IoT security is still a big issue in the healthcare sector. 82% of hospitals have experienced cyberattacks of some sort after implementing connected devices. A recent survey by PwC doesn't add more optimism to the situation. It shows that only 37% of healthcare executives are "very confident" in their security and privacy processes.
However, this state of affairs doesn't stop hospitals from acquiring more internet of things healthcare devices. The global medical IoT market was valued at $72.5 billion in 2020 and is expected to grow to $188.2 billion in 2025. It’s time for healthcare organizations to realize that constantly adding connected devices without proper security protocols will do more harm than good. If you are falling behind in your security initiatives, it is best to turn to professionals and benefit from their cybersecurity services. But before you do, check our 5-step approach to medical IoT security to see what to focus on.
The State of Medical IoT Device Security
As mentioned above, cyberattacks in healthcare are commonplace. Hackers generally target patient records. On the black market, healthcare data is valued at up to $250 per record. The next most valuable entry on the list is credit card details, which are valued at just $5.40.
If attackers succeed in breaching a medical IoT device, they can violate patients' privacy and ruin the clinic's reputation. Such attacks cost hospitals significant sums in regulatory fines. The average cost of resolving a connected medical device's cyberattack is a whopping $346,205. Out of all industries, only logistics and transportation would pay more.
Up to the day of writing this article, there is no evidence of hackers causing physical harm to patients through medical IoT. However, there is proof that this is possible. At the 2018 Black Hat Cyber Security Conference, participants revealed significant flaws in connected devices. For example, Billy Rios and Jonathan Butts demonstrated how attackers could control a Medtronic pacemaker and administer life-threatening shocks to patients.
What Makes Medical IoT Devices Vulnerable?
When it comes to healthcare IoT security, the sector faces several unique challenges.
According to research, by January 2020, 70% of healthcare devices, such as MRIs and ultrasound machines, ran an unsupported version of Windows. Such operating systems don't install security updates leaving the devices vulnerable to cyberattacks. This weakness was exposed back in 2017 when the WannaCry ransomware attack struck over 300,000 devices. Later, analyses revealed these machines didn't have up-to-date security patches installed, which made this large-scale attack possible.
Another factor contributing to legacy systems’ vulnerability is that some healthcare facilities don't replace multimillion-dollar equipment until it is fully depreciated. These machines don't receive over-the-air updates and do not utilize secure communication protocols.
Lack of coordination between IT and OT
Operational Technology (OT) professionals sometimes ignore security concerns and procure devices without having them tested by their IT colleagues. The same goes for IT professionals, who don't always consider how their security measures may halt operations.
Compliance and certification
Compliance, even though well-intentioned, can also present a hurdle. When hospitals want to upgrade their devices' OS, they must retest all the impacted machines and certify them again.
Absence of an up-to-date inventory of IoT devices
A mid-size healthcare organization may have thousands of connected medical devices. This would require a hospital manager to keep an inventory of all IoT devices to determine where they are located and who is authorized to access them.
Also, devices from different IoT vendors may have diverse communication protocols, each with its own characteristics. Misunderstanding such protocols will lead to vulnerabilities.
How does the Pandemic Influence IoMT?
The pandemic has affected cybersecurity overall. The FBI reports that cyberattacks have increased by 300% since the coronavirus struck.
"Attacks are getting more sophisticated. [451 Research has] definitely seen a sharp uptick in attacks on medical devices during COVID-19. We've seen an increase in attacks on IoT devices in general, but especially in the healthcare sector", says Christian Renaud, Research Director of IoT with 451 Research, part of S&P Global Market Intelligence.
The healthcare industry already struggled to secure medical IoT devices before the pandemic. During the COVID-19 surge, healthcare providers rely on IoMT for remote patient monitoring and telehealth even more frequently. Patients access IoT devices over their personal networks, pushing healthcare providers out of the security equation.
Furthermore, during the pandemic, healthcare clinics are understaffed and face immense pressure to deliver care promptly. Strict cybersecurity regulations can slow down hospital operations, creating a conflict of interest.
Finally, to cope with COVID, healthcare providers set up quarantine units and field hospitals, which further increases the possibility of cyberattacks.
Connected Medical Devices that Can Fall Victim to Cyberattacks
When prescribing the use of medical IoT devices, healthcare providers mostly focus on improving patient care and ignore the security aspect of connected devices. As a result, these devices have serious vulnerabilities. Below are some examples.
Insulin pumps account for over half of the medical IoT deployed today.
In June 2019, the US Food and Drug Administration (FDA) issued a strict warning to doctors and patients regarding certain Medtronic MiniMed insulin pumps. It came to the FDA's attention that unauthorized users can connect to these devices through Wi-Fi and change the pumps’ settings over-delivering insulin to patients. Medtronic identified over 4,000 patients using the vulnerable pump.
At the same time, Health Canada issued a similar warning regarding Medtronic MiniMed and MiniMed Paradigm insulin pumps distributed during 2010 – 2015.
Vital sign monitors
The convenience of remotely measuring vital signs creates a considerable advantage while monitoring chronic diseases. Patients don't need to frequent the clinic, while at the same time their physicians are constantly aware of their situation and can intervene as soon as their vital signs destabilize. Unfortunately, such a setup can be prone to hacking.
The McAfee Advanced Threat Research team demonstrated the ability to hack into a medical network and falsify patients' vital signs in real time. During the experiment, the team changed the patient's heartbeat from 80 beats/second to zero in just five seconds.
MRI and CT scans
A research team from Ben Gurion University developed and tested malware that can add/remove tumors from medical images. In a scientific experiment, they used the malicious program to alter 70 scans and were able to trick three radiologists into misdiagnosing the patients with cancer. The team focused on lung scans, but hackers can adjust the malware to fabricate brain tumors, fractures, blood clots, and spinal issues.
According to the researchers, these scans were vulnerable because they were neither digitally signed nor encrypted. So, it would be impossible to identify any malicious changes.
5-Step Approach to Help Healthcare Providers Secure Their Medical IoT Infrastructure
Healthcare processes are different from other industries. Therefore, what suits others doesn't necessarily work for healthcare. For example, zero-trust might not be suitable within healthcare settings.
"We’re not protecting a laptop that if I lock you out of it, it sucks, you lose a day’s work. If I lock the nurses out of their workstation because I detected some sort of anomaly, I may have just killed people,” notes Jamison Utter, Senior Business Development Manager for IoT at Palo Alto Networks.”
Below are five steps that your organization can use to improve medical device IoT security and mitigate risks.
Step 1: Control the Procurement Process
Keep security in mind while thinking about purchasing your next medical device. In some healthcare organizations, doctors select the equipment and procure it on their own without consulting the IT department. Medical professionals don’t generally have the appropriate background to assess a device’s security well enough, introducing vulnerabilities to the whole system.
To get purchasing under control, establish a mature procurement process, where the IT department evaluates every device selected by the medical staff.
Step 2: Segment Devices to Create Secure Zones
Network segmentation is a security best practice cited in the National Institute of Standards and Technology. Nevertheless, the healthcare industry is relatively slow in adopting it.
A well-implemented segmentation puts devices that are similar from the security standpoint into the same zone. There are several approaches you can take for segmentation. For example, you can choose to put all shared devices, such as MRI scanners, in a separate zone. Another option is to segment based on location by placing all devices on one floor in the same area. Alternatively, you can separate devices based on ownership—hospital-owned, employee-owned, and patient-owned. Or a more intricate segmentation can be adopted.
The main benefit of segmentation is isolating breaches. If an intruder gains access to one device, they will be limited in their movement around the network. It also facilitates the job of security experts who want to trace the attack to its entry point.
Step 3: Perform Vulnerability Assessment and Classify Device Risks
Medical device security scanning will help you identify vulnerabilities in your IoMT network. The problem with it is that it can uncover a large array of weaknesses and deciding which ones to address first can be a daunting task. Some healthcare providers might consider opting for technical risk as the basis for prioritization. So, if exploiting a vulnerability shuts down the device, then the security team will address this weakness first. This approach doesn’t take into account contextual information, such as whether the device is connected to a patient and what services it delivers.
A more holistic approach to this problem is to consider the following four pillars while prioritizing risk:
Patient impact: what effect the vulnerability will have on patients if exploited. For example, a denial-of-service attack can shut down a pacemaker causing a patient’s death.
Organizational impact: the impact on healthcare facility workflows. If exploiting a security weakness disrupts workflows, it can cause significant damage. Take, for example, an IoT management system that alerts a hospital maintenance crew to clean emergency rooms before a new patient moves in. If this system is disrupted, new patients in critical condition will not receive the help they need.
Financial impact: if hackers exploit the financial impact-related vulnerability, hospitals will have to pay regulatory fines and suffer reputational damage. For instance, if a patient had their records maliciously accessed, no one else would want their EHR stored in this hospital’s database.
Regulatory impact: regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require hospitals to implement particular policies and processes for security. Organizations that don’t get in line will face enormous fines reaching millions of US dollars.
Step 4: Make Sure Your Organization Follows Strict Security Measures
You need to establish security awareness as a part of your corporate culture and ensure that only authorized employees can access medical devices. Here are examples of how to improve your organization’s security hygiene:
Impose authentication and authorization: this includes authenticating users when accessing devices and authenticating devices that communicate with the server or other devices on the network. Avoid hardwired credentials and let users benefit from multi-factor authentication techniques.
Make sure data is encrypted: encrypt sensitive data stored in your database and the data flowing between medical devices. Use a cryptographic signature to secure transmitted data against tampering.
Implement logging and auditing: create a log of security actions, such as where the data is coming from and who has access to sensitive data. Monitor and detect any suspicious activities, including failed authentications and unauthorized device access.
Make sure software is updated regularly: implement a secure update process—cryptographically sign all updates and require user/device authentication before applying them.
Step 5: Guide Patients on How to Use Their IoT Devices
When introducing patients to the medical internet of things, hospitals can’t just assume that everyone is familiar with cybersecurity basics. It would help if you supplied your patients with clear guidelines on installing medical devices, how to approach authentication, and how to configure their home network to ensure a secure connection for transmitting sensitive data to the doctor.
Despite all the challenges associated with the healthcare internet of things security, it has the potential to transform the patient and doctor experience. To be successful, you need to apply a comprehensive approach to security. This starts with reviewing your IoT procurement process and extends to device segmentation, data encryption, access authorization, and risk assessment. Your security framework should even expand to include patients using their IoT devices on their personal networks.