Healthcare devices: a mixed bag of capabilities and cyber risk
When you hear, “healthcare-related IoT devices,” what comes to mind? Most people would think of always-on pacemakers, insulin pumps, or heart monitors. Tech-savvy folks, however, might think of something a bit more sinister. Think of cyber-attack entry points into a healthcare organization network, healthcare networks stopped by a botnet, or multi-stage data breaches.
Unfortunately, devices that help deliver reliable, high-quality healthcare in the short term have cyber security vulnerabilities. These open doors to malicious actors and pose long-term risks for hospitals and patients.
Cybercrooks follow the money
With IoT medical devices, medical caregivers don’t rely on the occasional blood pressure or heart rate reading. Connected devices inside the hospital and wireless devices implanted on or carried by patients provide a constant stream of diagnostic information. Unfortunately, these devices also give cybercriminals an attack platform.
High-value opportunities provide a tasty treat for criminals
What’s happening? Malicious actors are developing a taste for easy pickings. Cybercrooks are fast and creative in their ability to design and deliver innovative ransomware and malware attacks. Healthcare organizations however, are the slowest industry to upgrade to modern operating systems such as Microsoft Windows 10. Many hospitals, clinics, and private practices run aging, vulnerable operating systems and apps that provide a “come on in!” to attackers.
IoT device cyberthreats
Most IoT medical devices are vulnerable to cyber-attacks because they lack built-in security. Many IoT devices provide little opportunity to patch or upgrade their security software. And often, IoT devices are overlooked and not controlled by the IT staff. Devices can remain unpatched for years and provide an easy entry point for cybercriminals.
IoT device-based attacks pose several threats to healthcare organization security:
- Data breaches (theft). Criminals breach organizations in the hopes of stealing medical records and then selling them on the black web. In this scenario, IoT devices can be used to steal a patient’s personal or medical data. This information can be anything collected by, stored on, processed by, or transmitted to or from IoT devices.
- Ransomware (extortion): In the simpler form of ransomware, malicious actors break into a network via IoT devices, take control of its resources and demand payment before giving the resources back. Extortionists can run a ransomware attack by threatening to turn vital devices or services on or off. Surveys show that some businesses spend up to $50,000 to get their resources returned. The ransomware threat is growing. According to Dimension Data, global ransomware attack frequency rose by 350 percent in 2017 compared to the previous year.
More sophisticated cybercriminals rely on ransomware as a distraction for larger, multi-stage campaigns. The strategy: while the security team handles the ransomware attack, the hackers use malware to steal data elsewhere on the network.
- DDoS Attacks (block availability of services, data).In this exploit, criminals make healthcare systems and their data unavailable to caregivers by overwhelming the network with junk traffic. Easy entry via IoT devices makes this exploit a common healthcare security problem.
- Weaponization of medical devices (potential cyberterrorism): In this scenario, malicious actors take unauthorized control over medical devices by turning them on or off. There’s still no record of this threat harming patients. However, botnet technology, sophisticated command and control scripts used by botmasters, and vulnerable devices are all “available” for this type of exploit.
Healthcare is unique because the impact that poor device security has on medical practice.
What’s at stake with healthcare device security?
Usually, when analysts ask, “What impact does [a new technology or trend] have on an organization?” the answer stays close to business 101 concepts: lower costs, greater productivity, or better business opportunities. When we step into the healthcare realm, however, the discussion is completely different. That’s because in healthcare, poorly secured devices risk:
- Patient health and safety. Connected and implanted medical devices include cardiac pacemakers, insulin pumps, defibrillators, blood sugar monitors, blood pressure measurement devices … the list is long. These are the devices that patients depend on for an accurate diagnosis as well as life-giving treatment and data monitoring services. Secure IoT devices deliver dependable functions that keep patients alive and well. Insecure devices that can’t be depended on, can affect…
- Patients’ opinion of healthcare quality. Patients’ opinions about how well healthcare “works” depends on how well medical technology devices operate and whether healthcare providers keep their data private and secure. A 2017 Accenture study indicates that data breaches send disgruntled patients to the exit and toward other healthcare providers.
- Uninterrupted flow of medical information. Running healthcare facilities involves a lot more than just keeping the lights on. Keeping all connected patient information available and up-to-date is a vital part of medical diagnoses and treatment plans. Network downtime or a data breach is all it takes to bring modern medicine to a screeching halt.
- Trouble with the law, and maybe fines. The healthcare industry is highly regulated. HIPPA laws levy fines on healthcare organizations that lose control of their patients’ personal and medical data.
Keeping malicious actors at bay
There’s no silver bullet that improves IoT device security. However, recommendations developed in the US and United Kingdom start with the principle of networks being ‘secure by default.’ Their ideal IoT security solution includes products or best practices that help monitor data loss, detect IoT exploits, and provide a detailed inventory of all devices in all repositories throughout a network.
Operating networks with IoT medical devices without a proven products or experienced guidance is flying by the seat of your pants. If you’re feeling lucky, you might beat the odds and avoid IoT device disaster. Question is—are you feeling lucky today?