Securing Internet of Medical Things critical for healthcare innovation and patient safety
By May Wang, PhD
Hospitals and other healthcare entities depend on strict adherence to protocols to protect patients, staff, and visitors from contamination, medical waste, and other dangers. They have backup generators, lockdown procedures, and evacuation plans in case of outbreaks and natural disasters.
And now they’re developing response and recovery plans for a new kind of rising threat: cyberattacks. NotPetya, WannaCry, MedJack, Mirai, Reaper—these scary-sounding diseases don’t infect humans, but they can take over life-saving systems and equipment.
Unfortunately, ransomware, botnet, malware, and wiperware have left their dark marks on healthcare organizations and medical device manufacturers. From big name manufacturers to regional care providers, cyber criminals have exposed and exploited vulnerabilities in our increasingly connected healthcare systems.
In the wake of WannaCry’s attack on the UK’s National Health Service, nearly 20,000 appointments were canceled. In the United States, hospitals have been forced to replace computers or shut down networks for extended periods. Healthcare organizations, especially hospitals, have been top target for ransomware schemes over the last few years.
Healthcare’s Digital Transformation
Now is the time to bring the power of technology to understanding, monitoring, and reducing the risks that connected systems and IoT devices have introduced. The stakes are too high. We have to innovate and leverage the most advanced cybersecurity technologies available to defend and enable our most advanced medical technologies.
Traditionally, medical devices were not connected to networks. Devices connected to databases, such as CT scanners, were typically restricted to a separate network. Now, many devices are connected—to hospital networks, remote monitoring systems, electronic health records, and each other. Infusion and insulin pumps, x-ray and ultrasound machines, ECG and MRI machines, PACS servers and DICOM viewers — these are just a handful of the medical devices that now operate with embedded, connected sensors (IoT) or direct connections to computing and storage systems.
And then there are the non-medical IoT devices: phones, printers, intercoms, security cameras, thermostats, and tracking systems. Most U.S. hospitals average 10-15 connected devices per bed—multiplied by hundreds or even thousands of beds, it’s no surprise that the cyber and health risks are regarded as an urgent challenge for the healthcare industry.
Why Are Healthcare Organizations Targeted in Cyber Attacks?
In healthcare’s nascent push into the digital era, the resulting complications are still emerging. Most hospitals and clinics do not have enough cyber security specialists on staff. The number of connected devices in hospital settings are like no other, averaging 10 connected devices per bed.
The open and accessible nature of hospitals also pose a challenge. Unlike other verticals, many hospital environments are designed for the benefit of the patients. Hence patients have physical access to large portion of the hospital, which greatly increases the possible attack surface of would-be hackers.
Healthcare organizations, including insurers and business associates, are prime targets because patient records are so lucrative. They contain more identifying data points and more sensitive information than credit card records. Medical data (PHI) can be used to commit ID fraud, tax fraud, insurance fraud, and to track active prescriptions in order to sell drugs online. The opportunities for extortion are numerous, and cyber criminals relentlessly create new exploits.
Challenges in Securing Healthcare Environments
Connected medical devices have been designed with reliability and accuracy in mind. After all, these devices cannot fail when our bodies do. They must dispense the correct dosage of medicine when patients are forgetful or unable to do so. Hence, industry standards and government regulations are designed to ensure continued long operation of these devices. The results of these efforts, however, are being exploited by modern cyber threats.
Designed for reliability and long operations, connected medical devices are inherently not easy to alter or update. Such action can introduce variables that can have adverse effects on its intended design. Unfortunately, the same precaution can also prohibit efforts to address the latest vulnerabilities found in the device operation system.
Aside from their inherent design and regulations, IoT medical devices present particularly complex difficulties that cannot be addressed with standard cybersecurity solutions like anti-virus and endpoint protection software. Most of these devices have limited computer power, so agents cannot be installed. They aren’t easily patched (or can’t be altered under warranty).
In order to monitor their performance, a connection to the management vendor often must be punched through firewalls. In general, perimeter defenses have limited effectiveness because many attacks and breaches originate from inside those virtual boundaries. Proactive scanning isn’t practical because it could break the device and ultimately interfere with active medical care or life support systems.
Devices that communicate with larger systems (e.g., devices that send medical images to databases) can be exploited as bridgeheads into the network. Similarly, the wireless connectivity, near-field communication technology, and flash storage built into the IoT device are vulnerable to physical or remote hacking, or both. Segmentation via firewall or other means is not a viable approach, since the whole point is for everything to be connected and interoperable.
Finally, as is always the case in cyber risk, the human factor is significant. For instance, many IoT devices ship with default passwords that are easily discoverable by bad actors. If these passwords are not diligently changed, protected, and regularly reset, gaining access is all too easy.
One of the major challenges with IoT medical devices is visibility. They are numerous and spread throughout the hospital environment. By design, they are mobile and can easily be relocated. And they don’t show up on network dashboards the same way that endpoint computing devices do.
Maintaining a comprehensive, real-time inventory of IoT medical devices is essential to securing them, especially as their numbers increase. Because they have so little compute power of their own, they need a “brain” that can identify, categorize, monitor, and detect anomalous behavior. As cybersecurity exploits and the networked systems they threaten grow more complex, enterprises of all types are finding that no amount of human skill or signature-based detection is sufficient to provide comprehensive protection.
Monitoring, alert sorting, and remediation must be automated, specialized, and contextual. This is even more critical in hospital settings than typical corporate setups.
This is why artificial intelligence (AI) and machine learning solutions are becoming so essential to IoT and enterprise security. AI-driven solutions with machine learning capabilities can discover an IoT device connected to the network, figure out what kind of device it is, assess its unique characteristics and typical behaviors in order to establish a baseline profile, and then monitor for abnormal behaviors.
These intelligent algorithmic solutions can send alerts and leverage existing network and security infrastructure by calling application programming interfaces. Even remediation can be automated if desired, by enforcing behavior consistent with the device’s profile and blocking or shutting down the device if irregular activity is detected.
Where Do We Go From Here?
Ensuring that IoT devices and connected healthcare systems are secure can’t be left entirely to AI. Addressing these issues has to be a high priority for every covered entity and business associate. Boards, executives, regulators, and device makers must act with the utmost care and diligence. Security measures and standards should not be allowed to fall behind medical technology innovation and implementation.
Within hospitals, there are organizational issues to address. Teams that have traditionally operated in silos—facilities, biomed, IT—must collaborate to ensure that governance and risk management efforts are tightly integrated. Leading hospitals are adopting an approach that puts one person or team in charge of overall cyber security, tasked with coordinating the technical activities and needs of medical, infrastructure, and operations teams.
All stakeholders must work together on incident response planning; the visibility enabled by AI solutions goes a long way toward preparing for (and mitigating damage from) the inevitable attacks and breaches.
Hospitals need more help, not more work. The majority of staff is focused on patients and providing care. Machine learning and AI are critical to enhancing and advancing modern healthcare and device connectivity—eventually, security and control must be able to scale out to millions and billions of devices.
Government regulators like FDA and FTC are working on IoT security requirements, but enforcement is lacking. It’s up to the industry oversight entities, as well as device makers and healthcare organizations, to keep pushing these concerns to the forefront. Those with purchasing power should demand security-by-design from developers and suppliers without exception.
Finally, security awareness training for hospital employees, strict policy enforcement, privileged access restrictions, and regular risk assessments are all essential elements in ensuring patient safety and operational continuity. The ancient edict still stands—first, do no harm. Technology that can save lives must be controlled. In the wrong hands, it can quickly become a threat to health and safety.
May Wang, PhD, is the cofounder and chief technology officer at Mountain View, Calif.-based ZingBox. She previously served as the head of Asia Pac Research and a principal architect in the Cisco CTO office, leading the Internet of Things innovation. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].
- Greenberg The reaper IOT botnet has already infected a million networks. Wired, 2017. Accessed February 6, 2018. Available at: www.wired.com/story/reaper-iot-botnet-infected-million-networks.
- Newman LH. Medical devices are the next security nightmare. Wired, 2017. Accessed February 6, 2018. Available at: wired.com/2017/03/medical-devices-next-security-nightmare/amp.
- Statement from FDA Commissioner Scott Gottlieb, M.D., on new steps to advance medical device innovation and help patients gain faster access to beneficial technologies [online]. Silver Spring, Md: US Food and Drug Administration, Available at: www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm581861.htm.