Joined: Jul 2000
Posts: 1,959
Likes: 32
Hero
OP Offline
If a Hospital buys medical equipment, they know that they have to manage the security and privacy of their patients, and therefore build defences to protect their networks, but what about the equipment itself?

How secure is our medical equipment, especially Bluetooth-enabled devices?
What are suppliers doing to stop devices becoming an inadvertent 'back door' to private and confidential information?
Even worse, is the security sufficient to stop tampering with device settings?


Be Proactive and reactive.
Joined: Feb 2004
Posts: 14,662
Likes: 62
Super Hero

Never mind cyber attack ... what about passwords (as well as pump access codes) being left scribbled on Post-it notes? think

But think positive, John ... it's just another justification for maintaining in-house tech support, and the time-honoured tradition of having senior biomeds stride around their domain (hopefully with their eyes open) once every day or so.


If you don't inspect ... don't expect.
Joined: Jun 2000
Posts: 2,410
Likes: 12
Huw Offline
Hero
Originally Posted by Geoff Hannis

Never mind cyber attack ...

Really?

The FDA (amongst others) would disagree...
https://nakedsecurity.sophos.com/20...implants-can-be-hacked-fda-issues-alert/

Joined: Feb 2004
Posts: 14,662
Likes: 62
Super Hero

Presumably the FDA were the ones who allowed those devices to be marketed in the first place.

There's not much the front-line biomed can do about stuff like that. frown

Meanwhile, I have always cautioned against the Great Rush Forward to embrace whatever wuss-o-rama new technology is the current flavour of the month. Techniques used in medical equipment should be solid (well engineered, proven and resilient). After all, we are dealing with people's well-being (and sometimes their lives) - not the latest iPhone updates, or ticking "Likes" on social media.

Quote

A decade or more ago, adding wireless capability to huge amount[s] of medical equipment looked like an easy win for convenience.

Unfortunately, security was low on the priority list and based on too many assumptions about likelihood and motive.


Organisations like the FDA are meant to be protecting us from such idiocy.

However - we can (and should) always be on the look-out for security breaches "nearer to home", of the type I have mentioned.


If you don't inspect ... don't expect.
Joined: Sep 2017
Posts: 111
Likes: 3
Savant
Offline

Joined: Jul 2000
Posts: 1,959
Likes: 32
Hero
OP Offline
Interesting document Ian,

I note they state: Connected medical devices present a great opportunity. By eliminating the need for manual data entry, potential benefits include faster and more frequent data updates, diminished human error, and improved workflow efficiency.

I was speaking to an IT security expert who told me that it is not 'science fiction' for a connected medical device to be accessed from outside the hospital and adjusted remotely to harm or potentially kill patients, because the IT security on medical equipment is so poor.

Geoff, can't beat having feet on the ground, but younger biomeds (not us!!) need to understand this cyber stuff too.


Be Proactive and reactive.
Joined: Feb 2004
Posts: 14,662
Likes: 62
Super Hero

Yes; but why would anyone ever want to go to such lengths? think

Meanwhile, did this "expert" offer up any clues or suggestions about how such a scenario could be remedied?

More "tin-foil" required?

Feet on the ground ... and head in "The Cloud". smile

Be alert ... biomed needs Lerts.


If you don't inspect ... don't expect.
Joined: Sep 2017
Posts: 111
Likes: 3
Savant
Offline
Hi. Interesting to note your comments about younger biomeds. You may have seen my recent request for any old CF devices - for the B/MEng course in Biomedical Eng at Birmingham City Uni. I think I will suggest they explore having a lecture in cyber comms basics to understand IP addressing and the ISO model etc.

There was a great talk at the EBME Conf. at Silverstone 2 years ago about cyber attacks - the speaker showed a toy doll which had internet capabilities that could be hacked!

Siemens came to the rescue for my call for an old contrast injector - really helpful and generous.

Joined: Jul 2000
Posts: 1,959
Likes: 32
Hero
OP Offline
I am hoping to have an IT expert speak at the 2020 EBME Expo on cyber security for medical equipment.

Geoff,
I agree, why would anyone do such a thing as hack into medical equipment?
Potentially:
Just for fun;
To get the NHS to pay a ransom...(been done before);
To harm or kill someone (potentially an ex-Russian spy? perhaps being treated in an NHS hospital for nerve agent poisoning??);
Terrorism;
etc...etc.
Who knows, but the security of a piece of medical equipment should be equivalent to other industry sectors (Aircraft, motor vehicles...), and it is not there yet. shocked


Be Proactive and reactive.
Joined: Feb 2004
Posts: 14,662
Likes: 62
Super Hero

Ah; not a very high bar, then. frown

Potentially at least, any "device" that passes or accepts radio transmissions can be open to interference "by others". As you know John, military communications go to great (and expensive) lengths to make radio transmissions secure (channel hopping, sending in short bursts, and what-have-you); and even then they don't always succeed.

Similarly, anything connected to networks, especially "open" networks such as the internet, can't help but be vulnerable to "attack" (just as computers connected to the internet are).

Cellphone ("mobile phone") transmissions can be intercepted (listened to) by "certain agencies", so I expect they can also be corrupted (interfered with) - and certainly shut down.

For me the bottom line is:- why should medical equipment be "connected" at all? think

Yes, I understand the advantages - a physician being able to keep an eye on patient parameters via a Smartphone, and so forth - but I believe that (more) serious consideration should be given to:-

1) Whether the advantages outweigh the risks
2) Having equipment transmit data only (and not receive)
3) If "receive" is a "must" - only allow it over closed (internal, hospital) networks

OK John, there's your synopsis, right there. smile


If you don't inspect ... don't expect.