IoT and Healthcare: Serious as a Heart Attack

October 19, 2020

  • Many critical medical devices currently in use are vulnerable to cyber attack.
  • While there have been no documented medjackings to date, targeted attacks are plausible and possible.
  • Healthcare facilities can take steps to reduce risk, thereby protecting their patients and their business operations.

 

Did you know?:

 

  • Any number of common medical devices can be hijacked. Like, for instance, infusion and insulin pumps. Wireless vital monitors. Thermometers. Smart pens. MRI systems. Blood gas analyzers, CT scans, anesthesia machines and x-ray machines.
  • What else? Oh, right – pacemakers. Yep. A hacker can theoretically stop a pacemaker. Or an implanted defibrillator.
  • And … literally hundreds more connected devices.

How many are we talking about? Well, per Alpine Security, there are roughly 10-15 connected devices per hospital bed in the US, and new “smart beds monitor up to 35 data points, including blood, oxygen, and pressure sensors.”

 

CAM Week 3 Blog Image 1

 

…many of these devices were designed with little to no security in mind, [and] they may have hardcoded passwords that facilitate tampering by anyone with physical or network access. Other security measures that may not be present include user authentication and absence of encryption in wireless communications.

 

At any given time roughly 612,000 people are hospitalized, so by my math that represents more than nine million points of potential mischief at a given moment.

 

But wait – there’s more. IoT hacks aren’t just about cases where a connected device is the point of entry. We also have to include instances where devices are affected due to a larger system compromise. This is precisely what happened earlier this year at Düsseldorf University Hospital in Germany, where a ransomware hack resulted in the first known death from a cyber attack.

 

In other words, that nine million number above is a very conservative estimate of the true magnitude of the problem.

 

None of this is new. We’ve known about these sorts of threats for years. And in one case a device maker was aware of a vulnerability for a year before doing anything.

 

Don’t panic, though. Sean Tufts, our Practice Director of Product Security for ICS & IoT, says hackers “are far more interested in things like patient data, which they can sell, and ransomware payments from targeted organizations.” (A stolen medical record can be worth up to $250 on the black market, compared to a mere $1 for a credit card.)

 

CAM Week 3 Blog Image 2

 

“Medjacking [medical device hijacking] might seem like an interesting exercise for some,” he says, “but there’s typically no payoff.

 

“Of course,” he adds, “being more trouble than you’re worth isn’t exactly a strategy.”

 

There have been no documented cases of medjacks directly targeting patients to date, but it isn’t unthinkable. Former VP Dick Cheney had his heart implant’s wireless functionality disabled when he learned it could be hacked. It isn’t hard to imagine a scenario where an attacker, operating out of political motivations or economic ones, might seek to assassinate someone or hack a device and demand ransom.

 

Unfortunately, many healthcare facilities (if not most) aren’t as prepared as they need to be.

 

An effective healthcare IoT security strategy can be complex, but it’s both necessary and doable. Experts say the solution needs to operate on multiple fronts, with both healthcare providers and device manufacturers implementing stronger safeguards.

 

Tufts says facilities are advised to closely assess the security culture of manufacturers, identify device vulnerabilities and work closely with them to assure development is conducted in accordance with the most stringent best security practices. Improved staff training is important, and an information architecture that segments IT and IoT networks is essential.

 

Most valuable, though, is a robust Managed Detection and Response (MDR) platform. “The key is to integrate threat monitoring, detection and response services. You can tailor a solution with a mix of technologies, advanced analytics, hunting, threat intelligence and human expertise in incident investigation and response,” says Tufts. “And that customization is central to maximizing your resources. We’re talking about everything from small offices and community hospitals to huge national systems, and everybody’s situation and budget is different.”

 

So no, there’s no reason to panic, but there’s every reason to be vigilant, aware and prepared. And for Cybersecurity Awareness Month 2020, we’re going out of our way to stress that awareness can and must inform action.

 

#BeCyberSmart, and if you have questions or need a hand give us a holler.

Sam Smith, PhD | Contributor
Contributor
Sam has worked in technology and communications marketing for more than 20 years and during that time has served a host of Fortune, enterprise and mid-market leaders. He earned his doctorate from the University of Colorado, where he focused on the development and adoption of emerging digital communication technologies.