The prevalence of new medical devices and wearables connected via the internet of things (IoT) means ease of tracking data about vital signs and other measurable health-related information. Yet these devices, linked via assorted networks, are rife with vulnerabilities, featuring personally identifiable healthcare and financial data that can be used for nefarious purposes.

As such, hacking healthcare devices and equipment has become a real concern as new smart devices and equipment emerge on an almost daily basis, particularly in response to the COVID-19 pandemic. This article will explore how such devices come to serve as gateways for hackers, the various devices vulnerable to hacking and the typically nefarious reasons for doing so.

The what

Medical equipment and wearable technologies are commonly targeted by hackers. Although researchers have determined that the enticement for hacking such devices might include a desire to injure the patient associated with the device, the true motivation — mostly — is undeniably a financial one.

Fitness trackers, insulin pumps, pacemakers and other drug infusion pumps are just a few examples of the devices that hackers have previously demonstrated can be hacked.

For instance, researchers from the University of Edinburgh in Scotland have discovered that fitness trackers — devices that capture personal details such as steps taken, calories burned and heart rate — and the personal information they record may be vulnerable to hacking.

The personal data, according to the researchers, could be shared with third parties, such as marketing agencies and online retailers, or used to manufacture false health records, netting hackers cheaper insurance coverage, for example.

Studying two Fitbit models popular with consumers, the Edinburgh researchers managed to intercept the data messages exchanged between the Fitbit and the data analysis hub (a cloud server). The researchers were also able to bypass the end-to-end data encryption system, giving them access to the stored data.

Similarly, medical implants, such as pacemakers and drug infusion pumps, also have vulnerabilities. Such devices are typically connected to an ecosystem of devices, any component of which is vulnerable to attack. Although white hat hackers — ethical computer hackers or computer security experts engaged in testing that ensures the security of an organization's information systems — have demonstrated that it is possible to hack a medical device with the intention of causing a patient physical harm, or even death, such attacks are unlikely. Ultimately, what is at stake is the personal data attached to such devices, such as medical records, prescriptions and test results, which are often stored in a healthcare network's cloud.

The why

Healthcare devices and data captured by those devices are attractive to hackers with malicious intentions mostly because of what that captured data reveals about a target. For instance, wearable devices used to measure vital signs may also reveal the whereabouts of the wearer — which is particularly concerning when the wearer is located at a top-secret area such as a military base, or when the wearer is away from his or her home, leaving it and everything inside vulnerable to burglary.

Medical devices could also be held for ransom, with a hacker threatening to possibly disable a device like a pacemaker if some other financial action isn’t carried out by the pacemaker’s owner or his or her loved ones. Similar extortion opportunities might exist for hackers who have accessed sensitive healthcare data via these connected devices: unless they are remunerated, they threaten to expose that a patient is suffering from a disease or illness that the patient wants to keep confidential.

Also making healthcare data so attractive to hackers, according to a 2019 Trustwave Report, is that healthcare data can go for as much as $250 per record on the black market — significantly more than other records sold on the black market.

The how

The ways in which such devices can be hacked are seemingly endless: hackers send a wireless signal that instructs an insulin pump to deliver lethal doses of insulin; hackers access a device via a so-called back door, which is oftentimes left by design or is the result of the components used by the manufacturer; hackers take advantage of software vulnerabilities; the list goes on.

As such, experts suggest that there are steps consumers can take to help make it difficult for hackers to hack, so to speak.

At the top of that list is registering a device with its manufacturer so that important information can be quickly disseminated, patches to equipment can be made and regular software updates issued. Likewise, devices monitored via smartphones and other similar technology should be secured with stronger passwords and biometric scanning, for instance.

For more on this and other healthcare engineering topics, check back with Engineering360.

To contact the author of this article, email mdonlon@globalspec.com