Pacemakers and Fitbits seem to be the canaries in the mine as far as health-data collecting devices are concerned. The vulnerabilities these devices present are systemic and caused by a culture of cheaper, faster, and simpler. Devices, regardless of what their final MSRP may be, are all designed, developed, and eventually produced using the least expensive means available. This cost cutting allows for cheaper Fitbits but directly causes the security issues we see, as any and all corners are cut. It would be easy to think that a device like a pacemaker, which costs the consumer (and/or their insurance company) tens of thousands of dollars, is inherently safer. Unfortunately, its makers are still motivated more by profit than any other factor, a common theme in today’s increasingly capitalistic world.
Some devices are certainly more vulnerable than others. Factors that contribute to security weaknesses include additional or extra features, software, and how the devices communicate with external devices (e.g., Bluetooth, Wi-Fi, or a wired connection). When a device can send and receive signals wirelessly, it has a markedly higher risk of being vulnerable to attack. It boils down to a conflict that has plagued InfoSec professionals for as long as information security has existed: convenience versus security.
FDA To the Rescue (sort of)
The Food and Drug Administration (FDA) recently released voluntary guidelines to industry on post-market surveillance of medical devices to find security vulnerabilities (http://www.fda.gov/MedicalDevices/Safety/CDRHPostmarketSurveillance/default.htm). The FDA has chosen to focus its efforts on patient safety and security and, as such, considers vulnerabilities in medical devices that may cause a breach to be of low priority. While this is not necessarily good news for the healthcare organizations themselves, it is a very important step toward improving the safety of patients who rely on biomedical devices. The FDA’s new program seeks to implement a proactive, comprehensive risk management program specifically targeted at keeping customers of biomedical devices safe from serious risk. The FDA says it will have a consumer-level database in place at mdvis.nhisac.org; however, at the time of writing the site does not appear to be online yet.
What Can a Villain Do?
The potential ramifications of a successful hack on a biomedical device depend on the type of device, its functionality, and how it interacts with the patient and other systems. A device such as a Fitbit or other “activity tracker” collects data on its user’s physical activity (such as steps and heart rate); some of the more advanced devices monitor GPS locations, sleep patterns, and even other, more private physical activities. An attacker who gains access to this information can use it as a means of extortion, blackmailing the user with information they would prefer to keep private. Devices like pacemakers are a little bit of a different story. In most cases, external communication from these devices takes the form of “logs,” or data on how the device is performing and how the patient is doing. However, it is entirely possible that a determined attacker could cause an intentional malfunction of a device to injure, hospitalize, or potentially even cost the victim their life.
One of the biggest concerns with devices such as Fitbits and smartwatches, which are capable of collecting a lot of useful health-related data, is the data itself. As it stands, most data from these devices is kept private and only provided to the user. However, there have been attempts by insurance companies, employers, and healthcare providers to gain access to this data. It should be kept in mind that this information can be used by these same organizations to make coverage and treatment choices that are more likely to benefit the “bottom dollar” than the patient. Patients may be denied coverage or treatment because of this information.
Have I Been Hacked?
This is one of those “age old” questions that is very difficult to answer. The basic guideline is the same one the government and police often give: “see something, say something.” If you see something out of the ordinary, such as changes to settings, passwords, or configurations, or anything else that seems odd, it could be a sign that an attacker has compromised the device or accounts linked to it. If you suspect there is something fishy going on, speak to the provider or maker of the product and ask them to investigate your suspicions.
(Blog Post for Week 5 of CYBR650)