The Security Ledger

Intel: New Approach Needed to Secure Connected Health Devices

In a new report, The Atlantic Foundation and Intel Security warns that risks accompany the rewards of connected medical devices.

In-brief: connected medical devices pose a number of risks to patients, including the threat of “targeted killings,” according to a report by Intel Security. The fix: better application design and more public-private sector cooperation.

Connected health devices are poised to revolutionize the way healthcare is provided and could dramatically reduce the cost of caring for the sick within the space of a generation. But these new devices also introduce new threats, including the possibility of “targeted killings” by way of implanted or wearable medical devices, according to a report from the firm Intel Security.

Connected health products will demand an increased focus from medical devices makers on information security. They also demand a new approach to the regulatory approval process by the federal government if the promise of connected health technologies is to be realized. That’s the conclusion of a new report out from Intel Security and The Atlantic Council. The report: The Healthcare Internet of Things: Rewards and Risks, which assesses the security risks of connected health technologies.

Click the image to link to the Intel and Atlantic Foundation report.

The report notes research from GE that estimates new technology could shave $63 billion from healthcare costs in just the next 15 years. Much of that would come from reduced costs for hospital equipment. But those savings come at a cost, according to the report’s authors. Specifically: the threat of “accidental failures” that erode patient (and public) trust. Patient privacy and the need to protect sensitive health data is another immediate concern, as recent compromises at Athena Health and, last week, Premera Blue Cross illustrate.

[Read more Security Ledger coverage of security issues affecting connected health devices. ]

Intentional disruption of entire classes of networked medical devices by motivated attackers like hacktivists, spies or terrorist groups is a concern for patients wearing connected health devices that are critical to their safety. The group also considers the threat of “targeted killings” by way of the disruption of- or malicious attacks on connected medical devices to be a possible – though remote – concern. However, threats like the sophisticated Stuxnet malware used to disable Iran’s uranium enrichment operation are proof that even super-sophisticated, low-probability attacks are possible, given a motivated attacker, the authors note.

The report identifies a number of risks that run throughout the medical device sector. Among them:

The report calls for a number of changes. At the top of the list: a move by medical device manufacturers to embrace “secure-by-design” principles for research and development. “Adding security features to products after their initial rollout is a losing battle. It is simply too costly and ineffective to try to secure systems already in the possession of the end user,” the report concludes.  In a report by the Food and Drug Administration (FDA) in October, the U.S. government also called for “secure by design” principles to be used in the creation of new, connected health products.

Closer cooperation with security experts, including the use of bug bounties to encourage researchers  to look at medical devices are recommended.

The report shies away from calling for stricter regulation of connected health devices. Rather, it calls for closer cooperation between regulators and private firms, and changes at the federal level that make it easier to get new, connected health products evaluated and approved by government regulators. Removing barriers to retiring legacy hardware and application software will likely lead to rapid improvement in the security features and capabilities of connected medical devices and other health products, the authors conclude.

Read more of Intel’s report here.

Spread the word!