Security

How to Protect Personal Information with Medical Devices

Medical Devices May Allow a Backdoor for Attackers

Overview

Do you have a pacemaker? Have you had an MRI? Do you use a blood glucose meter that connects to your smartphone? If so, it is important to consider the security implications of using these devices in today’s increasingly technology-connected world. It seems that just about every appliance we own these days has a tiny little computer with an Internet connection inside of it, from our toasters to our washing machines. These technologies allow us major conveniences such as adjusting the thermostat at home while on vacation or starting the car remotely so that it can warm up on a cold day. These same types of technologies are being used to help doctors and other healthcare professionals treat patients more effectively. Sometimes this is done when the devices, such as internal defibrillators, send important information wirelessly to the doctor. Other times the special equipment, such as an MRI, CT, or ultrasound, allows the doctor to see the inside of the patient without needing to resort to surgical procedures. The doctor can then see this imaging linked directly to the patient’s chart.

You might be wondering how this type of attack can take place. Many of these smart devices reside on what is called the Internet of Things, or IoT. Among all of its benefits, the IoT has one glaring weakness: security. IoT devices are created to be an inexpensive, yet integral, part of our lives, but they are often not continuously patched for security vulnerabilities. This leaves them wide open to become victims of attacks like Trojans or ransomware. Additionally, many healthcare organizations still use outdated computer operating systems or may not update them in a timely manner (2). The use of operating systems, like Windows XP, that are no longer actively supported by their parent companies leaves the door wide open for attacks.

Why Does It Matter?

These types of devices can pose security risks in a variety of ways. Most often, the attackers that exploit these devices do not do any direct harm to patients, although the potential has been shown to exist in a theoretical setting (1). Instead, they use these devices to essentially hack into the internal network of the healthcare system. From there, they are able to access personal health information (PHI). This PHI is what identifies us as patients and typically includes sensitive information such as name, birthdate, address, phone number, insurance information, and medical conditions. Attackers will steal that information and sell it to other criminals or hold it for ransom to get money.

What Should I Do to Protect My Medical Devices?

So, what does this mean for you? If you own or wear a medical device that requires the use of a username and password, be sure to keep that information secure. This means not sharing it with others, routinely changing the password, and taking care to use a very strong password to protect your information. Strong passwords are those that have at least eight characters, a mix of uppercase and lowercase letters, and a number or symbol. Also, the FDA provides regulatory oversight for these devices (3). Writing to your Congresspeople to support laws that set specific security requirements for device manufacturers will also help to regulate this industry and keep everyone safe.