Poor cybersecurity in Internet of Things (IoT) medical devices potentially poses risks to both the wellbeing of patients as well as to the infrastructure that keeps hospitals running.
The Royal Academy of Engineering worked alongside the Petras Internet of Things research hub to produce a report on IoT, cyber-safety, and reliance—and the message is that more work needs to be done to improve the security of connected systems.
While noting that connected and implanted medical devices—including cardiac pacemakers, drug administration devices, and monitoring devices, as well as infusion pumps, defibrillators, glucometers, and blood pressure measurement devices—can help patient care, the Cyber safety and resilience report also highlights the connectivity inherent in these devices also bring risks.
Cyberattacks on connected devices could therefore result in “severe consequences on patient safety”, which could even result in injury or worse.
The risk of cyberattacks against hospitals and the disruption which can be caused to medical systems and devices by cybercriminals was demonstrated by last year’s WannaCry ransomware attack, which took some hospital IT systems down for weeks.
However, it isn’t just malicious attacks and hacking of connected devices which could risk patient safety: Events such as natural disasters or failure of components or even critical infrastructure could result in damage being done.
The Royal Academy of Engineering notes there’s “no silver bullet for improving cybersecurity and resilience” but warns that the issue requires the government, industry, system operators, and the engineering profession to come together and cooperate in order to boost IoT security.
Products must be built to be as resilient to attacks as possible, or in the case that they do end up offline, they must be able to be restored as quickly as possible, the report warns.
In order to improve the cybersecurity of IoT devices, the Royal Academy of Engineering has followed a government recommendation that the products must be built to be ‘secure by default’ and recommends a number of measures to ensure this is the case.
They include mandatory risk management procedures for critical infrastructure which set out guiding principles for cyber-risk management during design, operation, and maintenance, along with policies for increased transparency in supply chains to improve the level of cybersecurity in products and services.
Other recommended measures include the UK government working with other governments, international institutions, and IoT product manufacturers in order to create umbrella agreements that set out global specifics for integrity and security of IoT devices.
It’s also noted that this should be done alongside ethical frameworks in order to ensue IoT devices are built with the minimal risk to society.
