By Matt Tryphona | Security Analyst at Nettitude
The Healthcare industry remains highly targeted by hackers due to the great deal of personal data that is used and handled on a day-to-day basis. One of the biggest cyber Risks within healthcare is IoT devices, as they can be used as a gateway for capturing sensitive data if not secured correctly.
When we think of an IoT device, you may think about smart-home devices, such as a smart plug, or smart bulb controlled from an app on your phone. We may even think of a ‘smart’ assistant controlled by our voice, which can do much more than just tell you the weather. The ‘smart’ assistants can act as an IoT hub that control our devices to provide a seamless futuristic experience.
It’s one thing for the security of devices in the home to be breached, but within a healthcare environment, this can have a detrimental knock on effect across the board in light of an increasing variety and severity of healthcare cyber threats. Below we’ll take a look at what IoT is, how it’s used within the healthcare industry, and how a security breach could impact the industry.
Current position of IoT technology
There are now billions of IoT devices around the world that are able to connect to the Internet with the evolution of cheap computing. It is now possible to turn everyday household items into IoT ‘smart’ devices. This control that we now have of our electrical devices has transformed the way we live. We are able to collect data, analyse it and automate a reaction.
The Internet is now made up of devices able to connect to each other with the ability of automating actions for particular tasks. Home automation allows an ecosystem of ‘smart’ devices to control your home or business from anywhere in the world. This recent growth of IoT has caused a serious concern for the privacy and security of personal data, even more so with the rise of employees needing to work from home due to COVID-19. It was reported that 92% of companies believe that IoT will be important to their business by 2020 according to DigiCert’s 2018 ‘State of IoT Security Report Survey’.
IoT Cyber Threats in Healthcare
A collection of medical devices connected to the computer network are known as, IoMT (Internet of Medical Things). These devices are revolutionising the healthcare industry; also known as ‘Smart Healthcare’. They provide better care for patients with improved monitoring, automation and efficiency. There is also the benefit of lowered costs with the ability to remotely monitor patients.
However, with the known lack of security controls within the Healthcare sector, this poses a bigger risk to the confidential data that is handled and collected by hospitals, increasing the potential of security breaches.
Smart devices will allow interconnected sensors to communicate with the Healthcare’s IT infrastructure to collect data. Some popular examples of IoMT and IoT devices are:
- Wearable technology: For fitness tracking, pacemakers, heart rate and fall detection monitors.
- Vitals monitoring: Such as clinical grade temperature and respiratory rate sensors, also used for patients that have left hospital and still require care.
- Blood pressure and heart rate monitors: Capable of monitoring pacemakers and implants.
- Wireless technology: MRI and ECG machines capable of sending data over the air.
- Blood monitoring: For diabetic patients, able to alert the patient and doctor of sugar levels.
- RFID chips: For asset management, re-ordering of products.
- Physical access controls: Such as smart card building access and security camera systems.
- Smart beds: Able to identify the number of occupied beds and movement of patient.
These devices and specialised sensors are able to centralise the collection of data and provide a central system to allow doctors and patients to access their personal health records.
An example for diabetic patients is glucose monitoring systems, which utilise a sensor on the body and a mobile app on a mobile phone. The sensor is able to monitor the glucose concentration and the data will show the user whether insulin or sugar is required to stabilise the readings. The data is transmitted to the phone via Bluetooth and can display a trend graph from the collected data. This effective solution has provided peace of mind for its users.
There are even some private healthcare organisations that will collect personal health data using a smart watch. The company will provide the user with a free watch under the condition that they are able to monitor the fitness levels of the individual, which would therefore influence the insurance premium and encourage the customer to exercise frequently.
How IoT impacts the Healthcare industry?
Treating patients and saving lives is the biggest priority within the healthcare industry and by using smarter devices that are able to improve the workflow and efficiency is critical to saving lives.
However, with the positives of the revolutionary devices with lowered costs, the security risks are now greater due to the larger attack surface. Hospitals are well known for their outdated systems and lack of some basic Cyber Security controls.
Some well-known Cyber Security risks within the industry:
- Lack of network segmentation
- Insufficient access controls
- Mixed use of legacy/outdated systems
- Use of BYOD (bring your own device) for patients
- Hard-coded firmware passwords (common default credentials)
What are the impacts?
Lack of updates to IoT devices - Some IoT devices do not have the ability to update themselves automatically. With unpatched devices on the network, this increases the risk of potential malware and the opportunity for botnets to exploit any vulnerable devices, with the potential of performing a DDoS (Distributed Denial-of-Service) attack.
Joined Network traffic -
Many computer networks are not isolating network traffic between subnets, the lack of segmentation and use of strict access controls increases the overall risk/attack surface for an attacker.
Physical Harm -
IoT devices in a hospital can pose a significant threat in comparison to consumer devices as an exploited vulnerability could lead toward physical harm to a patient.
Remote Access -
Many IoT devices have their own proprietary remote management standards that allow either remote access to control, or remote access to monitor with little detail published on the security standards, update policies or methods they use to facilitate that. Amazon, Google and other IoT manufacturing companies have acknowledged this issue and have teamed together to standardise protocols and certification standards for their IoT products.
How can Healthcare IoT Security be Improved?
- Security awareness: Implement mandatory training to ensure that employees understand the cyber risks and the process of reporting a security incident.
- Logging and monitoring of network: DPI (deep packet inspection) enabled devices to understand the direction of traffic, protocols, destinations and location. IPS devices to detect/block common brute-force attacks and exploitation.
- Use of VLANs and isolated networks: Isolating hosts that do not need access to other subnets or even the Internet to prevent the risks of pivoting inside a network.
- Air gapped devices/network: Any legacy equipment should not be connected to a computer network that could lead to access to the critical infrastructure. Use of a closed network with no outside connectivity will provide an air gapped environment.
- Inventory of devices: All devices will need to go through a risk assessment to determine how its functionality could impact the network. Ensuring that there is a complete list of all assets will allow a complete visibility of the network.
- Use devices that meet certified IoT standards: Standards currently being developed to focus on compatibility and security of IoT, ‘Project Connected Home over IP’.
What does this mean?
The ‘Smart Healthcare’ ecosystem is already improving the healthcare industry by allowing medical professionals to improve the care provided for their patients. However, the speed at which these devices are rolled out to secure/sensitive environments often leaves gaps in security, increased attack surfaces for healthcare cyber threats, additional devices for security teams to monitor, assure and protect, as well as the devices themselves often being created with cost being the priority as opposed to security. Not to mention the wide array of differences in standards, patch lifecycles, and after sale support.
Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021. As IoT devices grow, cyber risks will also increase with the rise in IoT-related network traffic; especially for organisations interested in investing in new cost saving devices technology.