4 IoT Medical Devices That Are Vulnerable to Hacks

connected healthcare technologies

By Ludovic F. Rembert, Head of Research at Privacy Canada.

The Internet of Things (IoT) has made it easier for point-of-care centers to track and analyze sensitive medical data for their patients. But with so much confidential data transmitting to and from physicians, it’s crucial that IoT medical devices use safe communication protocols that encrypt their data.

Unfortunately, many IoT medical devices have major security vulnerabilities, which put patient data at too much risk and can make it harder for healthcare professionals to rely on them in the future. What’s more, many IoT devices rely on a limited pool of computing resources, which makes it tough to create solutions that can keep their data encrypted on wireless networks.

To better understand the security vulnerabilities that IoT medical devices face, it’s important to know exactly which products are most at risk of being hacked. In this article, we will cover the four IoT medical devices that are most susceptible to cybersecurity breaches and how to protect them.

1 – Wireless Infusion Pumps

Wireless infusion pumps, as the name may suggest, remove the need for physicians to give their patients vital medical fluids in-person. Instead, these IoT devices can talk with a patient’s electronic health records to speed up fluid infusions and cut down on healthcare costs.

However, the wireless connection protocols that these pumps use can provide low-hanging fruit for cybercriminals to pluck. Wireless infusion pumps, just like a tablet or home computer, need to be hooked up to a network to take in data from a server and send it back out to receiving devices, which makes them vulnerable to malicious software that finds its way onto a wireless network.

Protecting IoT data on the cloud can help point-of-care centers avoid threats on an unencrypted physical network. This is because cloud storage services such as Google Drive or DropBox offer a reduced number of entry points that hackers can use to gain access to a network and compromise IoT devices.

Furthermore, medical organizations can use Google Drive and Dropbox for storing files that contain protected patient information while maintaining HIPAA compliance, so long as a business associate agreement (BAA) is signed with either service.

2 – Implanted Devices

Implanted devices, like the ones that track your body’s cardiovascular functions, wirelessly transfer patient data to expedite the healthcare they receive. However, a faster rate of data transfer doesn’t mean much if it compromises a patient’s confidentiality and puts their health at risk. Hackers who remotely access implanted medical devices can wreak havoc on their functionality and subsequently endanger patients’ lives.

The biggest security issue with implantable devices lies in the way they communicate with each other. Wireless communication systems, like Medtronic’s Conexus protocol, often fail to stop data breaches because they don’t include an incident response plan. Fortunately, in early 2020 Medtronic released patches for security flaws for its devices that had been disclosed in the prior two years.

While this can offer a little assurance, the simple fact remains that these kinds of devices still freely transmit wireless information without authenticating or encrypting it, and they have no Plan B in place in the event that hackers intercept their data. It’s no surprise, then, that implantable devices can be exploited by cyber breaches such as DDoS attacks.

3 – Smartpens

Smartpens are a godsend to physicians who need to quickly access a complete snapshot of their patient’s medical background. These small IoT devices can store and quickly transmit massive amounts of sensitive data to pharmacies and point-of-care centers. It certainly sounds convenient for both patients and doctors, but much of their information is at risk of being compromised.

Smartpens, like implanted devices, expose themselves to cybercriminals with gaping backdoors that can be opened via their network communication protocols. Instead of safely accessing medical records by installing protective software, smart pens often rely on servers directly connected to the internet to store and access sensitive data. Once a hacker exploits these communication protocols, there’s not much left standing in the way between them and a server filled to the brim with confidential patient records.

4 – Vital signs monitors

The IoT makes it possible to remotely monitor a patient’s vital signs using Bluetooth technology and allows doctors to rapidly respond to changes in a patient’s vitals, but it comes at the cost of low-quality encryption methods. This is why as an additional option to relying on the cloud to store patient data, healthcare companies should investigate alternative encryption protocols that target low-power IoT devices.

One solution is for medical companies to make it a policy to always use virtual private networks (VPNs) that come with proven encryption protocols like IKEv2 or L2TP/IPSec when connecting IoT devices to the organization’s network. Using a VPN will hide the IoT devices’ IP addresses and ensure that company and patient data transmitted over the network are kept untraceable.

In any case, encryption protocols need to start compensating for vital signs monitors’ limited pool of computing resources by becoming more sophisticated. Right now, too few encryption protocols for IoT vital monitors sacrifice their quality by being low-power solutions themselves.

Conclusion

It’s crucial for IT teams and cybersecurity personnel working for healthcare companies to know what medical devices powered by IoT are most at risk of hacking and cyber-attacks. A complete understanding of how data assets become vulnerable can help medical organizations figure out how to protect them. This becomes truer than ever as more IoT medical devices are being developed and deployed to hospitals, health clinics, and even patients’ own homes.

Healthcare businesses can give their IT departments a head start in the near future by combining a monitoring view of their active IoT medical devices with the rest of their security initiatives. Right now, the solutions to gain broader visibility into each IoT device that is online are limited. However, creating strategies to discover and detect security threats that integrate with IoT medical devices can safeguard sensitive medical data and protect vulnerable patients.

Related posts