It’s three years since Davey Winder first warned about the growing security threat from the Internet of Medical Things. But in new research on digital imaging, our cybersecurity columnist sees evidence it’s an issue which is still not being taken seriously enough.
Three years ago, I made a pretty stark warning that the Internet of Medical Things was in danger of becoming the Android Market of healthcare hardware: “dangerously fragmented and, in the absence of any legislative incentive, dangerously apathetic to the risk it represents”.
I’m not seeing a great deal of movement that makes me think any different now, it must be said. A policy that addresses the specific challenges posed by securing the myriad connected medical devices is still nowhere to be seen. And those challenges are not only about data protection. Far more importantly, they’re about patient welfare.
You might think at this point I am using journalistic licence to create FUD (fear, uncertainty and doubt) but that really isn’t the intent; the risk to patient welfare is all too real.
Evidence of an all-too-real risk
If you still need convincing, then look no further than work by researchers at Ben-Gurion University in Israel. To highlight the level of risk that vulnerabilities in medical devices can pose, a team at the university’s Cyber Security Research Centre created a proof of concept malware exploit that allowed them to add, or delete, tumours from CT and MRI images before they are reviewed by a doctor.
With the permission of the hospital concerned, the researchers performed a penetration test to demonstrate the dangers that such an exploit represents. This wasn’t in an NHS hospital, or even in the UK, but what happened next should be enough to scare the bejesus out of anyone working in one.
The malware enabled the researchers to remotely manipulate some 70 lung scan images, either adding fake cancerous growths or removing actual ones. Three senior radiologists diagnosed cancer in 99% of the scans to which fake nodules and lesions were added. Perhaps even more shocking is that in those scans where actual growths had been removed, radiologists declared the ‘patient’ was healthy in 94% of cases.
Even when the malware manipulation was revealed to the radiologists, and they were told that half of a further 20 images had been manipulated, they were still fooled by most of them (60% for adding cancerous growths, 87% where they were removed). Screening software that is designed to help radiologists confirm a diagnosis fared even worse – it was fooled 100% of the time.
No shortage of threats
If all that wasn’t enough to convince that securing the Internet of Medical Devices is an issue that needs urgently addressing, how about I toss another threat bomb into the fire?
I recently had a conversation with Gilad Israeli, a cyber intelligence analyst at Sixgill. The company has a strapline of “Your eyes in the Dark Web”, which pretty much sums up the nature of our conversation.
By continuously monitoring the underground online forums and marketplaces that are the Dark Web, Sixgill has exposure to just how hot a topic healthcare is among the criminal fraternity. Analysis of thousands of threat actors’ chats and posts over the past three years has shown a consistent increase in vulnerabilities relating to medical devices.
Whenever a new vulnerability is reported the amount of chatter on the Dark Web peaks, and this creates a buoyant marketplace for selling exploits based around these.
For as long as medical devices remain in use that do not encrypt communications, that cannot be patched when a vulnerability is exposed, that do not take security seriously enough, then the risk to patient health will also remain.
At the start of April, Digital Health reported how security researchers were able to gain access to the entire database of patient images of an ultrasound machine as well as load ransomware onto it.
An NHS Digital spokeswoman said then that “we are working toward the recommendations made by the National Audit Office and Public Accounts Committee to help trusts and other NHS organisations to build resilience”.
But, I repeat, while the security conversation required is a complex one, it needs to be had with far more urgency. It’s three years since I wrote that column warning about the security of the Internet of Medical Things, and not much seems to have changed since.