Kaspersky: Many wearable and healthcare devices are vulnerable to attacks due to a vulnerable data transfer protocol
Security analysts have found 33 weak points in MQTT, a frequently used protocol that rarely involves authentication or encryption.
Kaspersky security researchers announced this week that a popular data transfer protocol used by healthcare devices is riddled with critical vulnerabilities. Researchers identified 33 vulnerabilities in 2021, which is an increase from issues detected in 2020. Kaspersky reported that 90 vulnerabilities have been identified since 2014. This total includes critical vulnerabilities that remain unpatched, according to the analysis.
Researchers also discovered vulnerabilities in the Qualcomm Snapdragon Wearable platform, which is also used in many wearable health trackers.
The MQTT protocol is often found in devices for remote patient monitoring. These devices continuously or intermittently record heart activity and other health parameters. The problem with MQTT is that authentication is “completely optional and rarely includes encryption,” according to Kaspersky. This makes the protocol “highly susceptible to man-in-the-middle attacks” and puts a person’s medical data, personal information, and potentially location at risk of theft.
Maria Namestnikova, head of Russia’s global research and analytics team at Kaspersky, said in a press release that telehealth services extend far beyond video calls.
“We’re talking about a whole range of complex and rapidly evolving technologies and products, including specialized applications, wearable devices, implantable sensors and cloud-based databases,” she said. “However, many hospitals still use untested third-party services to store patient data, and vulnerabilities in wearable devices and healthcare sensors remain open.”
Kaspersky recommends that healthcare providers take these steps to ensure the security of patient data:
- Verify the safety of the app or device offered by the hospital or medical organization
- Minimize data transferred by telehealth apps if possible (e.g. don’t let the device send location data if it’s not needed)
- Change default passwords and use encryption if the device offers it
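To make the optional-authentication point and the "use encryption" recommendation concrete, here is an added example (not code from Kaspersky or this article) that audits an MQTT 3.1.1 CONNECT packet, as seen at a broker or network sensor, for missing credentials and cleartext transport. The function names and the sample packets are constructed for illustration.

```python
# Added example (not from the article): audit captured MQTT 3.1.1 CONNECT packets.
import struct

MQTT_PLAINTEXT_PORT = 1883  # IANA-registered cleartext port; 8883 is MQTT over TLS

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' field (1-4 bytes)."""
    value = 0
    for i in range(4):
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed remaining length")

def audit_connect(packet, dst_port):
    """Return findings for one CONNECT packet seen going to dst_port."""
    if len(packet) < 2 or packet[0] >> 4 != 1:
        raise ValueError("not an MQTT CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) < length or len(body) < 10:
        raise ValueError("truncated CONNECT")
    (name_len,) = struct.unpack_from("!H", body, 0)
    if body[2:2 + name_len] != b"MQTT":
        raise ValueError("unexpected protocol name")
    flags = body[2 + name_len + 1]  # connect flags follow the protocol level byte
    has_user, has_pass = bool(flags & 0x80), bool(flags & 0x40)
    findings = []
    if not has_user and not has_pass:
        findings.append("anonymous connect: no username or password")
    if dst_port == MQTT_PLAINTEXT_PORT:
        findings.append("cleartext transport: payload readable on path")
        if has_pass:
            findings.append("password sent without TLS")
    return findings

def build_connect(client_id, username=None, password=None):
    """Build a constructed sample CONNECT packet for the demo below."""
    def field(b):
        return struct.pack("!H", len(b)) + b
    flags = 0x02 | (0x80 if username else 0) | (0x40 if password else 0)
    body = field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", 60)
    body += field(client_id)
    for item in (username, password):
        if item:
            body += field(item)
    assert len(body) < 128  # a single-byte remaining length is enough here
    return bytes([0x10, len(body)]) + body

if __name__ == "__main__":
    print(audit_connect(build_connect(b"hr-monitor-01"), 1883))
    print(audit_connect(build_connect(b"hr-monitor-01", b"dev", b"s3cret"), 8883))
```

A password on port 1883 still produces two findings, because setting credentials without TLS leaves them readable to anyone on the network path.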
Additional research from the Kaspersky Healthcare 2021 report found that doctors and nurses are concerned about data security, potential HIPAA violations, and even misdiagnoses due to poor quality video.
The report focused on telehealth but also included questions about the overall impact of technology on healthcare. About half of telehealth providers reported having patients who declined to participate in a video visit due to privacy and data security concerns. Providers share those concerns, with 81% citing concerns about how patient data from telehealth sessions will be used and shared. They are also concerned that they could face personal penalties as a result of data leakage during remote consultations. Additionally, 34% of remote telehealth providers said that one or more clinicians in their company had made a misdiagnosis due to poor video or photo quality.
Data loss isn’t the only cybersecurity issue facing hospitals. A study by security firm Armis found that 85% of companies in the healthcare industry have seen an increase in cyber risk over the past year. Fifty-eight percent of IT professionals in this industry said their organizations had been hit by a ransomware attack. This research is based on an October 2021 survey conducted by Censuswide of 400 IT professionals working in healthcare facilities in the United States as well as 2,030 general respondents and patients.
Ransomware is usually preceded by some type of network security breach, and 52% of respondents cited data breaches as the threat of most concern. Some 23% were most concerned about attacks on hospital operations, while 13% were concerned about ransomware attacks themselves.
On the positive side, healthcare providers have strengthened their defenses in response to these attacks, with 75% of respondents saying recent attacks have strongly influenced their security decisions.