Internet of things (IOT) devices generating, storing or processing medical records could be exploited, and each record could be worth up to $250 per patient.
The $250-per-IOT-medical-record figure comes from John Halamka, chief information officer (CIO) of the Beth Israel Deaconess Medical Center and chairman of the New England Healthcare Exchange Network, as he was being interviewed for IT World in the wake of the 4.5 million patient record privacy breach at Community Health Systems by hackers in China.
“If I am one of the 50 million Americans who are uninsured … and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details,” he said. As long as personal details like age, weight and height are approximately correct, a person could use the stolen data (and a standard fake ID) to convince a hospital they are insured and receive treatment, Halamka continued. (“Why would Chinese hackers want hospital patient data?” by Martyn Williams, August 18, 2014 – IDG News Service)
At 2014’s DEFCON security convention healthcare security researcher Shawn Merdinger demonstrated how medical devices could expose personal health information to hackers. The types of devices he looked at included anesthesia carts, lab systems, refrigeration storage, PACS (imaging/radiology), MRI/CT, cardiac defibrillators, infusion pumps, nuclear medicine systems, fetal monitors and integration points with monitoring systems – all with their own issues. In one example, he located more than a thousand of these devices connected and listening after probing just one exposed workstation plugged into a hospital group’s wide-open network. (“Just What the Doctor Ordered?” by Scott Erven and Shawn Merdinger, August 8, 2014 – DEFCON 22)
At 2014’s DEFCON security convention healthcare security researchers Scott Erven and Shawn Merdinger lauded Philips Healthcare’s new “Responsible Disclosure” policy initiative as a model of cooperation for the Internet of Things (IOT) security research community. (“Just What the Doctor Ordered?” by Scott Erven and Shawn Merdinger, August 8, 2014 – DEFCON 22)
A draft of the new Philips Healthcare policy plan read as follows and can be adapted by other IOT device manufacturers and start-ups. (All IOT device makers should draft a vulnerability reporting policy as a matter of best practice; the same practice is already quite common in the software industry.)
“Philips Healthcare and Responsible Disclosure Positioning”
(from Philips Healthcare “Product Security and Services Office” – August 2014 – original)
Philips Healthcare recognizes the need for a clear Responsible Disclosure Policy and protocols as part of its Product Security function.
The company is developing a Responsible Disclosure Policy according to current industry best
- The policy will be publicly accessible, with clear communications channels for customers, researchers and other security community stakeholders.
- The policy will be based on principles of transparency, accountability and responsiveness.
- The policy will outline defined protocols for reporting and response, managed by the Philips Product Security Team.
The policy protocols will encompass:
- Monitoring and response of inbound communications
- Managing confirmation receipt and follow-up communication with senders
- Evaluation of vulnerability notifications and status tracking
- Alignment with incident response, stakeholder notification, remediation and prevention protocols as required
Philips has actively sought out researcher and analyst input to help guide policy design and
- The company has increasingly engaged with the security research community over the past year.
- Philips is committed to ongoing dialogue with the security community and to productive partnerships.
Philips Healthcare Product Security Policy Statement
In August 2011 Philips issued another positive security statement about medical IOT devices. Their “Product Security Policy Statement” was more of a whitepaper than a policy statement, but it is also a good example of how responsible IOT device makers can use security to market and sell their products (rather than just treating it as a burden). Some key excerpts from this document are listed below.
- At the medical device industry level, Philips works on the HIMSS Medical Device Security Workgroup…
- In light of the increased focus on medical device security and compliance…(we support) a standard “Manufacturer Disclosure Statement for Medical Device Security” (MDS2)
- Any connection of a device to a hospital network should be done with appropriate risk management for safety, effectiveness, and data and systems security
- The Philips Product Security Policy requires Security Designed In objectives as part of all new product creation efforts.