Securing Medical Devices is a Matter of Life and Death

When a man arrived in the middle of the night at a North London hospital emotionally upset, distressed, with seizure-like movements and unable to speak, Isabel Straw, an NHS emergency doctor, at first struggled to find the cause because none of the tests her team performed on him revealed any issues.

That is, until she realized the man had a brain stimulator implanted inside his head and that its malfunctioning was probably the reason for his pain.

Straw, also the director of the non-profit bleepDigital, urged decision-makers at all levels to further investigate the cybersecurity risks of medical devices, from consumer devices through to implanted and ingested technologies.

“In the past 10 years, we’ve seen a lot of advances in these technologies, which has opened up new vulnerabilities,” she said during a presentation at UK Cyber Week, on April 4, 2023.

The Internet of medical things (IoMT), as all these devices have come to be called, is increasingly used in healthcare settings and at home, both outside and inside the body, and is ever more interconnected. As a result, the security threats the IoMT poses are becoming more concerning and can have a significant impact on patients’ health.

More Safeguards Needed for IoMT

The fear that these devices could start malfunctioning, or even get hacked, is real, and examples of cyber incidents involving IoMT devices are growing in number. As a result, there needs to be increased coordination between manufacturers and governments to implement more safeguards against security incidents and build more capabilities to carry out digital forensics, Straw said.

She also insisted that healthcare professionals should be trained on technical issues they could encounter with IoMT devices – and on as many models as possible.

“With the patient I mentioned, we had to go through his bag, where we found a remote control for the brain stimulator, which no doctor at the hospital knew about. So, I took a photo of it, did a reverse Google image search and found the manual online after a few hours. We realized the device was just desynchronized, but it took us 13 hours to find someone to reset it. If this happened again tomorrow, we would still not know how to treat him,” she explained.

“To this date, we still don’t know why it malfunctioned. Often, these medical devices don’t have the memory space or the ability for digital forensics,” she added.

What Happens to IoMT After Death?

These devices can process increasing amounts of data, posing a security risk and data privacy concerns.

“Since 2013, the electrodes in brain stimulators have started to be able to read more data, on top of just delivering a voltage. This allowed us to get more data from the patient’s brain activity and read it externally, which can be used to personalize the data you’re analyzing to the patient’s disease. But streaming people’s brain data also brings a confidentiality issue,” Straw highlighted.

In that case, not only does the brain stimulator need to be secure, but so do the communication streams with the health center, the system the health professional is using, and the cloud servers, as health professionals increasingly use cloud services to process and analyze data.

Another challenge is what to do when someone dies because of a medical device. “If this man had died, what would have happened with his device? Should we bury it with him, or dispose of it? Does it go to the general waste? And what do you mention on the death certificate? These questions are still unanswered, and we don’t get training on those issues,” Straw noted.
