been found in clinical monitors, too. In September 2020 DataBreachToday reported about several vulnerabilities in a Philips monitor.37 While the problems may be the equivalent of speaking a foreign language to some of you, the mitigations step should give a better idea about how bad these vulnerabilities are. Paraphrasing, they recommend that the device essentially be quarantined (from a network perspective) until it is patched. They also want the device to be physically blocked off to prevent unauthorized login attempts and only allow access on a must-have basis.38 The list is more extensive (and more technical as I am trying to save my non-technical audience), but the mitigation steps are non-trivial in many environments. Some hospitals have the equivalent of a flat network, which means the network is essentially wide open, and trying to block the devices is time-consuming from a network standpoint, but also from a physical standpoint. If a large manufacturer like Philips is making these kinds of mistakes, it is even more difficult for the smaller companies.
Websites
Part of the connected world is a need for instant access to data—especially when it comes to hospitals. The more up-to-date the information, the more valuable that information is. There are numerous ways of collecting that information, but quite often with IoMT, that information's repository is an EHR system. That means the mobile devices, which are quite often connected via cellular technology, will need a way to access the data from the internet. Websites are a common tool to collect that information—whether it is directly through the EHR or through an independent website. Websites have all the flaws that we have previously mentioned and tend to be dependent on hardware or the cloud, an operating system, and software development.
Putting the Pieces Together
Just like a car, the more parts there are in the system, the more things can break. Similarly, in the electronic world, each piece of the system adds complexity and more room for vulnerabilities. Not only can they break, but they may have unforeseen vulnerabilities. Since one or more of the systems identified in Figure 2-1 are part of the IoT ecosystem, they all can have potential issues. When considering the security of a hospital, this is a daunting and growing challenge.
Current IoMT Challenges
A few might argue that recent legislation may have solved the problems related to vulnerabilities found within connected medical devices. While improvements have been made, there are still enormous challenges related to securing these devices. Legacy systems pose tremendous risks for organizations. With IoMT devices providing more value, especially in the time of COVID-19, the problems are only going to grow over time.
Figure 2-1: The interconnection of IoMT technologies
On January 23, 2020, the FDA released a warning on GE Healthcare's Central Stations and Telemetry Servers—essentially medical equipment that monitors patients.39 Just the day before on January 22, 2020, GE posted the list of devices that are much broader. They listed six vulnerabilities that can allow an attacker to:
“Make changes at the operating system level of the device with effects such as rendering the device unusable, otherwise interfere with the function of the device, and/or
Make certain changes to alarm settings on connected patient monitors, and/or
Utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.” 40
In this case machines used to monitor blood pressure, heart rate, temperature, and patient status had a flaw that could allow a person to tamper with the devices and interfere with the standard operations of the device. Examples include, but are not limited to, creating false alarms and silencing alarms.
At the time of this writing, in 2020 alone, GE has had eight critical vulnerabilities released. These are easily explorable on their website, so I will not list each one. I can also look at a host of other competitors and show the disclosures they have on their website. The reality is that vulnerabilities are part and parcel of any type of system that has a programming component. If we expand the search beyond internet-connected devices into the realm of just devices, the problem is even greater. Connected medical devices just have extra considerations because they can be accessed remotely as part of a greater ecosystem, whereas before they were a disconnected box.
Some of this stems from the continuous software development process. IoMT manufacturers are continually making improvements and upgrades to their devices—even adding new features. If a device is certified at a specific point in time, even if it is perfectly secure, there is no guarantee that the device will be secure after one or more updates. Over a few years the original software can vary greatly—especially if you consider a life span that may be up to 15 years.
Another reality facing manufacturers is stiff competition. The timing of the release of a device (often any product) is absolutely critical. Security is a known way of slowing down the release of a product because it takes time and money to make sure that things are evaluated in a mature way—not to mention the resolution time to remediate any findings security assessments may find. If you are a CEO and are dealing with the pains of the market versus the pains around a device, sometimes a cost benefit analysis means things may not be perfect—especially if patches can fix the problems later. From an advertising perspective, sometimes the negative press is also seen as a positive—especially for non–life critical systems.
In Summary
All this said, as we have seen with Spectre and Meltdown in the previous chapter, vulnerabilities exist that nobody would have predicted. Even if a company is extremely diligent with its security, vulnerabilities can be found. They are inevitable even in the best of situations. That does not mean we should not strive for better. Too often, IoMT manufacturers use the excuse of ever-present vulnerabilities to not focus on the security of their products as much as they should. Again, this does not apply to every company, but unfortunately it applies to too many companies. As hospitals adopt IoMT technology in greater quantities, there will be a tipping point for security to become of greater importance than it currently is from a manufacturer's perspective.
In the end, both lives and data are important to protect. So far, we have been focusing on the technology. The data that comes out of that technology is also extremely important. The cost of a breach is heavily linked to the amount of data. All of these IoMT vulnerabilities inevitably lead to a loss of data. IoMT is causing a data explosion, and thus the risks for hospitals are greater than they ever have been—not just from IoMT devices, but also from the data they produce. We'll explore the data side of the equation in the next chapter.
Notes
1 1 Trevor Harwood, “Internet of Things (IoT) History: A closer look at who coined the term and the background evolution into today's trending topic.” November 12, 2019, https://www.postscapes.com/iot-history/.
2 2 Alison DeNisco Rayome,