Internet-of-Things Medical Devices Increasingly Vulnerable to Hacking


September 9, 2020

The production and use of Internet-of-Things (IoT) medical devices have rapidly expanded over the past few years. These IoT medical devices, which include hardware and sensors that gather, store, and transmit healthcare data and confidential patient information over the Internet, have also become increasingly attractive to cybercriminals.

In an article published on SecurityIntelligence.com, IBM’s X-Force Red hacking team reported that the EHS8 module manufactured by the French company Thales is among the most vulnerable of “mini circuit boards” that enable mobile communication in IoT devices running Java code. By taking advantage of the flaws in the EHS8 module, hackers could easily attack and compromise billions of devices, including those for industrial, commercial, and medical uses.

The report focused on the Thales Cinterion EHS8 M2M modules for industrial IoT machines that operate in factories, in the energy sector, and in medical devices designed to create secure communication channels over 3G and 4G networks. Several reports indicated that Thales has been working with IBM since it discovered the vulnerability in September 2019. The company has released a security “patch” for the affected devices, including Thales’ BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62 modules.

According to CI Security, six kinds of medical devices are at special and increasing risk:

  • Infusion and insulin pumps. Health professionals could lose control of infusions as a result of hacks.
  • Smart pens. Smart pens could be used as entry points to patient data.
  • Implantable cardiac devices. Hackers could shut down pacemakers.
  • Wireless vitals monitors. Data on heart rate and blood glucose levels could be altered.
  • Thermometers and temperature sensors. Hacking could alter refrigeration and air filter systems.
  • Security cameras. Cameras could be used to compromise patient data.

Although medical device cybersecurity is a major concern of the Food and Drug Administration (FDA), the onus remains on manufacturers. In a November 2019 posting on the FDA’s website, titled “Balancing Patient Engagement and Awareness with Medical Device Cybersecurity,” the agency reported that nine safety communications related to cybersecurity and medical devices have been issued since 2013. Further, the FDA has strengthened its relationships with cybersecurity experts and device manufacturers to “ensure medical devices are developed with cyber safety and risk management ‘baked’ into the process.”

The FDA stated that its vision was to have “the medical device community take bold action to transform medical devices from brittle to resilient” so that “every device would meet a security baseline” and be easily updatable.