By Carolyn Crandall
Smart medical devices hold the unlimited potential to save lives and improve our general well-being, but they also present a host of untold threats that have yet to be fully exploited.
You’ve probably heard the infamous story about how Dick Cheney’s heart defibrillator was modified to prevent it from being hacked while he was vice president. While Cheney’s medical team was quick to address this particular issue, the larger healthcare community has been slower to react to persistent threats and medical device security remains a growing concern even 11 years later.
Among healthcare organizations with IoT-connected medical device ecosystems in the U.S., 35.6% report experiencing a cybersecurity incident in the past year, a recent Deloitte survey reveals. That’s more than one-third of organizations experiencing some type of threat to the smart medical devices they’re in charge of protecting.
And it’s not just state-of-the-art healthcare organizations and facilities using smart medical devices. A Thales survey of 235 senior healthcare security managers across the globe, revealed that 96% are using IoT-enabled technologies. With U.S. hospitals deploying an average of 10-15 connected devices per bed, according to Zingbox, creator of an IoT security solution using a brand of artificial intelligence called “deep learning,” this dramatically opens up a hospital’s network to cybercriminals, be they individuals, political groups, criminal organizations, terrorist, or nation-state attackers.
What Cybercriminals Want
So, why are cybercriminals interested in hacking things like internet-connected heart rate monitors, implantable defibrillators, and insulin pumps?
Generally, it’s not to cause physical harm to a patient or end their life; rather, it is to exploit the entry points into larger hospital networks and the treasure troves of personal health information (PHI) hackers truly desire.
With stolen medical records, hackers can: easily set up a costly ransomware attack; carry out tax fraud and identity theft; track prescriptions, intercept delivery, and sell the drugs on the dark web; and offer for sale prized PHI records that command $50, versus $3 for a Social Security number, and a measly $1.50 for a credit card number.
Why Hospitals Struggle with IoT Security
Simply put, hospitals have a hard time identifying all the vulnerable infrastructure and devices they must secure. Think about the volume and range of devices across an entire hospital or treatment facility, e.g., EHR portals, printers, nurse’s stations, and active, IoT-enabled medical devices. The size and scale of all the different components of a healthcare organization’s network leaves many CIOs and IT departments scratching their heads over how to monitor and secure it, while not diminishing patient care quality.
Along with the growing number of devices that healthcare organizations keep track of, many providers work off flat networks versus micro-segmented Virtual LANs (VLANs), which better protect devices. By micro-segmenting VLANs, IT practitioners can more easily identify and locate devices on the network as part of a micro-segmentation strategy to limit lateral infection. According to Zingbox, 88% of hospitals have fewer than 20 VLANs containing medical devices. This drastically increases the access and risk associated with these devices. Further, medical devices have longer lifespans than typical hardware, and limited downtimes and mobility can limit the type of patching that can improve security defenses.
Recent government oversight has begun to address the issue of medical device security. In 2013, the U.S. FDA began seriously evaluating device security and continues to use the National Institute of Standards and Technology (NIST)’s 2014 Framework for improving overall critical infrastructure cybersecurity. While not enforceable, the NIST’s framework is widely used, and the FDA is now known to have delayed and blocked medical devices from coming to market if they don’t meet their standards.
Ultimately, IoT-enabled medical device security isn’t just important, it’s critical. That’s why healthcare organizations, their security vendors, and device manufacturers all have a responsibility to increase protection of both networks and individual devices, deliver greater visibility and improve detection capabilities against potential cyber threats that can impact medical devices.
Carolyn Crandall is chief deception officer for Attivo Networks.