IoT security warning: Cyber attacks on medical devices could put patients at risk

  • January 14, 2019

Poor cybersecurity in Internet of Things (IoT) connected medical devices potentially poses risks to the well-being of patients and the infrastructure which keeps hospitals running.

The Royal Academy of Engineering worked alongside the Petras Internet of Things research hub to produce a report on the IoT, cyber safety and resilience - and the message is that more work needs to be done to improve the security of connected systems.

While noting how connected and implanted medical devices including cardiac pacemakers, drug administration devices and monitoring devices, as well as infusion pumps, defibrillators, glucometers and blood pressure measurement devices can help patient care, the Cyber safety and resilience report also notes that the connectivity inherent in these devices brings risks.

Cyber attacks on connected devices could therefore result in "severe consequences on patient safety" which could even result in injury or worse.

The risk of cyber attacks against hospitals and the disruption which can be caused to medical systems and devices by cyber criminals was demonstrated by last year's WannaCry ransomware attack, which took some hospital IT systems down for weeks.

However, it isn't just malicious attacks and hacking of connected devices which could risk patient safety: events such as natural disasters, the failure of components or even the failure of critical infrastructure could also result in damage being done.

The Royal Academy of Engineering notes there's "no silver bullet for improving cybersecurity and resilience" but warns that the issue requires the government, industry, system operators and the engineering profession to come together and cooperate in order to boost IoT security.

Products must be built to be as resilient to attacks as possible and, in the case that they do end up offline, must be able to be restored as quickly as possible, the report warns.

In order to improve the cyber security of IoT devices, The Royal Academy of Engineering has followed a government recommendation that the products must be built to be "secure by default" and recommends a number of measures to ensure this is the case.

They include mandatory risk management procedures for critical infrastructure which set out guiding principles for cyber risk management during design, operation and maintenance, along with policies for increased transparency in supply chains to improve the level of cyber security in products and services.

Other recommended measures include the UK government working with other governments, international institutions and IoT product manufacturers in order to detail umbrella agreements that set out global specifics for the integrity and security of IoT devices.

It's also noted that this should be done alongside ethical frameworks in order to ensure IoT devices are built with the minimal risk to society.

"The reports we are publishing today identify some of the measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure on which much of our society now depends," said Professor Nick Jennings, lead author of the report.

"We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly."

In addition to recommendations about building security into connected devices, The Royal Academy of Engineering also suggests that the government must invest in helping the wider public to understand the complexities of IoT devices.

"It is vital that we improve the level of technical and data literacy and skills to enable the public to become involved in reinforcing security in data and the Internet of Things," said Professor Rachel Cooper, adoption and acceptability theme lead at the Petras IoT Research Hub.

"Ethical development of these emerging technologies is a collective responsibility for the whole of society, not just for those who are developing them," she added.

A number of initiatives have been launched around the world in an effort to make IoT devices more secure, including by the UK government, the European Union, and the US government.