People are living longer. Fact. An ageing population places a resource strain on the healthcare sector, and service delivery will suffer without increased investment. Fact.
Replace 'people' and 'population' with 'medical devices' and 'technology landscape' and that's a portrait of healthcare insecurity right there. Fact.
Old and expensive
According to Nuffield Trust estimates produced for the Guardian earlier this year, about two fifths of NHS spending in the UK is devoted to people over 65.
The older you are, the more you cost to treat: an 89 year old costs nine times more than a 50 year old according to Financial Times research and 18 times more than a 30 year old.
Unfortunately, there are no statistics I can find for the cost of using out-dated and insecure medical devices, nor for the cost of replacing them with new and more secure ones.
However, my gut instinct as someone who has been involved in IT security for more than two decades, is that we are fooling ourselves if we think that old age can be ignored.
White hacks on drug pumps
The most common argument that I hear against replacing equipment, especially kit that appears to fulfil the primary care-giving function adequately enough, is that there are more important demands on the NHS purse.
That may be true enough, but it does nothing to diminish the fact that old and non-upgradeable kit is weakening the security posture of the health sector.
I'm fed up to the back teeth of listening to vendors and purse-string holders alike tell me there's no problem because the risk of attack is low. What rot! Just because there's a low risk does not mean there's no risk.
And as any security researcher, or hacker for that matter, will tell you; a small crack can be levered wide-open soon enough. Take, by way of an example of the kind of old kit I'm talking about, drug pumps.
I have recently been in contact with Jay Radcliffe, the researcher at Rapid7 who uncovered the vulnerabilities in the Johnson & Johnson 'Animas OneTouch Ping' insulin pump that has been in the news this month.
That he discovered that a drug pump could be fiddled with by an external attacker – to the point of being able to change doses or stop them altogether – is bad enough. That Radcliffe, a diabetic, found similar vulnerabilities in another pump that he was using himself (a Medtronic device) back in 2011 is frankly outrageous.
Encrypt, accept, renew
There are three things these cases have in common, once you discount the obvious 'they are both drug pumps' connection.
The ability to tap into communications was made possible by a lack of encryption. Either courtesy of wireless connections to a computer, or radio frequency ones to a remote control.
It's almost as if the manufacturers of these devices were singing from the same hymn sheet: the risk of attack is very low, the attackers would need to be very close, have technical expertise and specialist equipment etc etc. See this statement from Animas for an example.
Radcliffe blows both the distance and specialist equipment arguments apart when he says that it's believed the attacks could be performed from one to two kilometres away, if not substantially further.
All that’s needed is sufficient elevation and off the shelf ham radio enthusiast transmission gear that is readily available online. As for technical expertise… funnily enough, most hackers possess this in spades.
They are both old machines. Encryption wasn't seen as an essential requirement when they were designed, most likely as it wasn't thought they were on any attacker’s radar. They were possibly right at the time, but times change and quickly.
Animas has said that users worried by the latest security revelations (assuming they ever get to hear about them as there has been no recall) could stop using the remote or limit the maximum dosage by reconfiguring the device.
Or, as Radcliffe suggests, they could disable the radio functionality by using the not so obvious menu options of Setup|Advanced|Meter/10 screen|RF=OFF.
IT gets old
When I wrote about this for SC Magazine, a trade publication for IT security professionals, I suggested that a culture of insecurity in healthcare could be to blame.
The volume of security insiders that have agreed with me would suggest I could be right. A number of them pointed to the age factor, with many of the devices which are proving to be insecure also being old.
Very old in fact. The pump at the centre of this latest security scare was designed in 2008. Radcliffe himself admits that such devices are built to be in use for a decade, or more.
And there's the real rub – that's a whole lot longer than just about any consumer device I can think of. Yet healthcare devices perform much more important, often life critical, functions that consumer devices don’t.
If anything should be replaced more often, it's this type of kit. Even if you cannot, for financial reasons, agree with that statement then let's at least agree they should be user updatable.
Hackers remain nimble
The problem, and I'm going to keep on saying it, is that old devices don't change quickly but threat models do. Software updates are one thing, ensuring they are rolled out and installed on every device quite another.
Over the air updates, if done correctly and securely, are an answer – but the irony is that they will only be available on the latest devices which have possibly been built with security as a consideration. I say possibly rather than probably, you will note, and that's because so many Internet of Things devices have not.
When I investigated the Internet of Medical Things for Digital Health back in May, I noted the opinion of Billy Rios.
This security researcher, who had successfully installed a game of Donkey Kong onto a device controlling radiation delivery to patients, reckons he's never walked away from investigating a medical device without finding at least one serious issue.
That may have been hyperbole (although given his status I doubt it) but even it if were, it does nothing to diminish the undeniable truth that the older the machine the harder it becomes to keep it secure.
Sure, new devices with new methods of connectivity may open up new routes to attack. However, older machines with no route to user updates can do nothing to mitigate vulnerabilities as they are discovered; and they will continue to be discovered…