Kaspersky: Wearable medical devices vulnerable to DTP attack
Security analysts have found 33 vulnerabilities in MQTT, a frequently used protocol that rarely includes authentication or encryption.
Kaspersky security researchers have announced that a common data transfer protocol used by medical devices is riddled with security vulnerabilities. They identified 33 vulnerabilities in 2021, which is an increase compared to the issues discovered in 2020.
Kaspersky also announced that 90 vulnerabilities have been identified since 2014. This total includes critical vulnerabilities that, according to the analysis, have not yet been patched. Manufacturers and suppliers appear to be simply ignoring them.
The researchers also found flaws in the Qualcomm Snapdragon wearable platform, which is used in many wearables.
The MQTT protocol is often used in remote patient monitors. These devices record heart activity and other health indicators continuously or intermittently. The problem with MQTT is that authentication is “completely optional,” according to Kaspersky, and rarely involves encryption. This makes the protocol “highly vulnerable to man-in-the-middle attacks” and puts a person’s medical data, personal data, and potential location at risk of theft.
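The optional authentication described above is visible in the first packet a device sends: an MQTT 3.1.1 CONNECT packet carries a flags byte whose top two bits say whether a username and password follow. The following is an added example, not code from Kaspersky or the original article, that a defender could run over captured device traffic to spot monitors connecting anonymously; the two sample packets and the names `audit_connect`, `ANON_SAMPLE` and `AUTH_SAMPLE` are constructed for illustration.

```python
import struct

def decode_remaining_length(buf: bytes, pos: int):
    """Decode MQTT's variable-length 'remaining length' field (max 4 bytes)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 21:
            raise ValueError("malformed remaining length")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def audit_connect(packet: bytes) -> dict:
    """Report whether an MQTT 3.1.1 CONNECT packet carries credentials."""
    if not packet or packet[0] >> 4 != 1:        # packet type 1 = CONNECT
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_remaining_length(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) < remaining or len(body) < 2:
        raise ValueError("truncated packet")
    (name_len,) = struct.unpack_from(">H", body, 0)
    # Variable header: name, protocol level (1), connect flags (1), keep-alive (2)
    if len(body) < 2 + name_len + 4:
        raise ValueError("truncated variable header")
    flags = body[3 + name_len]
    has_username = bool(flags & 0x80)
    return {
        "protocol": body[2:2 + name_len].decode("ascii", "replace"),
        "level": body[2 + name_len],
        "has_username": has_username,
        "has_password": bool(flags & 0x40),
        # Without TLS, any credentials present still cross the wire in cleartext.
        "anonymous": not has_username,
    }

# Constructed sample packets (not captured from any real device).
ANON_SAMPLE = b"\x10\x14\x00\x04MQTT\x04\x02\x00\x3c\x00\x08monitor1"
AUTH_SAMPLE = (b"\x10\x22\x00\x04MQTT\x04\xc2\x00\x3c"
               b"\x00\x08monitor1\x00\x04ward\x00\x06s3cret")

if __name__ == "__main__":
    for label, pkt in (("anonymous", ANON_SAMPLE), ("with credentials", AUTH_SAMPLE)):
        print(label, audit_connect(pkt))
```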
Telehealth services go beyond video calls, said Maria Namestnikova, head of the global Russia research and analysis team at Kaspersky. “We’re talking about a whole range of complex and rapidly evolving technologies and products, including specialized applications, wearable devices, implantable sensors and cloud databases,” she said. “However, many hospitals still rely on untested third-party services to store patient data, and vulnerabilities in healthcare wearables and sensors remain open.”
Kaspersky recommends that healthcare providers take the following steps to keep patient data safe:
- Check the security of the app or device suggested by the hospital or medical organization
- Limit the data sent by remote healthcare apps if possible (e.g., don’t allow the device to send location data if it’s not needed)
- Change your passwords from the default and use encryption if your device provides it
Additional research from the Kaspersky Healthcare 2021 Report finds that doctors and nurses are concerned about data security, potential HIPAA violations, and even misdiagnosis due to poor video quality.
The report focused on telehealth, but it also raised questions about the technology’s overall impact on healthcare. About half of telehealth providers say they have patients who refused to join a video visit due to privacy and data security concerns. Healthcare providers are also concerned, with 81% citing concerns about how patient data from telehealth sessions are used and shared.
Providers are also concerned that personal penalties may arise as a result of data leaks during remote consultation. In addition, 34% of telehealth providers said one or more doctors at their company misdiagnosed due to poor video or image quality.
Data loss is not the only cybersecurity problem that hospitals face. A study by security firm Armis found that 85% of healthcare companies have seen an increase in Internet risk over the past year. Up to 58% of IT professionals in this sector say their organizations have been affected by ransomware. This study is based on a survey conducted in October 2021 by Censuswide among 400 IT professionals working in health care organizations in the United States and 2,030 general and patient respondents.