Upping the Ante: Security in Mobile Health Care Devices

Posted on by John Linkous

You might wonder what mobile healthcare has to do with Stuxnet. A few years ago when the Stuxnet malware first hit, a client asked me to provide an overview of why it was different from the other malware that came before it. At the time, my first inclination was to do exactly that: write up a nice, brief assessment of how Stuxnet was the first tangible evidence of malware affecting "real world" stuff—in this case, things like programmable logic controllers (PLCs) used to control SCADA devices, centrifuges, and other energy production and distribution equipment. However, after putting together that document, I trashed it and started again because I realized something: When it comes to the incursion of malware into the physical world, Stuxnet was only the tip of the iceberg. The real damage will come when malware can directly impact the health of individual human beings.

Fast-forward to the present day, and one of the most popular subjects in the security world is the "Internet of Things": the collection of appliances, home security equipment, and even automobiles that can be controlled through IP-based networks. Of course, when it comes to the damage that malware can cause in the Internet of Things, the potential impact varies widely. Yes, a malware incursion might have the potential to adjust the temperature in a "smart" refrigerator, raising the temperature to a point where the contents spoil. And yes, there is always the possibility—actually demonstrated at Black Hat 2011—of modifying a "smart" energy meter to adjust the results upward or downward, resulting in either a massive bill (presumably for someone you don't like) or no bill at all (for yourself). Even cars are susceptible, and proofs-of-concept have demonstrated that both the drivetrain and accessories can be taken over and controlled remotely through injected code. It makes one realize that all these "smart" devices in the Internet of Things are perhaps...uh...not so smart.

However, the potential damage to the types of devices we commonly think of in the Internet of Things is nothing compared to the possible consequences of these incursions in the world of healthcare. Healthcare is a unique industry: In a hospital environment, patients are often moved around continuously, from admissions to phlebotomy, to CAT/CT scans, inpatient rooms, and more. In these cases, each healthcare professional who comes in contact with the patient needs to know everything that has happened to the patient previously during her visit. This is a prime scenario for mobile healthcare devices, because many hospitals, clinics, and other healthcare providers use advanced mobile healthcare devices to provide complete case management for patients.

Unfortunately, this also means these devices are ripe for exploitation. Mobile devices in healthcare are just like any other mobile device, including the smartphone that's probably by your side right now. They communicate on TCP/IP networks. They run known operating systems, often Windows or Linux. And just like any other computer attached to a network—albeit a wireless one—they have vulnerabilities that can potentially be exploited, leading to catastrophic consequences. Imagine for a moment the consequences if a mobile device (say, a tablet) that contains a patient's healthcare records were remotely compromised over a WiFi network, and the application containing the data breached. An attacker could do a lot of damage: changing recommended dosages of medicine, or even changing entire therapies. And, of course, mobile devices owned by healthcare facilities are not the only ones in the healthcare chain anymore: In many clinics, patients' mobile phones are used as a secondary form of authentication, requiring the owner to respond to attempts to verify who he says he is via one-time text passphrases. With this mix of institutional and individual mobile devices, the potential for a compromise is bigger than ever.

Fortunately, there are resources to help with this problem. Vendor-agnostic organizations such as HIMSS and HealthIT.gov provide plenty of resources for security practitioners to discover and mitigate threats to mobile health care, providing extensive information on security standards and controls, and entire sections of detailed information on how organizations can specifically address mobile device security. While every industry must worry about the possible consequences of data breaches, data integrity compromise, and other threats, in the world of health care it can quite literally be a life-or-death matter.

John Linkous, Technology Advisor, critical infrastructure data security

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.