The pacemaker itself is not a new piece of technology. Interfacing it with a network – including the publicly accessible Internet – is a relatively new concept and opens the door to potentially life-threatening security vulnerabilities. Recently, the newly developed Pacemaker Ecosystem, the technology framework for connecting next-gen pacemakers to the Internet of Things (IoT), failed its cyber security check-up.
IoT Brings Major Security Challenges
The very concept behind the Internet of Things highlights the convenience of connecting devices across a public-facing Internet connection. The benefits of IoT connectivity are myriad. An IoT-enabled pacemaker allows medical professionals to remotely monitor pacemaker users, 24/7.
Potentially, the same healthcare professionals could remotely reconfigure a pacemaker as well. But what happens if somebody other than the authorized healthcare specialist, without the necessary knowledge and expertise to manage a pacemaker, gains access to the IoT healthcare device? The implications of this are terrifying.
Transparency is a Potential Security Vulnerability
The Pacemaker Ecosystem failed its cyber security test due to the potential security vulnerabilities found within the integrated set of technologies that constitute the overall platform infrastructure.
Because of the open nature of IoT security protocols, it is possible to learn very quickly how the Pacemaker Ecosystem handles security. Since the platform uses standardized cryptography methods, finding security vulnerabilities is far easier than finding them in proprietary cryptography methods.
Incorporating off-the-shelf, potentially vulnerable cryptography technology into a healthcare IoT device platform is not necessarily a great idea either. Many vendors of open technologies have a less-than-stellar reputation for promptly addressing security vulnerabilities.
Robust Cryptography is Necessary for Healthcare IoT Devices
Infrastructure security loopholes aside, the Pacemaker Ecosystem has been criticised for failing to leverage adequate encryption for data security.
Whilst governments around the world are moving toward restricting the strength of consumer-grade encryption in favor of national security, there can be no valid reason for vendors not to apply strong encryption to data and networks involved in maintaining a patient’s cardio functionality.
However, the Pacemaker Ecosystem failed to use top-grade encryption and, furthermore, can potentially leak unencrypted data due to security vulnerabilities introduced by the third-party vendor technologies involved.
Multiple Points of Failure
The security testing and subsequent failure of the Pacemaker Ecosystem was dramatic due to the sheer volume of potential security vulnerabilities uncovered. Across the entire software platform, over 8,000 potential security vulnerabilities were found in standard library functions alone. It was also found that certain private patient data was being stored in an entirely unencrypted fashion.
Although the concept of IoT-enabled medical devices promises great value, the road to developing secure and reliable devices is going to be a long one, with many challenges to overcome. As such, strong encryption is the bare-minimum security requirement.