EBME Forums

Protecting medical devices from cyber attack

Posted By: John Sandham

Protecting medical devices from cyber attack - 08/07/19 11:15 AM

If a Hospital buys medical equipment, they know that they have to manage the security and privacy of their patients, and therefore build defences to protect their networks, but what about the equipment itself?

How secure is our medical equipment, especially bluetooth enabled devices?
What are suppliers doing to stop devices becoming an inadvert 'back door' to private and confidential information?
Even worse, is the security sufficient to stop tampering with device settings?
Posted By: Geoff Hannis

Re: Protecting medical devices from cyber attack - 08/07/19 3:16 PM


Never mind cyber attack ... what about passwords (as well as pump access codes) being left scribbled on Post-it notes? think

But think positive, John ... it's just another justification for maintaining in-house tech support, and the time-honoured tradition of having senior biomeds stride around their domain (hopefully with their eyes open) once every day or so.
Posted By: Huw

Re: Protecting medical devices from cyber attack - 08/07/19 3:31 PM

Originally Posted by Geoff Hannis

Never mind cyber attack ...

Really?

The FDA (amongst others) would disagree...
https://nakedsecurity.sophos.com/20...implants-can-be-hacked-fda-issues-alert/
Posted By: Geoff Hannis

Re: Protecting medical devices from cyber attack - 08/07/19 4:40 PM


Presumably the FDA were the ones who allowed those devices to be marketed in the first place.

There's not much the front-line biomed can do about stuff like that. frown

Meanwhile, I have always cautioned against the Great Rush Forward to embrace whatever wuss-o-rama new technology is the current flavour of the month. Techniques used in medical equipment should be solid (well engineered, proven and resilient). After all, we are dealing with people's well-being (and sometimes their lives) - not the latest iPhone updates, or ticking "Likes" on social media.

Quote

A decade or more ago, adding wireless capability to huge amount[s] of medical equipment looked like an easy win for convenience.

Unfortunately, security was low on the priority list and based on too many assumptions about likelihood and motive.


Organisations like the FDA are meant to be protecting us from such idiocy.

However - we can (and should) always be on the look-out for security breaches "nearer to home", of the type I have mentioned.
Posted By: Ian Chell

Re: Protecting medical devices from cyber attack - 11/07/19 8:08 PM

Hi - Have you seen this?

https://assets.publishing.service.g...nce_and_Technology_Strategy_FINALpdf.pdf
Posted By: John Sandham

Re: Protecting medical devices from cyber attack - 24/07/19 12:05 PM

Interesting document Ian,

I note the state: Connected medical devices present a great opportunity. By eliminating the need for manual
data entry, potential benefits include faster and more frequent data updates, diminished human error, and improved workflow efficiency.

I was speaking to an IT security expert who told me that it is not 'science fiction' for a connected medical device to be accessed from outside the hospital and adjusted remotely to harm or potentially kill patients, because the IT security on medical equipment is so poor.

Geoff, can't beat having feet on the ground, but younger biomeds (not us!!) need to understand this cyber stuff too.
Posted By: Geoff Hannis

Re: Protecting medical devices from cyber attack - 24/07/19 1:25 PM


Yes; but why would anyone ever want to go to such lengths? think

Meanwhile, did this "expert" offer up any clues or suggestions about how such a scenario could be remedied?

More "tin-foil" required?

Feet on the ground ... and head in "The Cloud". smile

Be alert ... biomed needs Lerts.
Posted By: Ian Chell

Re: Protecting medical devices from cyber attack - 24/07/19 9:07 PM

Hi. interesting to note your comments about younger biomes. You may have seen my recent request for any old CF devices - for the B/MEng course in Biomedical Eng at Birmingham City Uni. I think I will suggest they explore having a lecture in cyber comms basics to understand IP addressing and the ISO model etc.

There was a great talk at the EBME Conf. at Silverstone 2 years ago about cyber attacks - the speaker showed a toy doll which had internet capabilities that could be hacked!

Siemens came to the rescue for my call for an old contrast injector - really helpful and generous
Posted By: John Sandham

Re: Protecting medical devices from cyber attack - 30/07/19 11:51 AM

I am hoping to have an IT expert speak at the 2020 EBME Expo on cyber security for medical equipment.

Geoff,
I agree, why would anyone do such a thing as hack into medical equipment?
Potentially:
Just for fun;
To get the NHS to pay a ransom...(been done before);
To harm or kill someone (potentially an ex-russian spy? perhaps being treated in an NHS hospital for nerve agent poisoning??)
Terrorism;
etc...etc.
Who knows, but the security of a piece of medical equipment should be equivalent to other industry sectors (Aircraft, motor vehicles...), and it is not there yet. shocked
Posted By: Geoff Hannis

Re: Protecting medical devices from cyber attack - 30/07/19 12:09 PM


Ah; not a very high bar, then. frown

Potentially at least, any "device" that passes or accepts radio transmissions can be open to interference "by others". As you know John, military communications go to great (and expensive) lengths to make radio transmissions secure (channel hopping, sending in short bursts, and what-have-you); and even then they don't always succeed.

Similarly, anything connected to networks, especially "open" networks such as the internet, can't help but be vulnerable to "attack" (just as computers connected to the internet are).

Cellphone ("mobile phone") transmissions can be intercepted (listened to) by "certain agencies", so I expect they can also be corrupted (interfered with) - and certainly shut down.

For me the bottom line is:- why should medical equipment be "connected" at all? think

Yes, I understand the advantages - a physician being able to keep an eye on patient parameters via a Smartphone, and so forth - but I believe that (more) serious consideration should be given to:-

1) Whether the advantages outweigh the risks
2) Having equipment transmit data only (and not receive)
3) If "receive" is a "must" - only allow it over closed (internal, hospital) networks

OK John, there's your synopsis, right there. smile
Posted By: Geoff Hannis

Re: Protecting medical devices from cyber attack - 30/07/19 12:13 PM


Originally Posted by John Sandham

To get the NHS to pay a ransom...(been done before)


If I remember rightly, that was a (poorly protected) complete hospital network, rather than an individual device.

In fact, was it not simply due to "sloppy drills" by staff ...clicking on links in unsolicited emails, sharing "non work related" data (spreading Trojans) over the network, and (or) by USB memory sticks?

Meanwhile, I look forward to hearing about any examples of a single medical device having been specifically targeted. smile
Posted By: Geoff Hannis

Re: Protecting medical devices from cyber attack - 30/07/19 12:51 PM


For background information on standards for wireless medical devices, see the FDA ... not to mention the FCC.

Also, the ISM band ... more (from an interesting site). smile
Posted By: Geoff Hannis

Re: Protecting medical devices from cyber attack - 31/07/19 11:12 AM


Check out the top two of the Recent Downloads. smile

1) Pope
2) Carroll
© 2019 EBME Forums: Biomedical and Clinical Engineering Discussion Forums.