Ensuring privacy and security in the healthcare IoT

Sciforce
Mar 18, 2019 · 7 min read

It would be a truism to say that in healthcare, the Internet of Things offers many benefits, including the ability to monitor patients more closely. Consumer-end devices such as glucose meters and blood pressure cuffs allow healthcare providers to collect information automatically and make decisions based on the data, ensuring earlier intervention in the treatment process. However, medical companies do not always consider the security risks of connecting these devices to the internet.

In 2016, a group of researchers hacked a connected pacemaker and found several potentially life-threatening vulnerabilities due to poor authentication and encryption practices. It would have been just an experiment if the device were not part of a bigger picture. As part of the healthcare IoT network, it forms a cyber-physical system together with a wide variety of other devices, such as heart monitoring implants, infusion pumps and wearables. The truth is, hospitals have been adopting the Internet of Things for many years and now have IoT devices in patient rooms, electronic medical records and other cloud-based resources.

However, according to Symantec, attacks that leverage internet-connected cameras, appliances, cars, and medical devices to launch attacks or infiltrate networks skyrocketed by 600 percent from 2016 to 2017. With the healthcare sector being one of the fastest to adopt the Internet of Things, it also needs to lead the way in cybersecurity.

What are the main vulnerabilities of the healthcare IoT?

Connected devices in healthcare offer many advantages; however, the same devices pose increased risks to both privacy and security.

Some possible risks include:

• Attacks on other systems;

• Risks to personal safety;

• Privacy risks.

Privacy Issues

1. Risks of Patients’ Privacy Exposure

The primary privacy issue is keeping patients’ Personal Health Records confidential. A Personal Health Record (PHR) is “an individual electronic record of health-related information that conforms to the nationally recognized interoperability standards” (Khan et al., 2009). PHRs are drawn from multiple sources and are reported directly to the e-health center. Because they contain personal information, they can become the target of cyber attacks that end in the exposure of private data.

2. Data Eavesdropping

Generally, patients’ health data is available only to authorized caregivers. However, such data can be eavesdropped on while flowing over wireless links. For example, a popular IoT-based glucose monitoring and insulin delivery system uses wireless communication links, which are frequently used to launch privacy attacks and therefore need sufficient protection of the transferred data.

3. Ownership of data

Countries have laws to protect patient data, but they may vary from state to state. Besides, in certain cases, such as fitness wearables, many people assume that the data tracked and collected is bound to be protected by legislation, but in many cases it is not.

4. Location privacy

Location privacy is concerned with eavesdropping on a patient’s location. Location privacy in wireless sensor networks (WSNs), specifically hiding the message sender’s location, can be achieved through routing to a randomly selected intermediate node (RRIN).

Security issues

Given the sophisticated architecture of the healthcare IoT, data transmitted from and received by connected devices can be subject to cyber-attacks on different levels, from physical objects to applications and cloud databases. However, the biggest challenge lies in the interoperability of devices, which can expose a network to new security vulnerabilities and additional risk.

1. Distributed denial of service (DDoS)

DDoS is an attack where multiple compromised systems are used to target a single system, causing a denial of service and causing that system to crash, making data unavailable.

2. Medjacking

In June 2015, TrapX, a security company, reported that most healthcare organizations are vulnerable to medical device hijacking, also called “medjacking”. Currently, many medical devices give hackers easy access to steal massive amounts of sensitive data from healthcare providers’ systems. Because some connected medical devices can send and receive data, they can be compromised and used as a portal to access medical data. Besides, with access to a connected medical device, a hacker has the means to access and change the drug dosage to give a patient too little or a lethal amount.

3. Unauthorized data access/ access control

Different users are assigned to different applications, and each application has a large number of users. With so much data stored in the cloud, effective authentication technology that prevents illegitimate users and unauthorized data access becomes even more crucial. Moreover, access control is essential to prevent unauthorized entities from accessing the system’s resources (data, services, hardware, etc.).

Who is responsible?

Healthcare facilities increasingly rely on devices that connect with each other, with hospital medical record systems and with the Internet, raising concerns about the vulnerability of medical devices. To make things worse, in late 2015, two security researchers discovered over 68,000 medical systems that were exposed online, including anesthesia equipment, cardiology devices, nuclear medical systems, MRI scanners, and other devices. The major concern with this discovery was that these devices were connected to the Internet through computers running very old versions of Windows XP, known for lots of exploitable vulnerabilities. Given the complexity of the problem and the number of people involved, it should be tackled on all levels, from individual staff members to governments.

Responsibility areas

1. Employees: there is a need to educate employees on the acceptable and secure way of using medical devices. Currently, a lot of user practice issues stem from employees being unaware of sound security practices and not from intentional acts to infect or disable connected medical devices. For example, employees need to realize that medical devices, even those that have a browser, cannot be used to surf websites or stream music.

2. Healthcare organizations should increase their focus on security as medical devices become increasingly connected. Once a medical device is reachable via the internet, healthcare organizations need to watch out for potential hazards and propagation of malware. They should also ensure that connected medical devices have the latest software. Any update of a critical medical device must be checked to ensure that it does not cause problems that may inadvertently harm a patient.

3. Providers of cloud services: while healthcare organizations make sure that the sensitive data is stored in a secure and encrypted manner, they do not have control over the security of the data access points being used to transmit the data. This creates a significant threat that increases gradually based on the number of new devices connected to the network and should be addressed by communication and data storage providers.

4. Regulatory bodies: The primary concern for regulatory bodies is the security of Personal Health Information, stored and conveyed through connected devices. For this, they need to provide adequate and consistent legislation.

What can be done?

Ensuring security in the healthcare IoT requires joint efforts from the providers and manufacturers of IoT devices and healthcare organizations.

Providers and manufacturers of IoT devices

There are several basic security actions that can be taken at the stage of design and production of medical connected devices:

1. Authentication: manufacturers need to issue certificates for healthcare devices that validate identities to make sure only authorized users, messages or services have access to the device.

2. Encryption: certificates create an encrypted link and allow healthcare information to be transmitted privately.

3. Integrity: certificates sign messages sent to a medical device to make sure they remain unaltered and aren’t intercepted.
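In practice, a mutually authenticated TLS channel delivers all three properties at once: the peer proves its identity with a certificate, the link is encrypted, and altered records are rejected. The sketch below is an added example, not code from the article or from any device vendor; it sets a hardened server-side configuration beside a weak one and audits both. The function names and the certificate file parameters are hypothetical.

```python
import ssl


def device_server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context for a service on the device that only accepts peers
    holding a certificate issued by the trusted CA (mutual TLS).
    File paths are caller-supplied assumptions; none are required to
    build and audit the context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer must present a valid certificate
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only this issuing CA
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the device's own identity
    return ctx


def weak_server_context():
    """Encrypts traffic but never asks the peer who it is, so anyone who
    can reach the port is treated as an authorized user."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a server-side TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", device_server_context()),
                      ("weak", weak_server_context())):
        print(name, audit_context(ctx) or "no findings")
```

The same audit function can be run against the context a deployed service actually builds, which makes the missing client-certificate requirement visible before the device ships.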

[Figure: Three basic security actions]

Healthcare organizations

To prepare and remain as secure as possible, there are several steps that healthcare providers should take:

[Figure: Four steps for healthcare provider to remain secure]

Conclusion

Luckily, to date there are no known cases in which malicious hackers have attacked a pacemaker or similar device, but researchers have proved it’s possible. In addition, hospitals often have a lot of legacy equipment and standalone devices connected into a network that are running outdated operating systems and software that cannot be updated. Since these devices and equipment do not come through normal channels, there is a lack of awareness of these vulnerabilities, which attackers could take advantage of.

It goes without saying that all kinds of IoT devices are here to stay, but it is also important to make sure that the networks run automated workflows, give quick access to critical information and ensure security. This can be accomplished by enforcing security policies and implementing solutions that focus on vulnerabilities, configuration assessments, malware defenses, and constant monitoring of events and anomalies.

The critical point to be aware of is that, while cybersecurity has been on the global agenda for the past several years, it is in healthcare that protecting data becomes vital, and the cost of a breach is a human life.
