Experts at Kaspersky have discovered that the most popular wearable device data transfer protocol used for remote patient monitoring contained, in 2021 alone, 33 security vulnerabilities, including 18 critical ones. That's 10 more critical vulnerabilities than in 2020. Many of them are still unpatched. Some of these vulnerabilities allow attackers to intercept data sent from an online device.
The current pandemic has contributed to the rapid digitization of the healthcare sector. With overburdened medical staff and a large number of people in home quarantine, it has been necessary to look for new ways to deliver healthcare to patients. A recent survey by Kaspersky found that 91% of healthcare providers worldwide have implemented telemedicine. But this rapid transformation has brought new security risks, especially with regard to patient data.
Telemedicine involves remote patient monitoring, for which wearable devices are used. The category includes gadgets that track patient health indicators, such as heart activity, continuously or at specific intervals.
The most common protocol for transmitting data from sensors and wearable devices is MQTT. Because it is easy and convenient, it can be found not only in wearable devices, but also in almost every smart gadget. Unfortunately, when using the MQTT protocol, authentication is completely optional and rarely includes encryption. Because of this, MQTT is extremely susceptible to man-in-the-middle attacks, in which an attacker is able to position themselves between two sides of a communication, meaning that any data sent over the Internet can potentially be stolen. In the case of wearable devices, this could include highly sensitive medical data, personal information and even a person's movements.
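The optional authentication described above is visible in the flags byte of an MQTT CONNECT packet, which a defender can audit at a broker or gateway. The following is an added example, not code from Kaspersky's report: it parses MQTT 3.1.1 CONNECT packets and flags anonymous or unencrypted sessions. The sample packets are constructed, and the `over_tls` parameter and the finding labels are assumptions for illustration (the caller is assumed to know whether the listener is TLS-protected).

```python
import struct

# Constructed sample CONNECT packets (MQTT 3.1.1), client id "hr-sensor-01".
ANON = b"\x10\x18\x00\x04MQTT\x04\x02\x00\x3c\x00\x0chr-sensor-01"
WITH_CREDS = (b"\x10\x27\x00\x04MQTT\x04\xc2\x00\x3c\x00\x0chr-sensor-01"
              b"\x00\x05nurse\x00\x06s3cret")

def _field(buf, pos):
    """Read one field: 2-byte big-endian length followed by that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' of the fixed header."""
    value = 0
    for shift in (0, 7, 14, 21):
        if pos >= len(buf):
            raise ValueError("truncated header")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def audit_connect(packet, over_tls):
    """Return (client_id, username, findings) for one CONNECT packet."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    proto, p = _field(body, 0)
    if proto != b"MQTT" or len(body) < p + 4:
        raise ValueError("unsupported or truncated variable header")
    flags = body[p + 1]                 # connect flags follow the protocol level
    client_id, p = _field(body, p + 4)  # skip level, flags, 2-byte keep-alive
    if flags & 0x04:                    # will topic and message precede credentials
        _, p = _field(body, p)
        _, p = _field(body, p)
    username = _field(body, p)[0].decode("utf-8", "replace") if flags & 0x80 else None
    findings = [] if username else ["NO_AUTH"]   # no username flag: anonymous connect
    if not over_tls:
        findings.append("NO_TLS")                # whole session readable on the path
        if flags & 0x40:
            findings.append("CLEARTEXT_PASSWORD")
    return client_id.decode("utf-8", "replace"), username, findings
```

A `NO_AUTH` finding on a TLS listener that requires client certificates can be acceptable; on a plaintext listener it means any party on the network path can read and impersonate the device.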
Since 2014, 90 vulnerabilities, including critical ones, have been discovered in the security of the MQTT protocol, many of which remain unpatched to this day. In 2021, 33 new security vulnerabilities were detected, including 18 critical ones - 10 more than in 2020. All of these vulnerabilities pose a threat to patient data.
Kaspersky researchers found vulnerabilities not only in the MQTT protocol, but also in one of the most popular platforms for wearable devices: the Qualcomm Snapdragon Wearable. More than 400 security vulnerabilities have been found in this platform since its launch. Not all of them have been patched.
It is worth noting that most wearable devices track both health data and the user's location and movement. This opens up the possibility of not only data theft, but also stalking.
"As a result of the pandemic, the telemedicine market has seen explosive growth. The term telemedicine encompasses not only contact with a doctor via audio-video software, but a whole range of complex, rapidly evolving technologies and products, including specialized applications, devices, implantable sensors and cloud-based databases. Unfortunately, many hospitals are still using untested third-party services to store patient data, and vulnerabilities in device and sensor security remain unpatched. To ensure the security of your company's and patients' data, you should get an idea of the security level of such devices before deploying them," said Maria Namiestnikova of Kaspersky's Global Research and Analysis Team (GReAT).
The full report on security vulnerabilities in telemedicine devices is available at kaspersky.co.uk.
Kaspersky recommends the following steps for healthcare providers to ensure the security of patient data:
- Check the security of the application or device suggested by the hospital or medical facility.
- If possible, minimize the amount of data sent via telemedicine applications (e.g., do not allow the device to send location data if it is not needed).
- Change passwords from the default and use encryption if the device offers it.
The information can be used freely with the caveat that Kaspersky is cited as the source.