Med tech is an increasing part of healthcare. And with it comes the need for medical cybersecurity. But healthcare and cybersecurity don’t always mesh as seamlessly as they might, with high-tech medicine sometimes falling short of the standards we’d like for cybersecurity in healthcare. Here, Celeste Fralick, Senior Principal Engineer and Chief Data Scientist at internet security company McAfee, tells us about her experience of medical security and her thoughts on how it could be improved.
“In 2015, a plastic surgeon took topless photos of me. I was going through breast cancer, and it’s something they do to help with reconstructive surgery after you’ve had a mastectomy. They photograph you from the waist up, from the front, and from the side. They do it before the surgery, and they do it afterwards. And in both cases, the doctor did it on their personal smartphone.
The first time was a few months before I started working in cybersecurity. But by the second photo, I had been with McAfee for a few months and so I was much more attuned to security. As she photographed me, it dawned on me that there was probably little or no security on her smartphone.
So I asked: ‘Is there any security on that? And hopefully this picture is from the chin down?’
She just goes: ‘Oh, don’t worry about it.’
I thought: ‘I’m gonna worry about it.’
We assume that computers in medical establishments are generally protected by something like Norton or McAfee. But if smartphones are being used to process patients’ important medical data, then security on them is just as important. And if it’s connecting to a wifi network, then the router it’s using also needs to be protected. Otherwise, your medical records are not secure.
The doctor told me that she used an app on her phone to take the picture. But I don’t know whether that app has security or not. I asked her what she did with the photo, but she said: ‘Oh, we download it to our files.’ And that doesn’t make me feel any better either! Now, not only is it on her phone, but it’s in her files too!
Will her phone be hacked? Will the app be hacked? Will the doctor’s office be hacked? It just goes on ad nauseam for every location where those photos have been. The more we talk about it, the more concerned I get!
One of the things that McAfee did is to look at Vital Signs Monitors – those machines that monitor your heart rate, your oxygen levels, your vitals. We were able to access the information on that machine, as well as the nurses’ station, and we were able to actually change the data. This is the risk of what can happen with insufficient cybersecurity for medical devices and hospital networks – and I fear that at the moment, we just don’t know whether they are or not.
The same goes for wearable and implantable medical devices’ security. I have a fairly benign, genetic condition called essential tremor and one of the ways to treat it is for them to implant a neuro-stimulator in your brain. But due to their hackability, I really don’t want one.
I’ve seen it demonstrated in real-time at Intel, where the insulin wearer had an implantable insulin machine. He stood onstage, in front of us and he literally hacked into his device. There have been many documentations of access into implantables. Without the right security, bad actors can take control of them.
What’s more, the cybersecurity of medical devices is only ever as good as the router they’re connected to. If you don’t have security on your router, I could drive by and hack into it – and then I can access your wearable health device. A group of us from McAfee literally walked into a restaurant and within five minutes, my colleagues had used their cellphones to break into the security system of the restaurant, simply because they hadn’t changed the default password and username on the router. If a wearable health device is connected to a wifi network with that level of security, it’s extremely easy to hack into.
You know what I’m most concerned about, though? The DNA that we spit into a tube for ancestry websites or for medical sites that analyse it to tell you about conditions you’re genetically predisposed to.
What is happening with all that DNA? How are those records being protected? Is that information vulnerable to being hacked? Bad actors are constantly trying to hack companies, some of which will have your DNA or medical records. There are something like 833 hacks a minute across the globe, with ransomware utilised against companies around every 11 seconds. If hackers have managed to hack email companies and sell the passwords on the dark web, what’s to say they won’t do the same with information on your DNA?
Some of those sites have huge amounts of information on your genetic predisposition to medical conditions. If that information gets out there, that could have a huge effect on the course of your life. Would companies not insure you? Might other companies not employ you? It’s something that needs to have a lot of security around it.
Security is something that is increasingly being taken seriously. But we need to see more standards being enforced and them being embraced by governments and the community at large. It’s also really up to you and me to be good stewards of our data. The first thing I would recommend is to not share data that isn’t necessary.
I had an appointment the other day and they said: ‘What’s your social security number?’, and so I said: ‘Why do you need it?’.
She was like: ‘What? Nobody ever asks that question! They just give me the information!’
When you fill out paperwork at a doctor’s office that’s full of your personal information, what are they going to do with it? I’ve had places that just toss it into the garbage, so now I say: ‘Show me the shredder. Show me that you’re compliant with data regulations.’
If you want to make sure your data is being kept safe, there are three things to do: Know where your data is, know where it’s going and make sure it’s protected.”