
The Risks of Bio-IoT

  • Posted on: April 25, 2018
  • Posted in: Healthcare, Internet of Things, Security
  • Posted by: William "Bill" Malik (CISA VP Infrastructure Strategies)

Bio-IoT: Internet of Things applied to biological systems, such as pharmaceutical delivery systems, implanted medical devices, intelligent prosthetics, surgical assistants, and remote patient monitoring.

IoT 2.0, with ample processing resources and OSI-conformant networking, promises vast improvements in health care. A recent paper from the IEEE describes a bright future for medical IoT (The Internet of Things for Health Care: A Comprehensive Survey, S. M. R. Islam et al., Digital Object Identifier 10.1109/ACCESS.2015.2437951, June 4, 2015).

Without adequate information security, these devices will expose patients to dangerous vulnerabilities.

Former Vice President Dick Cheney disconnected his implanted pacemaker from the Internet for safety. This was prudent. While the internet connection gave his caregivers real-time information about his condition, it also opened an attack surface. Last fall, the FDA recalled 465,000 pacemakers having that precise vulnerability (https://www.engadget.com/2017/08/31/fda-pacemakers-abbott-hacking/).

IoT devices arose from industrial control systems (ICS). ICSs have two primary design criteria: safety and reliability. Safety means they leave the system stable when they fail, or while they are inactive. Reliability means they do not spew inaccurate or misleading information when faulty. Neither of these architectural constraints corresponds to any principle in information security.

A recent article, “Securing Wireless Neurostimulators” from the ACM (In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, Tempe, AZ, USA, March 19–21, 2018 (CODASPY ’18), 12 pages, https://doi.org/10.1145/3176258.3176310), discusses an attack on implantable medical devices. The specific devices are placed in the patient’s brain. They provide a carefully targeted low-voltage electrical stimulation to manage chronic pain and to control movement disorders such as Parkinson’s. The paper warns:

“If strong security mechanisms are not in place, adversaries could send malicious commands to the neurostimulator in order to deliver undesired electrical signals to the patient’s brain. For example, adversaries could change the settings of the neurostimulator to increase the voltage of the signals that are continuously delivered to the patient’s brain. This could prevent the patient from speaking or moving, cause irreversible damage to his brain, or even worse, be life-threatening.”

Solving this problem requires information security. The primary functions of information security (from ISO 7498-2) are: identification, authorization, data confidentiality, data integrity, and non-repudiation. These functions require processing power, memory, and network bandwidth. In the paper, the authors propose an encryption mechanism that uses biological signals as a source of random numbers. Random numbers are useful for seeding private-key encryption. In this scenario, Bio-IoT would use the patient’s own locally available information to help protect them.

A complete solution would use identification to screen out rogue signals, authentication to verify the sender’s permission to modify the device (with logging), data confidentiality to preserve the patient’s privacy, data integrity to guarantee the correctness of any unencrypted signals, and non-repudiation to validate the transmission and receipt of commands and responses.
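To make the "complete solution" concrete, here is an added example (not code from the original post or from the cited paper) of a minimal command channel for a hypothetical implant controller. It shows identification (a device id), authentication and data integrity (an HMAC-SHA256 tag over the canonical command), replay protection (a strictly increasing counter), authorization (a clinical bound on the requested voltage) and logging of every accept/reject decision. Confidentiality and true non-repudiation, which needs asymmetric digital signatures rather than a shared key, are deliberately left out. The device id, voltage limit, key and commands are all constructed sample values.

```python
"""Minimal authenticated command channel for a hypothetical neurostimulator.
Added example; all identifiers and values are constructed, not from any real device."""
import hmac
import hashlib
import json
import secrets

DEVICE_ID = "neurostim-0001"   # hypothetical device identifier
MAX_VOLTS = 3.5                # hypothetical clinical ceiling for stimulation voltage

def _canonical(device_id: str, counter: int, volts: float) -> bytes:
    """Stable byte encoding that both sides tag and verify."""
    body = {"device_id": device_id, "counter": counter, "volts": volts}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_command(key: bytes, device_id: str, counter: int, volts: float) -> dict:
    """Programmer side: build a command and attach an HMAC tag over its canonical form."""
    tag = hmac.new(key, _canonical(device_id, counter, volts), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "counter": counter, "volts": volts, "tag": tag}

class Implant:
    """Device side: checks each command before applying it and logs the verdict."""
    def __init__(self, device_id: str, key: bytes, max_volts: float = MAX_VOLTS):
        self.device_id = device_id
        self.key = key
        self.max_volts = max_volts
        self.last_counter = 0
        self.volts = 0.0
        self.log = []  # audit trail of (counter, verdict)

    def _record(self, counter, verdict: str) -> str:
        self.log.append((counter, verdict))
        return verdict

    def receive(self, msg: dict) -> str:
        # Malformed messages are rejected before any field is trusted.
        if not all(k in msg for k in ("device_id", "counter", "volts")):
            return self._record(msg.get("counter"), "rejected: malformed")
        # Identification: ignore traffic addressed to another device.
        if msg["device_id"] != self.device_id:
            return self._record(msg["counter"], "rejected: wrong device")
        # Authentication and integrity: recompute the tag in constant time.
        expected = hmac.new(self.key, _canonical(msg["device_id"], msg["counter"], msg["volts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return self._record(msg["counter"], "rejected: bad tag")
        # Replay protection: the counter must strictly increase.
        if msg["counter"] <= self.last_counter:
            return self._record(msg["counter"], "rejected: replay")
        # Authorization: even a genuine sender may only set values within clinical bounds.
        if not (0.0 <= msg["volts"] <= self.max_volts):
            return self._record(msg["counter"], "rejected: out of bounds")
        self.last_counter = msg["counter"]
        self.volts = msg["volts"]
        return self._record(msg["counter"], "applied")

def demo():
    """Runs the channel through a genuine command and four failure modes."""
    key = secrets.token_bytes(32)  # shared key provisioned at implantation (constructed)
    implant = Implant(DEVICE_ID, key)
    results = []
    good = sign_command(key, DEVICE_ID, 1, 2.0)
    results.append(implant.receive(good))                      # applied
    results.append(implant.receive(good))                      # same counter: replay
    tampered = dict(good, counter=2, volts=9.0)                # voltage changed without the key
    results.append(implant.receive(tampered))                  # bad tag
    too_high = sign_command(key, DEVICE_ID, 2, 9.0)            # genuine key, unsafe setting
    results.append(implant.receive(too_high))                  # out of bounds
    results.append(implant.receive(sign_command(key, "other-device", 3, 1.0)))  # wrong device
    return results, implant.volts

if __name__ == "__main__":
    verdicts, volts = demo()
    for v in verdicts:
        print(v)
    print("applied voltage:", volts)
```

The ordering of the checks matters: the tag is verified before the counter or voltage is read as data, so nothing in an unauthenticated message influences device state, and the voltage bound is enforced even for correctly authenticated commands, which is what limits the harm from a compromised programmer.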

Only by merging the primary architectural directives of Industrial Control Systems with those of Information Security can we fulfill Bio-IoT’s promise. Hybrid, cross-domain development teams can deliver this, given mature processes and collaboration.

Let me know what you think! Post your comments below, or follow me on Twitter: @WilliamMalikTM.
