IoT security warning: Cyber-attacks on medical devices could put patients at risk

More collaboration is needed in order to ensure internet-connected medical devices can't cause harm to patients, says research.
Written by Danny Palmer, Senior Writer

Poor cybersecurity in Internet of Things (IoT) medical devices potentially poses risks to both the wellbeing of patients and the infrastructure that keeps hospitals running.

The Royal Academy of Engineering worked alongside the Petras Internet of Things research hub to produce a report on IoT, cyber-safety, and reliance -- and the message is that more work needs to be done to improve the security of connected systems.

While noting that connected and implanted medical devices -- including cardiac pacemakers, drug administration devices, and monitoring devices, as well as infusion pumps, defibrillators, glucometers, and blood pressure measurement devices -- can help patient care, the Cyber safety and resilience report also highlights that the connectivity inherent in these devices brings risks.

Cyber-attacks on connected devices could therefore result in "severe consequences on patient safety", which could even result in injury or worse.

The risk of cyber-attacks against hospitals and the disruption which can be caused to medical systems and devices by cybercriminals was demonstrated by last year's WannaCry ransomware attack, which took some hospital IT systems down for weeks.

However, it isn't just malicious attacks and hacking of connected devices which could risk patient safety: events such as natural disasters or failure of components or even critical infrastructure could result in damage being done.

The Royal Academy of Engineering notes there's "no silver bullet for improving cybersecurity and resilience" but warns that the issue requires the government, industry, system operators and the engineering profession to come together and cooperate in order to boost IoT security.

Products must be built to be as resilient to attacks as possible, or in the case that they do end up offline, they must be able to be restored as quickly as possible, the report warns.

In order to improve the cybersecurity of IoT devices, the Royal Academy of Engineering has followed a government recommendation that the products must be built to be 'secure by default' and recommends a number of measures to ensure this is the case.

They include mandatory risk management procedures for critical infrastructure which set out guiding principles for cyber-risk management during design, operation, and maintenance, along with policies for increased transparency in supply chains to improve the level of cybersecurity in products and services.

Other recommended measures include the UK government working with other governments, international institutions, and IoT product manufacturers in order to create umbrella agreements that set out global specifics for integrity and security of IoT devices.

It's also noted that this should be done alongside ethical frameworks in order to ensure IoT devices are built with the minimal risk to society.

"The reports we are publishing today identify some of the measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure on which much of our society now depends," said Professor Nick Jennings, lead author of the report.

"We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly."

In addition to recommendations about building security into connected devices, the Royal Academy of Engineering also suggests that the government must invest in helping the wider public to understand the complexities of IoT devices.

"It is vital that we improve the level of technical and data literacy and skills to enable the public to become involved in reinforcing security in data and the Internet of Things," said Professor Rachel Cooper, adoption and acceptability theme lead at the Petras IoT Research Hub.

"Ethical development of these emerging technologies is a collective responsibility for the whole of society, not just for those who are developing them," she added.

A number of initiatives have been launched around the world in an effort to make IoT devices more secure, including by the UK government, the European Union, and the US government.
