IoT Security Is Giving Healthcare Heart Attacks
- By Lachlan Colquhoun
- November 01, 2022
No other industry is drowning in data more than healthcare. It is estimated that this single industry produces around 30% of all data, and this is in a world where the total amount of data doubles every two years.
The likelihood is that data will soon double faster than every two years, meaning that the amount of health data in the system will be truly astronomical.
In Australia, the country has just experienced the second severe data breach in as many months, and this time it was a healthcare company
Health insurer Medibank this week confirmed that the personal data of its 4 million customers had been hacked, including many health records.
Beyond health records, the health industry has rapidly adopted Internet of Things devices that transmit data from sensors to data systems. At a recent — confidential —healthcare forum, many providers admitted that the hacking of IoT devices was a “doomsday scenario” which kept them up at night.
Even a modest-sized hospital will have several hundred connected devices, and the number is only increasing. Given the vulnerability, technologists in the industry are amazed that there haven’t been more incidents of IoT security breaches, but they are waiting for more.
Ransoms are being paid
According to a recent study by healthcare cybersecurity provider Cynerio, 56% of hospitals have had their IoT/IoMT devices attacked in the past two years. 88% of data breaches involved IoT devices. An alarming figure is that 53% of medical IoT devices have at least one critical vulnerability.
Given what is at stake, 47% of attacked hospitals pay the ransom when victimized by ransomware. More alarming is that 24% of hospitals reported increased mortality rates after a cyberattack.
Cynerio gives the example of smart autonomous mobile robots used at hundreds of hospitals worldwide to deliver medicine and maintenance supplies and perform simple tasks. Cynerio researchers say they found “five critical zero-day vulnerabilities” which enabled remote attacker control of the robots and their online console.
“56% of hospitals have had their IoT/IoMT devices attacked in the past two years. 88% of data breaches involved IoT devices”
A Cynerio whitepaper also points out that IV pumps are the most common healthcare IoT device and make up 38% of an average hospital’s IoT footprint. Unfortunately, more than 70% of those pumps have a vulnerability that would jeopardize patient safety, data confidentiality, or service availability “if it were to be exploited by an adversary.”
Given the critical nature of healthcare, alarm levels for technologists in healthcare are on red almost all the time. And they report they are not getting much assistance from vendors, who say they have proprietary technology that can’t be scanned and can’t have security software installed. Many vendors say their systems are unhackable but decline to guarantee this.
This puts hospitals over the proverbial barrel. The capabilities of IoT devices have become indispensable in so many ways. They lower costs, deliver vital data and reduce the workload on humans. In terms of uptake, the healthcare industry will only use more IoT devices.
At the same time, vulnerabilities could have potentially fatal consequences. Hackers seem more interested in having ransoms paid than in creating turmoil in the hospital system, but the system needs to plan for the worst-case scenario. So what to do?
Full visibility essential
Healthcare providers typically maintain spreadsheets of their connected IoT devices, which can be scanned, and some technology companies offer these services. The problem is that not every hospital maintains an accurate list; some devices defy scanning and require further investigation.
Some devices are also quite old and have never been included in security assessments. While some security providers are upping their game and providing machine-learning-powered IoT device detection in firewalls, they can also miss some devices while others might be outside the network perimeter.
Unsurprisingly, the most common device risk remains insecure passwords, and some hospitals find that an audit will reveal that many of their older devices do not even have passwords set.
Responding to this requires a medical-first and risk-based approach, with complete visibility into connected devices and accurate anomaly detection to prevent data theft and risk disruption.
Healthcare providers fully understand that device security is equated now with patient security. The providers at the healthcare forum say they have trouble sleeping at night, but their fears haven’t turned into nightmares — yet.
Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their entire business models. You can reach him at [email protected].
Image credit: iStockphoto/eggeeggjiew