Researchers warn that a rising number of significant unpatched vulnerabilities and a lack of encryption leave medical device data exposed.
As medical service providers deal with the strain of a pandemic and rising costs, telehealth services are becoming more popular. However, the rush to implement remote healthcare has produced a plethora of wearable medical devices that capture sensitive data and are, according to researchers, broadly exposed to attack.
Last year, Kaspersky Labs researchers discovered 33 vulnerabilities in MQTT, the most widely used data transfer protocol for internet of things (IoT) medical devices, up from 10 the year before. The team warned that all of them put patient data at risk.
To put those figures in context, Kaspersky experts note that just 90 MQTT vulnerabilities have been identified since 2014. Worse, they added, many of those bugs are still unpatched.
“Overall, we projected 2021 to be a year of increased collaboration between the medical community and IT security experts,” the Kaspersky team stated. “Our hopes were exceeded in some ways, but the rapid rise of telehealth has created new obstacles for this relationship that have yet to be resolved.”
According to a new report from Fortune Business Insights, the overall medical device market (including healthcare wearables from Apple, FitBit, Samsung, and numerous other gadget-makers) will reach $195 billion by 2027, after experiencing exponential growth since the start of the pandemic.
“The epidemic has sparked a surge in the telehealth sector,” said Maria Namestnikova, head of Kaspersky’s Russian Global Research and Analysis Team (GReAT), “and this doesn’t just involve speaking with your doctor via video software.” “We’re talking about a wide spectrum of complicated, fast evolving technology and goods, such as specialised apps, wearable gadgets, implantable sensors, and cloud-based databases,” she added.
Man-in-the-Middle Troubles for Medical Equipment
MQTT’s ease of use makes it a popular choice for most IoT devices, including medical devices. However, as the Kaspersky researchers point out, MQTT devices are vulnerable to man-in-the-middle attacks and data theft because authentication isn’t required and encryption is minimal.
Beyond MQTT itself, Kaspersky discovered issues in Qualcomm Snapdragon Wearable, the most popular wearable device platform. The platform is rife with problems, according to the researchers, bringing the total number of vulnerabilities discovered in it to 400 since its inception in 2020, many of which are still unpatched.
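The two weaknesses the researchers name, unauthenticated access and traffic without TLS, are both broker configuration choices. The following audit script is an added example, not part of the Kaspersky report or any vendor's tooling; it parses a constructed Mosquitto-style configuration and flags listeners that accept anonymous clients, lack TLS key material, or have no client authentication configured (the option names are Mosquitto's; the authentication check is simplified and ignores auth plugins).

```python
"""Audit a Mosquitto-style broker config for the weaknesses the article describes."""

# Constructed sample configs (not from any real deployment).
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """\
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
require_certificate true
use_identity_as_username true
allow_anonymous false
"""


def parse_listeners(conf: str) -> list:
    """Split the config into one option dict per 'listener' line.
    Options that appear before the first listener are treated as global
    defaults inherited by every listener (an assumption of this example)."""
    global_opts, listeners = {}, []
    current = global_opts
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener":
            current = {"listener": value}
            listeners.append(current)
        else:
            current[key] = value
    for lst in listeners:
        for k, v in global_opts.items():
            lst.setdefault(k, v)
    return listeners


def audit(conf: str) -> list:
    """Return one finding string per weakness, empty list if none found."""
    findings = []
    for lst in parse_listeners(conf):
        port = lst["listener"].split()[0]
        if lst.get("allow_anonymous", "false") == "true":
            findings.append(f"listener {port}: anonymous clients accepted")
        if "certfile" not in lst or "keyfile" not in lst:
            findings.append(f"listener {port}: no TLS (certfile/keyfile missing)")
        if "password_file" not in lst and lst.get("use_identity_as_username") != "true":
            findings.append(f"listener {port}: no client authentication configured")
    return findings
```

Running `audit(WEAK_CONF)` reports all three problems on port 1883, while the hardened listener on 8883 (TLS with client certificates whose identity becomes the username) produces no findings.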
This creates a huge, vulnerable attack surface in the healthcare industry, and attacks are becoming more frequent, bold, and damaging.
It is up to hospitals and medical service providers to design secure telehealth networks. Last summer, Prevailion’s CTO, Nate Warfield, authored an article for Threatpost. He urged the corporate sector to help shore up vital healthcare infrastructure, and praised organisations like the CTI League and the COVID-19 Cyber Threat Coalition, which were founded at the start of the pandemic to share threat intelligence in the face of a rising threat of attack.
“Even when the epidemic is finished, cyber-threats to healthcare will continue,” Warfield said. “Hospitals must be more proactive in defending themselves against these threats… They should likewise enhance their cybersecurity spending.”
“Advanced defensive tools should be more accessible to the healthcare sector,” he continued, “information exchange among enterprises should be promoted, and collaboration across all sectors to assist defend these life-saving industries should be the rule, not the exception.”
The basic security measures of using strong passwords and providing adequate user security training were advocated by Kaspersky, but the researchers emphasised that application developers need to do more.
“Application developers must understand that application vulnerabilities and a general lack of security can allow cybercriminals to gain access to personal conversations between doctors and patients, user databases, payment details, and other highly sensitive information,” according to the Kaspersky telehealth report.