Health systems can prevent the hacking of electronics in the “cold chain” that keeps items like COVID-19 vaccines ultra-cold during storage and transport, say researchers.
A major health system commissioned the study, which finds that an attacker located near equipment like freezers and coolers could use electromagnetic interference generated by simple devices like walkie-talkies to fool temperature sensors into giving false readings.
The interference could cause a cooler’s temperature monitor to falsely indicate that the vaccine inside has become too warm to use, or it could cause a freezer to malfunction and spoil its contents.
The good news is there are simple steps that hospitals and health systems can take to protect themselves. Kevin Fu, then associate professor of electrical engineering and computer science at the University of Michigan, led the study. Fu later joined the FDA as acting director of medical device cybersecurity. He recommends the following five steps:
1. Restrict access to data like temperature displays
A potential attacker might try to devise a hack using trial and error—trying several different types of electromagnetic interference (EMI), such as radio waves from walkie-talkies, while watching temperature displays or other data to see which type of interference is effective.
Health systems can protect against this kind of attacker by making data points like temperature readouts less visible. This could be done by:
- Installing blinders on temperature displays, similar to those on ATMs and voting machines.
- Eliminating real-time temperature displays when possible.
- Moving displays to make them less visible—for example, turning a display so it can’t be seen through a room’s doorway.
- Restricting access to areas where temperature displays are located.
2. Keep the details about your sensors confidential
If a prospective attacker knows which sensors you use, they could buy an identical model, then work out the details of an attack off-site. Health systems can reduce the likelihood of this by keeping model numbers and other details about the temperature sensors in equipment like coolers and freezers confidential.
3. Keep the locations of your sensors confidential, and move them frequently
To successfully carry out an attack, a hacker must put an EMI device within a certain distance of the targeted equipment. There are a number of ways that health systems can make that more difficult. They include:
- Keeping the locations of cold chain equipment confidential.
- Frequently moving equipment to different locations.
- Moving equipment toward the center of the room where it's stored. This makes it more difficult to carry out an attack from an adjoining room.
4. Select the lowest possible sensor sampling rate
Temperature sensors take measurements at pre-set sampling rates, for example once every five minutes. A sensor with a lower sampling rate provides less data that a hacker could use to carry out an attack.
With this in mind, it makes sense to select a sensor with the lowest sampling rate necessary for keeping vaccines and other ultra-cold items safe. Some sensors have adjustable sampling rates, and it’s smart to adjust them to the lowest sampling rate necessary for keeping items safe.
5. Use a sensor that’s less susceptible to electromagnetic energy
Depending on the specific application, it may be possible to replace a traditional thermocouple with a sensor that's less susceptible to interference, such as an on-chip integrated temperature sensor or a chemical-based temperature indicator.
However, most of these types of sensors can’t operate at temperatures below -40 degrees Celsius, so it’s critical to carefully match sensors to specific applications.
An article on these recommendations appears in AAMI Biomedical Instrumentation & Technology. The research had support from the National Science Foundation, the Japan Society for the Promotion of Science, and Facebook.
Other researchers on the project are from the University of Florida and the University of Electro-Communications in Japan.
This article was originally published in Futurity. It has been republished under the Attribution 4.0 International license.