring, diagnosis, and treatment
  • Controlling heartbeats via Pacemaker
  • Controlling heartbeats via Pacemaker
  • Data management and gathering
  • Drug infusion
  • Insulin delivery
  • Eldercare
  • Vital monitoring, etc.

Our data shows that hospitals on average have lost track of 30% of their networked medical devices, making it much harder to protect them against hackers. This is particularly concerning because some 61% of all medical devices on a hospital network are at cyber risk and can be compromised by malicious attackers seeking to steal data, harm patients or ransomware.

Motti Sorani, CTO of medical cybersecurity provider CyberMDX

Now, you can imagine that how deeply internet-enabled devices have penetrated the healthcare system.


Pacemakers

A pacemaker is a small implanted in the Patient's chest to help control his heartbeat. It’s implanted in patients with strong arrhythmia.

I will not get into the working of a Pacemaker because there is much content on it.

Let's dive into the hacking part!

How Medtronic's Pacemakers are hacked?

The first news about pacemaker hacking came out a decade ago, in 2008.

Revealed that are vulnerable and could be hacked. Hackers could modify settings, extract patient data and, hijack its operation. The news featured the researchers at Archimedes center for medical device safety, University of Michigan.

Moving forward, in the 2018 Black Hat Cyber Security Conference, Las Vegas, two researchers Billy Rios and Jonathon Butts, demonstrated that hackers could remotely install malware on the programmer (controller) of Pacemaker. The programmer runs on Windows XP and is designed for the use of doctors.

The vulnerability was present in the programmer's firmware − the firmware update process was not encrypted, which was exploited by researchers. The updates sent to it weren't delivered via an encrypted HTTPS connection. Also, the firmware wasn't digitally signed.

Billy and Jonathon implemented two attacks that could modify the programmer's source code, gain control and harm patients with Pacemaker.

You can obviously issue a shock, but you can also deny a shock.

Jonathon Butts

By the above statement of Jonathon, we can imagine what massive havoc hackers can create by exploiting the vulnerability. Attackers can even kill a patient if they decrease the shock if required in a slow heartbeat or increase it beyond the standard amplitude.

Medtronic developed the pacemaker programmer under discussion. There are over 35,000 such controllers in the market—branded as CareLink 2090. Thus, the life of Patients with Medtronic pacemakers implanted is at stake.

Medtronic's pacemaker CVE's

The vulnerabilities present in the firmware of Medtronic's devices are assigned the tag CVE-2019-6538 and CVE-2019-6540 in National Vulnerability Database (NVD).

Read below the findings termed in both the CVEs:

The Conexus telemetry protocol utilized with in Medtronic MyCareLink Monitor Versions does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product's radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

CVE-2019-6538 (Source—nist.gov)

The Conexus telemetry protocol utilized with in Medtronic MyCareLink Monitor Versions does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.

CVE-2019-6540 (Source—nist.gov)

Both the vulnerabilities were disclosed to Medtronic, but their response wasn't satisfying; instead, they continued to justify that their devices were not vulnerable. Moreover, they labeled this vulnerability as a “shallow risk”.

The vulnerabilities in BIOTRONIK Pacemaker

Usually, researchers love to test their products, devices and, applications but, Dr. Moe is an exception, and she has her style of hacking things.

Dr. Maire Moe is a senior security consultant at Oslo-based cybersecurity firm mnemonic. Previously, she was a professor at the Norwegian University of Science and Technology.

An amazing fact;

Dr. Moe had BIOTRONIK CardioMessenger II implanted in 2011. Four years later, in 2015, she initiated the Pacemaker hacking project to security audit the device on which her life depends.

The primary motivation behind the project was that she wanted to know if someone could hack her heart.

She and her team published a report in July 2020 that contained a set of security findings while auditing the BIOTRONIK pacemaker.

The five vulnerabilities found in the security audit were:

  1. Improper Authentication CWE-287
  2. Clear text transmission of sensitive information CEW-319 (CVE-2019-18248)
  3. Improper Authentication CWE-287 (CVE-2019-18252)
  4. Missing Encryption of Sensitive Data CWE-311 (CVE-2019-18254)
  5. Storing Passwords in a Recoverable Format CWE-257 (CVE-2019-18256)

The research was focused on the Home Monitoring Unit of Pacemaker. The HMU directly interacts with both the Pacemaker and Server. That's why it was crucial and exciting from a security perspective.

Another primary motivation behind pentesting HMU was that previous research on this device concluded that the HMU could be modified into a life-threatening “weapon”. One can drain the Pacemaker's battery by using that weaponized HMU.

The detailed report was submitted to CISA, and BIOTRONIK was also informed. Initially, BIOTRONIK didn't issue a security update.

A statement was released mentioning that they have implemented necessary controls to reduce exploitation and prevent patient safety risks. Also, they recommended some safety measures to the patients.


How to secure Pacemakers?

Medical device manufactures are morally obliged to develop products with extreme attention to security. Their products must be free from vulnerabilities, passed through rigorous pentesting and auditing.

Moreover, after-market security support must be provided.

The industry needs to understand that traditional cyber security strategies won't be effective in today's IoT healthcare systems.

It is necessary to have a DevOps mindset for product developers. Also, the CISO's and CTO's need to re-evaluate and design their security policies.

Healthcare CISOs must gain visibility into their entire fleet of devices and incorporate the IoTs and medical devices into their cybersecurity program. They should look at solutions that could help them to automate, provide panoramic visibility into each device, and take control of them. Hospitals must deploy technology that not only identifies a security problem but also solves it – from discovery and detection, to risk assessment and prevention.

Motti Sorani, CTO of medical cybersecurity provider CyberMDX

Additionally, End-Point Management Systems along with efficient Threat Intelligence Systems for Healthcare needs to be developed. Cyber Security Industry and Healthcare must work together to build security solutions specific to IoT Medical devices.


Conclusion

Security threats and attacks on the healthcare industry will rise rapidly in the coming years due to the advancement and popularity of Internet-enabled medical devices across the industry.

Internet of things (IoT) networks increase the cyber-attack surface by multiplying possible access points.

3.6 million Patients' data were compromised in the two most significant healthcare data breaches in 12 months. It’s the figure quoted in HIPPA's official breach report.

Hence, all the stakeholders need to put in serious efforts to secure devices and protect the Patient' lives.

Author
Ozair Malik
A passionate Cyber Security researcher and writer with a keen interest in Digital Forensics. A community worker running a insta blog to raise cybersecurity awareness among laymen.

Write a review

click to select