[Article] Security of connected medical devices: a gateway to cyber attacks

     By integrating a heart rate monitor into its connected watch, the Apple brand entered the connected healthcare sector in 2015. The year it was released, an American had even been saved by his Apple Watch. Worried about his gadget, which pointed out the irregularity of his heartbeat, he went to the emergency room and discovered that he was suffering from a rhythmic disease of the earpiece. This example demonstrates the opportunities of connected health: between ultra-personalization of treatments, self-medication, automated diagnostics and connected medical equipment, the changes brought about by emerging technologies will indeed revolutionize the health landscape as it currently exists.

     According to a study by Grand View Research, in 2016, 73 million health devices were connected worldwide. By 2020, there will be 161 million (1). Estimated at €2.7 billion in 2014, the French market could reach €4 billion in 2020 (2). Growth will be driven mainly by three trends: the increase in the average age of the world population, the prevalence in some countries of diseases requiring regular monitoring (such as diabetes) and the growing demand for quantifiable fitness solutions. Today, the Internet of Things (IoT) applied to health is dominated by wearables (bracelets, watches or any connected clothing), which in 2015 represented 60% of the market for connected medical devices.

It should be highlighted that despite the benefits that the development of connected health and telemedicine will bring to our health system, these two new paradigms are challenging traditional professional organizations and undoubtedly raise ethical, legal and technological issues. The lack of interconnection of computer systems is a major reason for the fragmented sharing of patient information. Moreover, these same data represent an inexhaustible financial windfall for hackers. The safety of these devices is still in the embryonic stage. This article provides a state of the art on new medical devices connected through the prism of safety.

Part 1. Connected Health Ecosystem

1.1 – Definitions of terms (e-health, telemedicine, medical devices, etc.)

     Health systems are evolving and digitising. The integration of equipment connected to health support functions is profoundly disrupting his practice. Connected health affects industry, personnel, care and health applications at the same time. It consists of the integration of information and communication technologies (ICT) within dedicated services (hospitals, medical devices, telehealth (3). It covers a broad spectrum that is broken down into several practices aimed at improving citizens’ health. e-Health technologies thus facilitate access to care and enable patients to receive personalised care and, more generally, better prevention of medical care.

    First, e-health responds to increased demand from patients, staff and hospital administrations for better adaptation to new needs. e-Health or digital health therefore offers new capabilities to traditional health and allows a better “efficiency of care in controlling health expenditure by addressing the challenges of personal data confidentiality, management of the deployment of technical solutions to cover the entire population, a switch to digital current health services and remote patient monitoring(4).

   The term e-health therefore corresponds more to the use of Internet of Things equipment for health services and devices, while telehealth includes, among other things, telemedicine and m-health (mobile-health). M-health refers to access to health via a smartphone and by extension, via connected devices or wearable sensors. These devices can be used to measure physiological data or the user’s physical activity. M-health is the most well-known field of connected health, because it is the one used by the public. E-Health also plays a major role in health information systems (HIS) or hospital information systems (HIS). These services organize and ensure the exchange of information between services within the same hospital and between doctors and patients. These HIS or HIS are more vulnerable because sensitive patient data is transmitted through them. 

1.2 –  Overview of connected solutions (e-health, radiographs, pacemakers, etc.) 

    Information and communication technologies are used to improve the quality of health care and IoT equipment and its application. Although connected health is a new phenomenon that affects a sensitive field, it makes it possible to make it hyper-connected and more efficient through more efficient biomedical devices connected remotely; but also to digitize the back offices of health centers in the same way as large administrations. In the medical world, connected health devices are multiplying and playing an increasingly important role. These devices store sensitive health information about the patient’s activities and prescriptions.

Connected health is a rapidly expanding field at all scales. According to a Xerfi study, globally, this market reached about 94 billion dollars in 2014(5). In addition, the French connected health market could reach 4 billion euros by 2020 . Today, the Internet of Health Objects market is mainly dominated by wearables (in 2015, connected medical objects represented 60% of the portable connected objects market(6). This fast-growing market will reach $5.8 billion in 2019(7). Wearables are diverse and are related to real-time patient (or user) monitoring. Whether developed by pharmaceutical industries, science researchers or Internet giants, wearables are promulgated by health professionals and included in the patient/physician loop.

Many connected health solutions, however revolutionary, are already on the market or at least in progress. The following panel of solutions shows their diversity and originality:

  • The Connected Dressing: Researchers at Tufts University (Boston) recently presented a prototype of a connected dressing to make chronic wound management more effective. This connected bandage is intended for wounds that are poorly or too slowly absorbed after several weeks. It is directly connected to the control module that communicates via Bluetooth with the doctor.
  • The bihormonal bionic pancreas: This object connected and connected to a smartphone, allows to measure the blood sugar level every 5 minutes with a first box. When the user is hypoglycemic, the other box sends a hyperglycemic hormone.
  • The bracelet destroying cancer cells: Google has developed a connected bracelet to destroy cancer cells. The patient will ingest nanoparticles beforehand, which will cling to the cancer cells found in the patient’s body and emit light. These nanoparticles will thus reach the wrist thanks to a specific magnet located in the connected bracelet.

1.3 – Developments in the sector (prospective until 2030)

      e-Health is already undergoing major transformations. The integration of the Internet of Things in the health sector introduces many opportunities, including the so-called “Quantified Self”, the collection and exchange of biometric data via connected sensors (8). According to a study on connected objects in health, in 2019, “87% of health centres or hospitals will adopt the Internet of Things technologies and 76% of practitioners believe that IoT will profoundly transform the health industry(9). In particular, Health 3.0 presents a new model of medicine that is more effective and personalized and serves all health services and processes.

Artificial Intelligence in e-health will also play an increasingly important role in predictive medicine, precision medicine, decision support, companion robots, computer-assisted surgery and prevention. These application criteria highlight the multiple uses of robots in health. This is already the case for the European project Desiree, which integrates AI for the treatment of breast cancer. The Desiree platform “uses a symbolic approach to help clinicians in the treatment and follow-up of breast cancer patients(10). Desiree therefore integrates the recommendations of good practice by implementing a reasoning based on an ontology. From a large database and solved cases, the system can help in the therapeutic management of patients.

Part 2. The risks of connecting medical devices

    As medical devices and technology become more and more sophisticated, safety becomes more and more important. The attacks that followed WannaCry in May 2017 highlighted the vulnerability of hospital systems to cybercrime. But what was not reported was that a number of key medical devices were also vulnerable to attack. In 2017, the US Department of Health recalled 465,000 pacemakers so that they could be updated. The risks of piracy include premature battery wear and accelerated heartbeat. As devices connect, generate and store more clinical and patient data, they offer both an attractive resource for potential hackers and extend the attack surface of the increasingly connected health ecosystem.

2.1 – Connected medical objects, new Trojan horse 2.0

    64% of French people would like connected objects to be further developed in the health field (11). However, these technologies are far from reliable. While hackings of connected medical devices are carried out by security researchers or within television series (Homeland Season 2), several studies demonstrate the ease with which a criminal could disconnect a connected medical device. We remember former Vice-President Dick Cheney, whose wireless defibrillator functions had been disabled by his cardiologist (12). The risk of a terrorist cyber attack had been assessed as too high….

    In the hospital sector, any connected medical device, MRI scanners, infusion pumps, X-ray equipment and many other electronic devices pose a health threat. Two security researchers, Scott Erven and Mark Collao, conducted research on medical devices connected to the Internet on Shodan (13). This not only poses a significant risk to confidentiality, as patient data can be stolen, but also poses a security threat, for example if it is possible to change the settings used.

These medjack, (term proposed by the security firm TrapX Security), in other words attacks against connected medical devices, could increase in the coming years. Medjack quickly penetrates connected devices to take control of them and extract thousands of personal data (14). Here are some examples of connected devices most vulnerable to cyber attacks:

Pacemakers

WhiteScole, a safety research company, conducted a safety assessment of cardiac devices and home monitoring devices from four major healthcare manufacturers. In peacemaking mechanisms alone, they have discovered 8,000 vulnerabilities (15). One of the main reasons why pacemakers and similar devices contain so many vulnerabilities is mainly due to the fact that many suppliers purchase third-party components for their software or hardware.

Implanted defibrillators

In addition to pacemakers, implanted defibrillators also have security holes. Used to monitor the electrical activity of the heart, they are important for detecting dangerous rhythms and delivering shocks. They can be monitored by radio transmitters. If a hacker is able to compromise radio transmissions via the communication protocol for example, it is only a matter of time before he takes complete control of the device, where he can even be reprogrammed. This could be disastrous if a hacker manages to reset the defibrillator clock and prevent the device from reacting to cardiac/arrhythmic actions (16).

2.2 – Case study: vulnerabilities discovered in an insulin pump

   The OneTouch insulin pump designed by Animas, a company of the American pharmaceutical group Johnson & Johnson, includes two devices: the pump itself, which provides insulin doses to the diabetic patient, and the remote glucose meter. The two devices communicate with each other by radio frequency in the 900MHz band, allowing the pump functions to be controlled up to 3 metres apart. This is complemented by an online data management tool (17). The One Touch Insulin Pump is a very popular medical device commonly used by patients with diabetes. It allows patients to administer their own insulin dose (18). Multiple vulnerabilities have been discovered:

Unquantified data

This device is wirelessly connected to a remote control and communication between the two devices is not encrypted. Indeed, the OneTouch insulin pump system sends data in clear text via a proprietary communication protocol.

Low pairing between remote control and pump

When the pump is installed, it must be paired with its remote control. This prevents the pump from intercepting instructions from other remote controls that it may accidentally retrieve during transmissions. The pairing process is done via an exchange of 5 unencrypted packets where the two devices exchange serial numbers. The 5 packets are identical each time the pairing process is performed between the remote control and the insulin pump.

Lack of prevention of attacks by replay of transmission.

The communication between the pump and the remote control has no sequence number or other forms of defense against replay attacks. For this reason, attackers can capture transmissions remotely and replay them later to administer a dose of insulin without special knowledge, which can potentially cause a hypoglycemic reaction.

Three CVE identifiers have been assigned to these three vulnerabilities. CVE-2016-5084 describes the vulnerability regarding unquantified data, CVE-2016-5085 the poor pairing between the remote control and the pump, and CVE-2016-5096 the lack of prevention of transmission repetition attacks.

    A remote attack could be fatal for the person with diabetes. Indeed, a too high dose would then lead to hypoglycemia. Nevertheless, the probability of an intrusion into the OneTouch Ping system is very low. The hacker would have to be within 800 metres of the patient and have some technical expertise to modify the data (19). Of the 114,000 patients equipped with this device, none have suffered collateral damage as a result of the exploitation of one of the vulnerabilities according to Johnson & Johnson (20).

2.3 – Health data, the new black gold of hackers

    Personal health information is a potentially rich target for those with criminal intentions. They often contain not only personal identity details, but also, in many cases, financial information. Not only would criminals be able to obtain simple identity or financial information, but they may also be able to collect details about specific medical conditions that can be used to commit insurance fraud. In addition, some hospitals do not have a clear idea of the exact number of devices of this type at their disposal, and this lack of visibility is compounded by variable purchasing and networking controls. Many of these devices were never originally designed to be online.

In recent years, hospitals have been victims of ransomwares. Criminals encrypt the computer data of health care facilities and decrypt it for a certain amount of money. In France, in March 2015, the medical biology laboratory Labio was the victim of a hacking of 40,000 identifiers and hundreds of medical check-ups. In the United States, 14.7 million people were affected by personal data breaches in 2011 and 2012 (21). Finally, a few years ago, French and British hospitals were affected by malicious code (Conficker virus). Some 8,000 computers had been infected in these hospital departments.

In addition to financial motivations, criminals, including terrorists, could launch cyber attacks for lethal purposes. Taking control of a medical device implanted directly into the body could have terrible consequences for the patient’s health: pain related to the dysfunction of the device, loss of consciousness, death. The lack of security in hospitals suggests that disaster scenarios could be considered…

Part 3 – Recommendations

   According to Philippe Loudenot, FSSI (Information Systems Security Officer) of Social Affairs, Health and Women’s Rights, “security is not a problem of resources but of governance, skills and ownership“. Indeed, many vulnerabilities stem from a lack of training and information for staff, but also for designers of connected objects. Thus, several recommendations can be made to improve safety and stakeholder awareness.

3.1 – Enhancing product safety throughout its life cycle

Design phase. Manufacturers must quickly take into account safety aspects. For example, they can use defence-in-depth, which means that all scenarios must be analysed. They should separate security functions from other functions and consider audits by third-party security specialists. Manufacturers should also identify personal data, implement transparency measures, design the product or service with a legitimate purpose, define access control, anonymity and non-traceability measures in order to strengthen the protection of personal data.

Testing phase. The correct behaviour of the product must be tested in relation to its specifications. Tests should not only focus on normal behaviour, but also cover a wide range of errors and ensure robust fault tolerance. It is therefore necessary to test the conformity of security functions, carry out additional security checks and penetration tests to ensure that private data is properly handled, in particular with regard to European regulations.

Operating phase. The connected health device can be connected to several networks. In the event of an attack on the device or a programming error affecting the network, certain separation rules must be followed in order to limit propagation to other networks. Hospitals need to carry out regular cybersecurity audit checks, which could be carried out in the form of penetration tests. They should also conduct vulnerability surveys and regularly check security assumptions over the life of the product, and protect the software update mechanism.

Final phase. Manufacturers should provide a service for the backup and/or secure erasure of data stored or used by the device during use and at the end of the product’s life. Vendors should not only proactively conduct investigations to discover new vulnerabilities, but also provide a secure and reliable mechanism for updating the device to allow vulnerabilities to be fixed.

3.2 – Software and hardware security

   Network supervision. In health care facilities, computers are often used by several people, in self-service, without supervision or password. It only takes a moment of inadvertence to insert a USB key and install malware to remotely control the computer. So it is very easy to surf the internal network of a hospital. Hospitals should pay more attention to the security of their network and ensure that no critical infrastructure equipment is connected to a public network.

Use technology capable of identifying malware and persistent attacks that have already bypassed the primary defenses of the hospital’s IT security system, and/or report IT attacks (including to ANSSI) to appropriate agencies. Collaboration with an integrated security service provider (ISSP) for small hospitals or clinics to manage these security challenges (malware, failure of connected equipment, remote control of a device by a hacker) also seems to be a good option.

Use encryption techniques. Encourage medical device suppliers who use techniques such as digitally signed software and encrypt all internal data with passwords that you can change and reset. Software signature is a mathematical technique used to validate the authenticity of the software. This technique helps prevent the execution of unauthorized code.

3.3 – Raise awareness among health professionals and patients and strengthen collaboration between manufacturers

   Record any criminal event. Healthcare facilities should prepare for major data theft with the development of connected objects. It is recommended to log security events (and make logs inaccessible to unauthorized users) and make notifications easy to understand in order to help users find a solution, in accordance with Article 22 of the Military Programming Law on the Protection of Vital Operators, of which hospitals are a part.

Take training courses on cybersecurity. In addition to data security, the challenge is also to educate staff on IT security. This includes not clicking on suspicious links, choosing complex passwords and updating antivirus software. Precautions that must become reflexes so that this sensitive information does not fall into the wrong hands. For example, at the end of 2013, the Ministry of Health deployed a General Health Information Systems Security Policy (PGSSI-S). Still little known to the professionals it targets, this strategy aims to improve practices to combat cyber threats(22).

Cooperation between designers of connected products is crucial: to effectively address the lack of security of connected objects, manufacturers should meet in forums, exhibitions, foundations, etc. Manufacturers should continue to improve their communications with each other. The Industrial Internet Consortium (IIC), formed by Intel, IBM, Cisco, Cisco, AT&T, and Microsoft, is an example of how industry collaboration can help unlock business value while enhancing security.

Conclusion

    Health no longer concerns only professionals and practitioners. With the advent of e-health, patients and users are becoming actors in their own health. Health is more accessible and more personalized. Requiring real major and vital challenges, Internet giants and technology multinationals such as Microsoft, have also turned to this sector, boasting IoT solutions to transform it technologically. By integrating information and communication technologies (ICT), the various health services (health and medico-social, hospital and ambulatory, medical and paramedical sectors) have been decompartmentalized and optimized to serve as a lever for local health.

The medical context has changed considerably in recent years, highlighting the need to evolve in terms of medical practices. The arrival of connected equipment in the health sector appeared to be the solution combining the efficiency of the care provided and the control of health expenditure. Connected Health Object Internet solutions improve processes and patient care. These multiple solutions have considerably shortened the exchange process between patients and practitioners. Finally, the collection and use of health data has significantly improved disease prevention.

   The ever-increasing number of connected health objects reflects the inevitable digital transformation of health. Beyond this digital transformation, the IoT is changing the fundamentals of medicine and we can define e-health through four main axes: “the 4Ps of medicine”. Medicine will be predictive, personalized, preventive and participatory. 4P medicine will therefore improve prevention for patients and reduce risks. However, in the era of the DGMP, the lack of interconnections and data security issues could represent a barrier to the development and diffusion of connected health. The computer systems of hospitals and health centres still lack interconnections and exchanges, which could explain the fragmented sharing of patient information. The multiple compromises by ransomware or malware that have affected some hospitals in recent years make professionals and practitioners reluctant to secure IoT networks and its use.

Even if no deadly cyber attacks have been carried out, hacking into connected health objects could lead to lethal purposes. Scenarios of attacks against connected medical equipment attest to this situation. By accessing a hospital’s data servers, a hacker could voluntarily modify the patient’s doses to be administered and inject a sufficiently lethal dose. By their nature, the connected solutions represent a definite risk and highlight security needs that are more than essential.

(1)https://www.grandviewresearch.com/industry-analysis/internet-of-things-iot-healthcare-market
(2)https://www.xerfi.com/presentationetude/E-sante-:-le-marche-de-la-medecine-connectee-perspectives-a-l-horizon-2025_7CHE45
(3) http://www.irdes.fr/documentation/syntheses/e-sante.pdf
(4) http://www.irdes.fr/documentation/syntheses/e-sante.pdf
(5) Xerfi Group, « E-santé : le marché de la médecine connectée perspectives à l’horizon 2025 ».
(6)https://experiences.microsoft.fr/business/intelligence-artificielle-ia-business/sante-connectee-chiffres/
(7) https://www.journalducm.com/sante-connectee-e-sante/
(8)https://ecs-digital.com/actus-2-0/le-sante-cap-vers-lavenir-avec-les-objets-connectes/
(9)https://www.i-scoop.eu/internet-of-things-guide/internet-things-healthcare/
(10)https://www.inserm.fr/information-en-sante/dossiers-information/intelligence-artificielle-et-sante
(11) http://leplus.nouvelobs.com/contribution/1352727-objets-connectes-et-sante-les-donnees-personnelles-des-patients-naviguent-c-est-risque.html
(12)http://www.slate.fr/monde/79128/dick-cheney-simulateur-cardiaque-hack-homeland
(13) https://www.computerworld.com/article/2987737/security/thousands-of-medical-devices-are-vulnerable-to-hacking-security-researchers-say.html
(14) TRAPX Security, Anatomy of an attack, publié en mai 2015, 39 pages
(15) https://www.rt.com/viral/390008-hacking-pacemakers-vulnerabilities-security/
(16)https://arstechnica.com/science/2008/03/hacking-implanted-defibrillators-shockingly-easy/
(17) https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump
(18) https://www.animas.com/diabetes-insulin-pump-and-bloog-glucose-meter/onetouch-ping-blood-glucose-monitor
(19)http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L
(20) http://www.theregister.co.uk/2016/10/05/animas_diabetes_pump_flaw/
(21)https://www.liberation.fr/planete/2015/06/05/etats-unis-piratage-de-donnees-de-4-millions-d-employes-federaux-la-chine-soupconnee_1323401
(22)https://www.pourquoidocteur.fr/Articles/Question-d-actu/12565-Cyberattaques-les-etablissements-de-sante-tentent-de-se-proteger