Security analysts found 33 weak points in MMQT, a frequently used protocol that rarely involves authentication or encryption.
Kaspersky security researchers announced this week that a popular data transfer protocol used by healthcare devices is full of critical vulnerabilities. Researchers identified 33 weaknesses in 2021, which is an increase over problems found in 2020. Kaspersky reported that 90 vulnerabilities have been identified since 2014. That total includes critical vulnerabilities that are still unpatched, according to the analysis.
Researchers also found vulnerabilities in the Qualcomm Snapdragon Wearable platform, which is also used in many wearable health trackers.
The MMQT protocol is often used in devices used for remote patient monitoring. These devices record continuously or intermittently heart activity and other health metrics. The problem with the MMQT is that authentication is “completely optional and rarely includes encryption,” according to Kaspersky. This makes the protocol “highly susceptible to man-in-the-middle attacks ” and puts medical data, personal information and potentially a person’s location at risk for theft.
Maria Namestnikova, head of the Russian Global Research and Analysis Team at Kaspersky, said in a press release that telehealth services extend well beyond video calls.
“We’re talking about a whole range of complex, rapidly evolving technologies and products, including specialized applications, wearable devices, implantable sensors and cloud-based databases,” she said. “However, many hospitals are still using untested third-party services to store patient data, and vulnerabilities in healthcare wearable devices and sensors remain open.”
Kaspersky recommends that healthcare providers take these steps to keep patient data safe:
- Check the security of the application or device suggested by the hospital or medical organization
- Minimize the data transferred by telehealth apps if possible (e.g. don’t let the device send the location data if it’s not needed)
- Change passwords from default ones and use encryption if the device offers it
Additional research from the Kaspersky Healthcare report 2021 found that doctors and nurses are concerned about data security, potential HIPAA violations and even misdiagnosis due to poor quality video.
The report’s focus was telehealth but included questions about the overall impact of technology on healthcare as well. About half of telehealth providers said they had patients who refused to join a video visit due to privacy and data security worries. Healthcare providers are also concerned, with 81% citing concerns about how patient data from telehealth sessions will be used and shared. Healthcare providers also worry that personal penalties might result from data leakage during a remote consultation. Also, 34% of remote telehealth providers said that one or more clinicians in their companies have made a wrong diagnosis because of poor video or photo quality.
Data loss is not the only cybersecurity problem hospitals face. Research from the security firm Armis found that 85% of the healthcare companies have seen an increase in cyber risk over the past year. Fifty-eight percent of the IT pros in this sector said their organizations have been hit with a ransomware attack. This research is based on an October 2021 survey conducted by Censuswide of 400 IT professionals working in healthcare institutions across the U.S. as well as 2,030 general respondents and patients.
Ransomware is usually preceded by some type of network security breach, and 52% of survey respondents cited data breaches as the most concerning threat. Some 23% were most concerned about attacks on hospital operations, while 13% were worried about ransomware attacks themselves.
On the plus side, healthcare providers have shored up their defenses in response to these attacks with 75% of respondents stating that recent attacks have strongly influenced their security decisions.