In the 21st century, technology is everywhere. Connecting your watch or your toothbrush is becoming part of daily life. Put all these connected objects together and you have the Internet of Things. But despite the revolutionary aspect of the thing, people are starting to worry about their privacy. Still, security is much more than privacy. Between confidentiality, integrity and data manipulation, we can wonder: what are the real issues of IoT?
Nowadays, more and more everyday objects ship with wireless technology built in: checking your heart rate with your smartphone is as easy as ABC, you can read the morning toothbrush report about your temperature, or even have your fridge buy some bacon when it detects that you will be short of it for breakfast. Sounds convenient and amazing? Of course, but let's talk about security. The awareness of how easily data is accessible on the Internet has recently reached the general public. For several years, many attacks have been carried out against big companies, which saw their databases leaked in the wild. Thus, when speaking about the security of IoT, the keyword remains confidentiality.
The aim of most connected objects is to send and receive data, but some others are designed to remotely manipulate data and are potentially hackable to cause much more damage. So the question is: what about objects that have a direct effect on users' health?
Recently, researchers have demonstrated how to take control of a pacemaker and an insulin pump to show how dangerous these attacks could be. Most of the time, these little devices are connected over Bluetooth or WiFi. The same goes for hospital medical devices, which are more and more often equipped with wireless technologies.
For years, medical devices have been linked to the network by wire in order to centralize data. But for several years now, wireless objects have been in fashion and new companies offering this kind of service have come to light. Thus, certain data can be sent to web or mobile applications for the purpose of optimizing the employee's daily work. In that way, the information can be consulted anytime, anywhere. Focusing on the mobility of clinicians' tools, this new feature allows a great reduction in time: the healthcare professional assigned to a patient has the possibility to modify the patient's posology when warned by the monitoring device, without needing to be near the room. Furthermore, sharing of the patient's information is ensured by the mobile application, which makes follow-up easier, in particular when the patient is transferred to another department.
Thanks to this technological revolution, lots of physical or procedural issues in the medical environment are now resolved. But there is a catch. When a device is connected, its attack surface increases. Several attack vector levels exist, depending on whether they affect the patient directly or not:
| Category | Examples | Impact |
|---|---|---|
| Active medical devices | Medicine and biomaterial; surgery and procedures | Interact directly with the patient |
| Passive medical devices | Devices that bring information or a diagnosis | Do not directly affect the patient's health, but can be used as an attack vector on the information system |
There are devices which are only physically accessible, but there are others that can be managed remotely. Using the right keywords on search engines such as Shodan, you can find plenty of medical device IP addresses. From there, accessing their web interface is as easy as ABC, and we can imagine an attacker remotely taking control of a potentially vital device. For instance, by accessing a medicine dispenser, the attacker can modify the patient's posology and make the device inject a lethal dose of medicine into the patient, without being physically in front of the device. It's the same story for monitoring devices, which can be compromised to display wrong information to mislead a clinician and endanger the patient.
The main problem with healthcare connected devices is that they are not secured. Whether out of fashion or technological advancement, manufacturers try to modernize their products and make them more user-friendly for the consumer by making them accessible remotely. Yet the right focus must be set on security aspects, especially in the medical domain.