IoT Device Security Flaws Stalk Medical Providers, Blunt Innovation

At last count, there were roughly 40 billion connected devices in service globally. They do everything from responding to voice commands on kitchen countertops, to alerting consumers to who is at their front door before the visitor knocks, to tracking steps and vital signs, and even powering medical devices like pacemakers and portable heart monitors. These IoT devices, and others, play a key role in connecting consumers with vital information and services, enabling commerce and new service delivery models.

Unfortunately, these devices are a challenge to secure, and hackers have taken note.

In fact, Natali Tshuva, founder and CEO of IoT cybersecurity firm Sternum, said that 25 percent of all attacks on businesses involve exploiting the vulnerabilities inherent in many of the connected devices. As Tshuva told PYMNTS CEO Karen Webster in a recent interview, the issue is made more urgent in the medical device segment. Here the connected devices aren’t just adding value to lives; they’re saving them. Tshuva even goes so far as to say that hacking concerns due to security flaws have held innovation back.

“There’s definitely the threat of cybersecurity being a barrier,” Tshuva said. “For me innovation and new technologies that are based on connectivity and cloud-based solutions have been held back by a privacy concern, especially with remote care devices. Between not moving forward with development, to actually solving the problem is the gap where security solutions are needed.”

Security Before Connectivity

Tshuva used the example of insulin pumps. There are insulin pumps on the market that can connect the collected data to mobile apps, but device makers have disabled that connection over fears of hackers. For example, she is aware of patients hacking into their insulin pumps to connect them to their mobile or laptop just to get access to their own data. The logical path is to put that information in the cloud so that patients could be directed on when to take a dose or maybe develop habits that lead to better diabetes care. That can’t happen, Tshuva said, until the data and the devices are secured.

It’s a situation that is acute, particularly in the wake of COVID-19 and the need for reliable, secure remote patient monitoring devices.

Take, for example, remote patient monitoring, she explained. There are any number of IoT devices that doctors and nurses use on a minute-to-minute basis to collect and monitor information on heart rate, blood pressure, body temperature, oxygen levels and more. When those devices collect patient data, it’s sent to a software application that analyzes it. For example, an IoT sensor that detects a low heart rate may generate an alert to medical personnel about a potentially life-threatening condition.

Money Makers

While hackers gaining access to patients’ medical devices such as pacemakers, insulin pumps and dialysis machines is unnerving enough, Tshuva said that often, hackers are looking more to the financial benefits of their hack rather than simply wreaking havoc with someone’s health. According to Health IT Security, 79 percent of all data breaches reported in 2020 occurred in health systems.

First, once hackers break into an IoT device, they can gain access to personal data that can be sold on the dark web for a significant amount of money. Second, hackers can execute ransomware attacks in which they lock down patient data until a fee is paid by either an individual or a company — especially if they can hop on a company’s network through an IoT device. And third, she pointed to a case in which a vulnerability was found in pacemakers deployed by St. Jude’s Medical a few years ago, and news of the issue drove the company’s stock price down, allowing bad actors to purchase shares at a bargain.

While data is at the heart of many of the attacks Sternum works to prevent, the company also counts data as a key benefit it brings to the companies it works with. Tshuva said that in addition to protecting IoT devices, Sternum’s solutions also gather data and provide it to the companies that deploy them. Such data can inform solutions based on machine learning and artificial intelligence (AI), as well as informational business solutions and innovation.

“This data is crucial,” she said. “And therefore by implementing controls that not only give you an overview of asset management and where your devices are, but actually in-depth, intimate eyes into the operation of all the aspects of your device, you can get the unique data needed to build solutions and make decisions that are based on data.”

The Need For Standards

Tshuva said such protections have been slow to roll out for a variety of reasons. First is that IoT devices are low on resources, meaning that they don’t have the deep and wide computing power of laptops or enterprise networks. They also don’t run on traditional operating systems like Linux or Windows. As a result, there are no existing antivirus or anti-malware solutions to protect them, as there are in the traditional IT space.

“So then you find yourself in a situation where you have millions of devices already deployed, and then there is a huge security issue,” Tshuva said. “And only then you’re starting to think, ‘how am I going to maintain the security needs of those connected devices?’ It’s kind of how the market behaves.”

And there’s also the issue of standards to secure data on the devices. It, too, is holding innovation back. In October 2020, the FDA published a paper and requested feedback on the cybersecurity of medical devices, but that was its last official word on the topic, on which Tshuva expects more direction. She noted that some manufacturers have started to publish some guidelines, but the latitude for compliance, in her opinion, is too wide.

Sternum has developed algorithms that provide what the company calls an “Exploitation Fingerprint” that identifies and stops hackers based on the vulnerability they are trying to exploit. The technology can be baked into new IoT devices and deployed in such a way that even older IoT devices can gain protection — without the manufacturer having to rewrite any code. Sternum said it could eliminate the need for device and software manufacturers to issue endless patches, which are often deployed after an exploitation has been executed and damage of some sort has been done.

As more companies begin to secure their devices using active security rather than retroactive patching, the entire IoT platform will become even more powerful than it already is. For example, she said that with proper security measures in place, physicians will adjust their patients’ pacemakers while the doctor sits in her office and the patient in his home.

“There has to be active cybersecurity on each and every IoT device,” she concluded. “And we see this as raising the bar for cybersecurity of connected devices across the board — especially in mission-critical deployments in railways, power grids and in our smart cities. It has to be active security that operates from within the device to keep us safe in real time. So definitely one of our goals is to set the bar higher and to drive the standards.”

Sternum will use its recent $6.5 million in Series A funding to address those security issues, especially in the medical device field in which it specializes.