Mobile health devices: Kaspersky discovered 33 security vulnerabilities


Last year, Kaspersky experts found 33 vulnerabilities in the protocol most commonly used to transmit data from mobile health devices for remote patient monitoring [1]. Qualcomm Snapdragon is also affected.

Of these, 18 are critical. That is 10 more than in 2020, and many of them are still unresolved. Some of these vulnerabilities allow attackers to intercept data being sent online from the device.

Increase in vulnerabilities in 2021

The ongoing pandemic has led to rapid digitization of the healthcare sector. With hospitals and caregivers overwhelmed and many people quarantined at home, organizations are being forced to rethink the way patients are cared for. According to a recent Kaspersky study [2], 92.7 percent of healthcare providers in Europe have implemented telemedicine functions. However, this rapid digitization has brought new security risks, especially when it comes to patient data.

Telemedicine also includes the remote monitoring of patients, which is carried out using portable devices and monitors. These monitor the health indicators of patients, such as heart activity, continuously or at intervals.

MQTT protocol does not provide secure data transmission

MQTT is the most widely used protocol for transferring data from wearable devices and sensors because it is easy to use. That is why it is found not only in wearable devices but also in almost all other smart gadgets. However, authentication in MQTT is entirely optional and rarely includes encryption. This makes MQTT very vulnerable to man-in-the-middle attacks, in which attackers insert themselves into the communication between two parties. As a result, all data transmitted over the Internet could potentially be stolen. With wearable devices, that data can include highly sensitive medical data, personal information and even a person's movements.

Since 2014, 90 vulnerabilities have been discovered in MQTT, including critical ones, many of which have not been fixed to date. In 2021, 33 new vulnerabilities were discovered, including 18 critical ones, 10 more than in 2020.
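An added example, not part of the original article or of Kaspersky's research: a short Python audit of a captured MQTT 3.1.1 CONNECT packet, showing that credentials are optional at the protocol level and that, without TLS, a password travels as readable bytes. The function names, the `over_tls` parameter and the sample-packet builder are assumptions made for illustration.

```python
import struct

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' (at most 4 bytes)."""
    value = 0
    for i in range(4):
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one field prefixed by a 2-byte big-endian length."""
    (size,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + size > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + size], pos + 2 + size

def audit_connect(packet, over_tls):
    """List authentication/encryption gaps in one MQTT 3.1.1 CONNECT packet."""
    if len(packet) < 2 or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    try:
        length, pos = _remaining_length(packet, 1)
        body = packet[pos:pos + length]
        _, pos = _field(body, 0)                      # protocol name
        level, flags = body[pos], body[pos + 1]
        if level != 4:
            raise ValueError("only MQTT 3.1.1 (level 4) is handled")
        client_id, pos = _field(body, pos + 4)        # skip level, flags, keep-alive
        got = {}  # optional payload fields, in wire order, gated by flag bits
        for name, bit in (("will_topic", 0x04), ("will_msg", 0x04),
                          ("user", 0x80), ("pwd", 0x40)):
            if flags & bit:
                got[name], pos = _field(body, pos)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated CONNECT packet") from exc
    checks = [("anonymous: no username sent", "user" not in got),
              ("cleartext transport", not over_tls),
              ("password readable on the wire", "pwd" in got and not over_tls)]
    return {"client_id": client_id.decode("utf-8", "replace"),
            "username": got["user"].decode("utf-8", "replace") if "user" in got else None,
            "findings": [msg for msg, hit in checks if hit]}

def build_sample(flags, *fields):
    """Build a constructed CONNECT packet (body under 128 bytes) for testing."""
    body = b"\x00\x04MQTT\x04" + bytes([flags]) + b"\x00\x3c"
    body += b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return b"\x10" + bytes([len(body)]) + body
```

For instance, `audit_connect(build_sample(0x02, b"hr-monitor-01"), over_tls=False)` reports an anonymous connection over cleartext transport; the client identifier is a constructed value.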

Qualcomm Snapdragon wearable platform with vulnerabilities

Kaspersky experts found vulnerabilities not only in the MQTT protocol, but also in one of the most popular platforms for wearable devices: the Qualcomm Snapdragon wearable platform. Since its inception, more than 400 vulnerabilities have been identified, not all of which have been patched, including some dating back to 2020.

Most wearable devices record user health data as well as location and movements. This allows not only data theft, but also stalking. Dr. Peter Zeggel, founder and managing director of the German telemedicine company arztkonsultation ak GmbH, comments: “Data security is a basic requirement for the further establishment of telemedicine. This is a shared responsibility. Legislators, providers and users of telemedicine must all work towards greater security. Everyone involved can make a contribution!”

“The pandemic has led to strong growth in the telemedicine market, and it's not just about communicating with the doctor via video software. It affects a whole range of complex, rapidly evolving technologies and products, including specialized applications, wearable devices, implantable sensors and cloud-based databases,” comments Maria Namestnikova, head of the Russian Global Research and Analysis Team (GReAT) at Kaspersky. “However, many hospitals still use unverified third-party services to store patient data, and vulnerabilities in wearable healthcare devices and sensors remain open. However, before such devices are used, companies should find out as much as possible about their security level in order to protect their own data and that of patients.”

Kaspersky tips for healthcare providers to protect patient data

Check the security of all applications and devices that are used in the hospital or medical facility.
Keep the data transmitted by telemedicine apps to a minimum. For example, location transmission should be deactivated if it is not required.
Always change all default passwords and use encryption if the device in question supports it.


 


About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/


[1] https://securelist.com/telehealth-report-2020-2021/105642/
[2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/22125239/Kaspersky_Healthcare-report-2021_eng.pdf

 
