The internet of vulnerable things
11 April 2016
Rob Phillips explains how medical cyber crime is on the rise, with thousands of critical medical devices being tracked online and hacked directly.
Every year in Louisville, Kentucky, hackers and security experts gather for DerbyCon. While a get-together of hackers may sound troubling on its own, what’s truly disturbing is what came out of last year’s conference. Medical cyber crime is on the rise, and there are thousands of critical medical devices which can currently be located online and hacked directly.
This is alarming for two reasons. First, these accessible and vulnerable medical devices are often of a critical nature, such as MRI scanners and defibrillators. Second, the number of vulnerable systems revealed at DerbyCon totalled around 68,000. As terrifying as that sounds, it’s apparently just a drop in the ocean because this figure isn’t a national or even a global figure. This was in just one healthcare organisation.
Hackers were able to locate these systems through an Internet of Things (IoT) search engine known as Shodan. It was here that security researchers created two “honey pots” – software designed to mimic critical medical devices – which were hacked into 55,416 times in the space of six months.
The rate of cyber attacks on medical devices is already high and the figures are only going to increase. As the medical technology (medtech) industry embraces IoT and increases the uptake of portable and wearable medical devices, more opportunities for cyber crime will present themselves.
With heightened attention and pressure on the medtech industry to exercise better cyber security, it’s important that the hardware itself doesn’t get forgotten. While reducing hacker accessibility to devices will help prevent unexpected and ultimately dangerous failures, there are other ways that medtech can be compromised.
Counterfeit components, for example, can lead to inconsistent and unreliable performance compared to genuine products. In the case of a portable defibrillator, for instance, a fake component that doesn’t meet regulatory standards could pose a serious risk to life.
The humble battery is one such component that is especially vulnerable to counterfeiting. Batteries used in medical devices have to meet such a high standard of regulation that using a cheap copycat can cause serious problems. Professional battery manufacturers design to meet regulation in order to assure quality and reliability, counterfeit manufacturers will not go to such lengths. Fakes may be visual replicas of professional batteries but things like circuitry will be completely different, without appropriate measures taken to protect against problems such as battery swelling or combustion.
Lithium-Ion (Li-Ion) batteries are commonly used both commercially and professionally due to their high energy density. However, as the cells of these batteries become volatile over time, manufacturing requirements vary market to market. For professional applications, protection circuits must be used to safeguard against over-charging, over-discharging and over-current.
To fight the fakes, Accutronics works closely with OEMs during initial design and manufacturing stages. By building advanced computer cryptography known as algorithmic security into the battery, the medical device is able to recognise the difference between a legitimate battery and a counterfeit. It works by assigning each battery a randomly generated 20 digit authorisation key that is permanently contained on an integrated circuit. The key corresponds to the host medical device and, when the battery is connected, the two perform a set calculation within 100ms.
A medtech OEM can then program the device to either present a pop-up alert when a counterfeit is detected, or to power down entirely.
While the figures may not be quite as staggering as medical cyber attacks, estimates by research organisation IHS show that over ten percent of all global supply chain electronics are counterfeits. As with cyber crime, this percentage is likely to increase as we venture deeper into the web of connectedness that is IoT. The more devices active in a network naturally means an increased likelihood of counterfeit components.
The future of medtech is reliant on bolstered security measures across both software and hardware to ensure that the two sides of the coin can work together harmoniously without risk. Security means more than just protecting your device from external saboteur; it is a promise of performance and reliability for your most vital asset - your patients.
Rob Phillips is sales and marketing director of Accutronics.
Contact Details and Archive...