Security Sidebar: Internet Connected Health Care
This edition of "security sidebar" will explore the healthcare industry's increasing reliance on Internet-connected devices and how that might affect your personal health in the near future.
Internet-connected medical devices can provide genuinely beneficial results for many people. These devices can transmit vital sign data, monitor heart rate and blood pressure, record glucose levels, check on ultrasound results... the list goes on and on. Fitness bands also capture health statistics on patients and transmit the data to remote computers and servers. And it doesn't stop with medical devices and fitness bands. One company has embedded Internet-connected, motion-detecting sensors in pill boxes to see if patients are taking their pills on a regular basis. Needless to say, the number of Internet-connected medical devices is on the rise.
Health insurance companies are promoting these devices to help with early diagnosis of problems in patients. Doctors are also using them to track and monitor their patients. The primary goal is to identify problems early so as to minimize costs and inefficiencies in the healthcare system. Wait, there are inefficiencies in the healthcare system...what?!?
Even though these devices were designed to fulfill a good and worthwhile purpose, the less-than-honorable among us see this as a gold mine for hacker activity. Studies have confirmed what we already know: the health care industry is a huge target for hackers. Last year, the health care industry suffered more cyber attacks than any other industry in the United States. A quick Shodan search reveals many Internet-connected medical devices that are ripe for attack. In addition to medical devices, medical records can fetch a pretty penny on the black market, and rightfully so. You can do a lot more with a person's medical records than you can with a shopping rewards card from a retail store. And, while you're in the hacking mood, why not take ownership of the pacemaker implanted in that heart patient down the street?
Of course, many organizations are working hard to prevent these attacks. In the United States, the Food and Drug Administration (FDA) receives several hundred thousand medical device reports each year of suspected device-associated deaths and serious injuries. Many of these devices are Internet-connected. Last June, the FDA issued a safety memo to all medical device manufacturers, hospitals, biomedical engineers, and other healthcare professionals. This memo recommended that all manufacturers and health care facilities take steps to ensure appropriate safeguards are in place in the event of a cyber attack. These companies are certainly working hard to ensure safeguards are in place for their devices. But the reality is that most of these medical device manufacturers use "off the shelf" software, so their devices are only as protected as the commercial software running them.
The health care industry is overwhelmed right now. In the midst of massive legislation changes and significant pressure to reduce cost and improve patient care, this industry has little to no time or energy to spend on cyber security. With the push to make electronic personal health records and Internet-connected medical devices the norm, be sure you stay informed on the security implications of health care industry decisions and movements. I'm not saying don't use an Internet-connected medical device; I'm saying be informed when you do.