Security Challenges for Medical IoT Applications
Security Challenges for Medical IoT Applications
January 22nd, 2020
Smart devices in the medical area are exponentially growing, as are their security risks and privacy concerns associated with the sensitive data they host and exchange. AT&T has been collaborating with university partners to explore the challenges presented by smart devices in medicine. This is a target rich environment with many critical medical applications. It’s not hard to find key areas with unaddressed security concerns. These are often domains where security expertise has lagged other technological leaps. Vendors rush products to market with a naïve view of security risks, often discounting dangerous or malicious behavior as just “highly unlikely.” But the landscape of documented attacks shows a different picture, revealing that healthcare providers, doctors, and patients are exposed and at risk.
Some security concerns in the field of medicine are common to other technology domains, but some are unique and require new thinking, especially with IOT devices in the mix. An example of a common concern is interoperability between software applications. The ability to enforce privacy rules when data standards differ across administrations is a challenge. The differences in patient record file formats in Europe and the US can force different technical solutions. Interoperability, backward compatibility, and usability have always been challenges. Now IOT devices create new data flows, formats, and engineering requirements. In the medical device ecosystem, there are many legacy devices still in use; management and connectivity of these devices for device management in larger environments like a homecare unit or hospital environment needs planning and preparation. Additionally, the key to a secure medical IoT device is one that is protected, securely managed, and audited, yet requires very little to no additional training for use. Medical staff interacting with these devices have enough on their plates without learning special procedures for handling many device types.
Basic security principles still form the core of our research. Ensuring users are properly authenticated, and that their privileges are controlled is critical. Beyond authorization, medical data must be validated and kept safe from tampering or disclosure. In the United States, all patient medical data is protected by law under HIPAA. Tampering in any form can have life-threatening consequences. Providers must monitor device health, control and audit access, and ensure that they can patch devices when they are able to. Malware, ransomware, and DDoS attacks have been demonstrated in hospital environments. Controlling device access without curtailing effectiveness of patient care or quality is a new and complex challenge.
Medical IOT use cases span a wide array of technologies for different diseases. Our research exploration areas include the following examples:
- Wound management devices like smart bandages may have the ability to analyze the wound recovery progress or check for infections and deliver medication accordingly, per doctor’s approvals. With improving sensor technologies that may monitor pH, oxygenation, temperature, and other metrics, traditional medical first aid may be transformed. With potential for such efficient feedback loops, security is critical for data accuracy and privacy.
- Smart surgical implants can adjust to minute changes in conditions and improve the efficacy of everything from connected pacemakers, smart stents, hip replacements or other prosthetics. Prosthetics can even integrate with the human nervous system to provide more natural functions, providing immeasurable improvements in quality of life. The speed and authenticity of the data exchanged is vital for an enhanced patient experience.
- Chronic conditions like heart disease or diabetes may eventually rely on feedback loops to monitor conditions for progress and automate alerts to critical events. For example, blood glucose monitors can measure sugar levels and trigger insulin pumps to deliver the appropriate dosage with doctor’s approval. But what if these loops are tampered with? The closed loop medical care area is growing with increased research in the artificial intelligence space focused on automating medical care for a wide range of endocrinological applications and connected wearables in our device ecosystem. Security, especially in areas concerning data confidentiality and device availability, is important in these applications to consider and proactively mitigate.
- Imaging is a critical function but is often done remotely due to cost pressures and accessibility. This presents unique data security problems of privacy or loss of integrity. Image data can even be hacked to misdiagnose patient disease. We’ve seen cases of insurance fraud via image tampering. Telemedicine has increasingly gained adoption in the industry and sharing image data at high speeds and integrity may be critical in life-saving situations.
- Neurological conditions provide a broad category of applications ranging from sleep support equipment to mental health support. For example, smart beds or connected pillows may support bedridden patients distribute circulation and smart bracelets may monitor individuals for risk of stroke and help mitigate epilepsy induced deaths. Other technologies in this space include connected devices reporting brain activity and providing individuals assistance or diagnostics based on the information recorded and reported. These devices may provide life-critical support and would require security against cyberphysical tampering and protection of the sensitive information from malicious actors.
With every solution, there is a new attack surface for malicious actors to exploit, injure, or disrupt services. Medical IOT presents a huge business opportunity and ethical impact for a carrier like AT&T because of the secure transport we offer and the application security standards that our products and services are built to meet. These are complimented by our ongoing work in anomaly detection, vulnerability scanning, secure firmware updates, malware detection, remote attacks detection, and DDoS prevention.