The Internet of Things (IoT) is conquering the world of medical technology. According to a study by P&S Market Research, the IoT market in the healthcare sector will grow to be worth USD 267.6 billion by 2023. Underlying this growth, according to the market researchers, are demographic change and the associated increase in geriatric and chronic diseases such as diabetes, asthma and other lung diseases, and rheumatic problems. High-tech medicine is responding with technological innovations. With revenue in excess of EUR 29 billion, Germany was already a world leader among medical technology producers by 2016.
Innovations come in many forms: clothing with woven-in sensors will monitor the wearer’s health in the future. One example is the CardioSHIRT, which acts as a mobile ECG device: a six-channel ECG transmits cardiological data via Bluetooth to a smartphone or similar device. Other types of clothing are still in development, such as items that will monitor lung activity. At the centre of the latest medical technology developments is networking with smartphones and the cloud to enable remote medical monitoring. From pacemakers to insulin pumps – everything can be accessed via network connections.
And for hackers, it’s a field ripe for the picking. Attacks against these devices will deliver more than just data on health and the patients themselves: many components can not only be checked but also controlled remotely. This capability enables doctors, for example, to adjust electronic implants like pacemakers. But in extreme cases, these systems can also give attackers control over patients. Ransomware – in other words, software used to extort ransom payments – may take on a new dimension in the future: threats could soon take the form of “Pay now or we’ll switch you off”.
Of course, it isn’t quite that easy, since these devices can generally be accessed only from relatively close quarters. But it is conceivable that methods could still be found to turn these scenarios into reality, for example if the patient consults a doctor whose surgery computer has been hacked. At that point, the path to the pacemaker is a lot shorter, especially if the physician is in the process of resetting it. Malware could find its way into many IoT devices in medical practices and hospitals in this way.
As early as 2016, security problems affecting pacemakers and defibrillators were a cause of concern. A security loophole enabled hackers to install harmful software on mini-implants made by St. Jude (later Abbott), or to discharge their batteries. Although a software update fixed the problem, Frankfurter Allgemeine Zeitung estimated that about 450,000 pacemakers and 350,000 defibrillators were affected. According to Spiegel Online, former US Vice-President Dick Cheney had, as a security precaution, had the wireless capability of his pacemaker removed some years previously on the advice of his cardiologist.
In a separate article, we will discuss the technical background to attacks on medical IoT devices.