This article was published in BLM's Healthcare Trends Emerging Risks update.
‘Medjacking’ is a term coined to describe the use of malicious software (“malware”) as a means to launch cyber attacks on healthcare systems. This is usually done by hackers placing malware on networked medical devices, giving them the ability to remotely control medical equipment.
A networked medical device is a medical device that has the capability of connecting to the internet. Such devices are generally separated into four groups:
- Consumer health monitoring (e.g., FitBit – using Bluetooth with nearby personal mobile devices)
- Wearable (e.g., portable insulin pumps – using proprietary wireless protocols to communicate)
- Embedded (e.g., pacemakers – implanted into the patient but communicate wirelessly)
- Stationary (e.g., chemotherapy dispensing stations – using Wi-Fi to connect to hospital networks).
Medical devices may be vulnerable to attacks on the security systems installed by their manufacturers. Some manufacturers, especially those with low budgets for cybersecurity, turn to open source code and libraries for security solutions. Their products may therefore be using older, more exploitable code with known vulnerabilities. Where security systems are managed solely by the manufacturer’s external technicians, healthcare providers are totally dependent on manufacturers to maintain security.
Cyber attacks on healthcare providers
Medical devices have emerged as a new target for cyber attacks. In a report published in June 2015, one cyber defence company reported a case at an unnamed hospital where hackers were able to plant malware in surgical blood gas analysers. The hackers then used the equipment as a back door to find passwords throughout the hospital’s IT systems and leak sensitive information. One hospital’s picture archive and communications system (which stores images from CT scanners, MRI scanners, X-ray machines and ultrasound equipment) was reportedly used by hackers to access other parts of a hospital’s network. Another case involved hackers creating a backdoor access point through a hospital’s X-ray system.
The information that healthcare providers hold is more valuable than payment card information held by retailers. Credit card information has a relatively short shelf life. Cards can be cancelled with relative ease and new cards are issued on a regular basis. Health organisations often have complete profiles of people including national insurance numbers and medical health information that is impossible to change in light of a data breach. Health data attacks give hackers the information they need to commit identity fraud and organisations are vulnerable if their security systems are not sufficiently robust.
The increase in use of healthcare apps
The healthcare industry is now using ‘apps’ in the same way as the fitness industry, to track patient health and assist with treatment compliance. For example, 2013 saw the development of the eICU remote health monitoring programme at Guy’s and St Thomas’ hospital whereby clinicians could remotely monitor vital signs such as heart rate or blood pressure.
This year has seen the launch of Apple’s ‘iWatch’ which is able to monitor heart rate, blood glucose, sweat and sleep patterns. Various other smart watches and fitness bands offer a variety of options for capturing an individual’s key health data. McKinsey Consulting predict that up to 75% of the global population will be expected to use devices like this at some point in the future.
We are now moving into an era of ‘implantables’. Google’s smart contact lens has the potential to monitor a person’s glucose levels or other vital signs. Drug companies are working on implantable smart pills which work with Bluetooth to inform doctors and family members if a patient has taken his or her medicine.
The progression from remote health monitoring to health apps will see patients monitoring and assessing their own health issues and managing their own prescriptions, relying on applications to prompt them to take clinical action and to make diagnoses, without any personal clinical review or medical examination.
A new generation of bionics which can connect wirelessly with the nervous system and enable ‘feeling’ sensations is now available to patients in the UK. These devices are implanted directly into the nerve to process and transmit signals wirelessly to an external device.
In February 2015, three men in Austria became the first in the world to be fitted with mind-controlled robotic bionic hands that are based on a new technique known as "bionic reconstruction". Developed by researchers from the Universities of Vienna and Göttingen, bionic reconstruction is a technique that combines selective nerve and muscle transfers, elective amputation and an advanced robotic prosthesis.
A £1.4m UK research project led by Newcastle University aims to develop novel electronic devices that connect to the forearm neural networks to allow two-way communications with the brain. This could allow the hand to communicate directly with the brain, sending back real-time information about temperature, pressure and shear force. A £5.3 million award from the Engineering and Physical Sciences Research Council will also be used to develop smart trousers, to help disabled and older people walk, and biosensors to monitor how patients use equipment or exercise during rehabilitation.
The bionic pancreas is a connected collection of devices, consisting of a Dexcom continuous glucose monitor (CGM), an iPhone with a specialized app, and two Bluetooth-connected automated pumps (one with insulin and the other with a hormone called glucagon). It monitors glucose levels, and automatically regulates those levels using infusions of either insulin or glucagon into the bloodstream based on the participant’s sugar levels as reported by the CGM, which communicates via radio frequency with a sensor injected under the patient’s skin.
Where the data sent through such devices is not encrypted, there is greater potential for a hacker to intercept or even modify that data. The former poses a security risk, the latter a threat to human health.
Technology can provide many answers to the challenges faced by healthcare providers. It can provide new and effective treatments, where patients can be treated away from hospitals and surgeries, can reduce the scope for human error and can result in cost savings. However, the increasing use of technology means that more and more data is being held by healthcare providers and the high value of that data means that they have become increasingly attractive targets for hackers. The focus of technological development therefore needs to be as much on the security of the data obtained as on the effectiveness of the devices themselves. Whilst there have not been any reported UK data breaches involving cyber attacks against healthcare providers so far, healthcare providers should be prepared!
Lisa Dalgleish, Solicitor, BLM