Connected medical devices creating cybersecurity risks
Security experts billed 2015 as the ‘year of the healthcare hack’, with increasing numbers of medical systems attacked by cyber criminals targeting valuable personal data. While cybersecurity is commonly associated with software attacks, the healthcare sector is finding that the hardware it’s employing to improve patient care is creating backdoors.
Neil Oliver, technical marketing manager of Accutronics, takes a look at the vital role hardware encoding plays in the battle to secure medical devices.
Across the medical sector the amount of digitally stored data is growing year-on-year, and while pharmaceutical companies, healthcare facilities and OEMs have to constantly work at keeping hackers out, a hacker only has to be successful once to cause serious damage. For instance, at the end of 2014, the number two US health insurer, Anthem Inc, disclosed a massive breach of its database containing nearly 80 million records.
Medical equipment has taken an evolutionary leap in recent years to take advantage of the developments of the digital age. With the rise of the IoT, medical devices are ‘connected’, and not just to the Internet. They are often connected right into a healthcare provider’s network, establishing a pathway to data that seems otherwise protected.
At 2015’s hacker conference DerbyCon, it was revealed that there had been 68,000 attempts at hacking critical medical devices, such as MRI scanners, over a six-month period. Fortunately, in this instance these were fake devices, ‘honeypots’ set up to lure in malicious hackers. This goes to show the importance of addressing cybersecurity flaws, particularly in devices that leave patients at risk of harm if compromised.
In the fight to close the backdoor, every measure must be taken to secure the hardware itself. A lack of hardware-based encryption is causing widespread concern about medical equipment and about the reliability of batteries used in such equipment.
Battery counterfeiting is a problem faced by the medical industry on a scale never before witnessed in the sector. The ready availability of grey market, untested copycat batteries, possibly using inferior components, means that many life-critical devices used in our hospitals and medical establishments may be unreliable or unsafe to use.
Accutronics has worked hard to tackle this problem, developing a new CMX series of smart batteries and chargers. The new range incorporates some innovative features, including SHA-1 hardware encryption.
SHA-1, which stands for secure hash algorithm, is a cryptographic hash function designed by the United States National Security Agency (NSA). The algorithm is flashed onto the smart battery's fuel gauge before being sealed in during production. At the same time, a software update is made on the host medical device. Upon insertion, the battery is challenged to complete a calculation within 100 ms. If its result matches the one computed by the host device, the battery is genuine; otherwise it is fake and can be rejected for non-life-critical applications.
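The challenge-response check described above can be sketched as follows. This is an added example, not Accutronics code: the article does not specify the calculation, so it assumes HMAC-SHA1 over a random challenge with a secret key provisioned in both the fuel gauge and the host, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import time

DEADLINE_S = 0.100  # the 100 ms response window stated in the article


class SimulatedBattery:
    """Hypothetical stand-in for the fuel gauge (assumes a provisioned secret key)."""

    def __init__(self, key, delay_s=0.0):
        self._key = key
        self._delay_s = delay_s  # models a slow or emulated responder

    def respond(self, challenge):
        time.sleep(self._delay_s)
        return hmac.new(self._key, challenge, hashlib.sha1).digest()


class ReplayingBattery:
    """Copycat pack that holds no key and returns one previously recorded answer."""

    def __init__(self, recorded_response):
        self._recorded = recorded_response

    def respond(self, challenge):
        return self._recorded


def authenticate(battery, host_key, deadline_s=DEADLINE_S):
    """Host-side check for one insertion; returns (accepted, reason)."""
    challenge = os.urandom(20)  # fresh per insertion, so a recorded answer is useless
    start = time.monotonic()
    response = battery.respond(challenge)
    elapsed = time.monotonic() - start
    expected = hmac.new(host_key, challenge, hashlib.sha1).digest()
    if elapsed > deadline_s:
        return False, "timeout"
    if not hmac.compare_digest(response, expected):  # constant-time comparison
        return False, "mismatch"
    return True, "genuine"


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key, not a real device secret
    print(authenticate(SimulatedBattery(key), key))
```

The random challenge is what defeats a pack that merely replays an observed answer, and the deadline rejects responders that cannot compute the result in time.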
It’s time to lock the gate behind us and shut cyber criminals out of medical devices by building cybersecurity and encryption into the equipment. Doing this means thinking of every part of the machine, even something as seemingly insignificant as the battery. Building encryption into the hardware itself will provide the first line of defence against those who would use medical devices to cause trouble, reducing the threat to life and reducing the potentially massive costs of leaving the backdoor unguarded.