A robot performs surgery, operated by a doctor who is miles away; a patient swallows a pill containing a monitor that scans the digestive system; even humble stethoscopes and blood-pressure cuffs connect to Wi-Fi.
It’s not sci-fi—these technologies already exist. And security professionals worry they may open the next front in the battle against cybercrime.
Today’s medical institutions are increasingly relying on connected devices as part of everyday practice. Even before the coronavirus pandemic, the global market for Internet of Things in medical practice was projected to grow 21% annually over the next five years, from $72.5 billion in 2020 to $188 billion by 2025. Improved connections, smaller devices and higher demand from consumers for self-care options are pushing the projected growth curve.
Pandemic or no, every hospital and health care organization is making wider use of the Internet of Medical Things (IoMT). But making health care more widely available also makes medical records a target for criminals.
Fear of Another Attack
The Internet of Things has a way of opening up new attack vectors. In the early days of IoT (the 2010s), 65,000 pacemakers and a line of onesies with wearable baby monitors were among the IoT-enabled devices recalled because they were found vulnerable to hacking.
“I think that’s a given in the world of cybersecurity,” said Gregory T. Garcia, executive director for cybersecurity at the Healthcare and Public Health Sector Coordinating Council. “The more technological innovation, the more opportunity there is for exploit, for vulnerabilities and threats.”
With the explosion of telemedicine and remote work due to the COVID-19 pandemic, vigilance becomes an even greater priority at a time when health care institutions are straining to cope. The Department of Health and Human Services reported a nearly 50% increase in cyberattacks since the start of the COVID-19 pandemic in the U.S.
Medical records are catnip for hackers: A few months ago, the data of over 100,000 patients were affected when a hospital system in the U.S. was breached. And late last year, a French hospital had to work with pen and paper for days after an attack locked thousands of its computer terminals.
“I actually hope that number doesn’t change much,” said Jamison Utter, senior business development manager for IoT at Palo Alto Networks. “The moment they go ‘I think we got this nailed down,’ they are wrong.”
Time to Pay Attention to IoMT
There are many ways devices can be tampered with. The most basic is a physical exploit, such as using a Bluetooth device to change the dosage on a morphine pump. Then there are the more common network-based attacks, where the wireless network is hacked using malware or other tactics. More complicated are downstream attacks, where the firmware of the device is corrupted at some point in the supply chain.
“We’ve not yet seen an exploit of a device actually in the field,” Utter said. But, he noted, with both medical breaches and use of devices on the rise, it’s time to pay attention to IoMT.
The health care industry is getting better at sharing information and collaborating to set standards and best practices. Groups like H-ISAC, the Health Information Sharing and Analysis Center—where organizations can report exploits and share that information with their industry community—help everybody’s defense.
“It is us versus them, and ‘them’ are the hackers and the adversaries,” Garcia said. “We need to band together.”
Much Higher Stakes
Health care has yet to mount an adequate response to the breaches and ransomware attacks it suffered in recent years, according to the analysts at Forrester. Meanwhile, devices keep shrinking and health care organizations are cutting costs further, leading to more use of IoT—and more danger of hackers accessing everything from IV pumps to MRI machines.
To defend against that while remaining user-friendly, Forrester concluded, organizations must “build a health care IoT network your Nana will love.” But how?
Designing systems to zero-trust standards is one way to address security, experts say. But those same systems must also be accessible to clinicians and patients who are not necessarily tech-savvy. At the same time, IT professionals need to understand that medical processes differ from those in other industries—and, in case of a breach, the stakes are much higher.
“We’re not protecting a laptop that if I lock you out of it, it sucks, you lose a day’s work,” Utter said. “If I lock the nurses out of their workstation because I detected some sort of anomaly, I may have just killed people.”
IT Person or Nurse?
Procurement must get involved as well, because in many health care organizations, doctors often choose and buy equipment they prefer on their own. Any kind of company needs to have a mature procurement process that ensures everything that connects to the network has been checked out by the security team and is in line with the company’s security policies.
“That’s all a matter of the C-suite giving the CISO the authority to manage those processes in a way that’s consistent and predictable,” Garcia said.
A key step in today’s BYOD (Bring Your Own Device) environments is to know what is connected to the network and where all those devices are. At this stage, an audit of the organization’s technology would be a good idea, experts say.
Beyond knowing what devices are where, organizations must have a plan to access them in a timely manner if there is a breach, but in a way that makes sense for hospitals. In some cases, the escalation protocol for a breach may include a nurse, instead of an IT person. Shutting down a patient’s insulin pump to foil a Trojan horse is hardly a practical solution.
Cyberthreats Are Constant
Like cybersecurity issues in most industries, the effort must work across the health care system. It has to include buy-in at the C-suite, involvement in procurement and training for frontline staff. Doctors, nurses and records personnel all have to learn how to secure devices and protect them with strong passwords, particularly if working from home during the coronavirus emergency.
“It’s top-down, it’s bottom-up, and you have to have the layers,” Garcia said. “Everyone needs to understand what their responsibility is, that it isn’t just the IT guy’s job.”
As hospitals and health care organizations ramp up their use of connected services, the attack surface exposed to hackers will increase.
“The more experience using IoT and IoMT we get, the more we’re going to have consistent and repeatable policies around the use of those,” Garcia noted, “as well as some restrictions where you decide that the risk will be too great to use certain technologies.”
Striking that balance will occupy health care CISOs for a while. The process must be a constant effort, not only to keep up with the changing tactics of black hats, but also to keep up with the development of new defensive technologies that use blockchain, machine learning and other innovations.
“It’s more vulnerability, but that’s the connected society,” Utter said. “It’s our job to make it safe.”
Or, as Garcia put it, “We’re really on the front lines of a new war.”