From one perspective, IoT devices are the inverse of traditional IT devices such as desktops, laptops and mobile phones. Those people-facing devices are general-purpose in function but architecturally similar to one another. IoT devices, conversely, are architecturally diverse but typically purpose-built for a narrow task. While IoT devices often accept human input, their main purpose is to act autonomously. Many IoT devices therefore lack the processing power and memory to run the software agents that help automate security on conventional endpoints. And yet, because IoT devices interface with the physical world, IoT security failures can cause physical harm.
In few places is this combination of traits and risks more evident than in the medical device industry, where attackers can potentially take control of devices ranging from infusion pumps to pacemakers to X-ray machines. Making matters worse, a recent survey of 50 hospitals by IoT-focused health care security specialist Zingbox found that sloppy security is the norm. Outdated operating systems and software accounted for one-third of the security problems found. Rogue applications and internet-browser-related risks together made up 41 percent of the risk the study authors reported. Unprotected communications and weak passwords accounted for a further 11 percent.
“There is certainly an opportunity to educate employees on the acceptable and secure way of using medical devices,” said John Yun, head of marketing at Zingbox. Just because an internet-connected medical device has a browser, “doesn’t mean you should use it to visit websites, check emails, stream music, etc.” Yun said. And while hospitals typically have security protocols in place for devices such as PCs and laptops, many aren’t focused on IoT security issues. “From our findings, the vast majority of user practice issues stem from employees unaware of sound security practices and not from intentional acts to infect or disable connected medical devices.”
The less-than-stellar security situation can attract financially motivated cybercriminals seeking to steal patient records. Hospitals that suffer such theft can be fined for each record lost. “Disruption of service cannot be easily quantified since it has other damages such as loss of life,” Yun said.
Health care organizations should increase their focus on security as medical devices become increasingly connected. Once a medical device is reachable via the internet, there is an array of potential hazards to watch out for, as well as the chance that malware could propagate from one device to another, Yun said. “In addition, the management of devices has not evolved to leverage other benefits of networking such as updating real-time inventory, locating devices, gaining insight into device utilizations and so on,” he added.
Health care institutions should also ensure that connected medical devices run the latest software. “Many devices simply aren’t designed to be updated OTA,” Yun said. “Not only that, many manufacturers are not able to respond to vulnerabilities and threats in the speed necessary to secure such devices in real-time.” For one thing, any update to a critical medical device must be validated to ensure it does not introduce problems that could inadvertently harm a patient. Yun concluded: “Simply updating to the latest patch may be a risk we take with our PCs, but not our X-ray machines.” Imaging systems, incidentally, are the top source of cybersecurity risk within hospitals, accounting for 51 percent of the threats identified in the Zingbox research.
And while there is room for improvement in medical IoT security, health care organizations have the potential to emerge as IoT security pioneers in the wake of last year’s high-profile cyberattacks on hospitals around the world. “Health care organizations have experience in being audited, held to specific regulations and securing health care records,” Yun explained, all of which could help them build on their current security foundation. “They also have budget and processes in place to implement solutions to react to the latest cyberthreats and service disruptions.”