In 2019, the healthcare industry took some big cybersecurity hits, including significant data breaches and some high-profile ransomware attacks. The American Medical Collection Agency data breach dominated 2019, affecting more than 25 million patients, and ransomware made a strong comeback, forcing three hospitals to shut down. However you look at it, cybersecurity has become an enormous issue for the healthcare industry.

The State of IoT in Healthcare

According to a recent research report, the state of IoT (internet-of-things) cybersecurity in healthcare is in bad shape. As healthcare IoT devices have spread exponentially throughout the healthcare industry, they have brought poor cybersecurity practices with them. These include poor access controls, a total lack of network segmentation, and an over-reliance on legacy IT systems and software. All contribute to cybersecurity incidents.

They increase the size of the available attack surface, which can be exploited by malicious actors and criminals who want to steal sensitive, personally identifiable medical information and, increasingly, dangerously disrupt healthcare services with ransomware attacks.

How can we balance the rapidly growing need for data sharing with the ever-pressing need for data confidentiality? First, let’s look at what IoT does right in the healthcare industry before moving on to its cybersecurity problems.

The Pros Of Healthcare IoT

The healthcare IoT market is fast-growing, and this growth is driven by advances in technology, the lowering costs of sensor technology, and the strong demand for cost-effective healthcare services and illness management. Hospitals in Australia now have an average of 10-15 connected IoT devices per patient in their facility. The devices are dramatically improving the quality of patient care and driving real innovation in medical research while enhancing the efficiency of healthcare systems.

There is a vast range of applications for IoT healthcare devices rapidly filling every niche in the industry. You can see healthcare IoT being used to monitor and communicate with patients, manage their drug supply with infusion pumps, as well as their digital health implants. IoT is used to manage the hospitals themselves and the buildings the hospitals inhabit, plus a wide range of different healthcare operations. Compared to older methods of delivering healthcare services, the IoT devices provide a higher level of healthcare in less time.

Above all else, healthcare IoT is an enabler for massive data collection, and devices regularly gather vast amounts of data that are invaluable to healthcare practitioners and their patients. It’s responsible for changing the face of the healthcare industry. But the enormous volumes of data are also incredibly valuable to cybercriminals who are continually looking to hack into and extract data from the industry. Healthcare data is worth a lot of money on the darknet markets because it usually contains all of an individual's personal information, as opposed to the small pieces you would typically find in a financial services data breach.

The Cons Of Healthcare IoT

One could argue that because the healthcare IoT pros bring such huge benefits to the healthcare industry, they easily outweigh the cons. But that doesn’t make the cons any less dangerous from a cybersecurity perspective. Healthcare IoT devices connected to the internet make an attractive target for hackers for several reasons. The major reason is that such devices are connected to healthcare organizations’ networks and represent potential infiltration points into those networks. A famous example where IoT devices have been used to infiltrate networks and steal data is the notorious fish tank hack. Hackers used a fish tank’s IoT thermostat to gain a foothold on a casino network and steal its high-roller database.

Similarly, IoT devices connected to networks in healthcare organizations represent footholds into their networks for attackers to use. This is mainly because a hospital's security can easily miss the personal IoT devices brought into the hospital by patients, patients’ families, and staff. Healthcare IoT devices also contain lots of personal and health information that can be sold or exploited for profit. This is a very real threat: the HIPAA Journal recently published a survey of healthcare executives, and eighty-nine percent of them said that they had fallen victim to a security breach because of their IoT adoption.

Another study by a number of universities discovered appallingly bad security practices among healthcare staff and stated that many hospitals are simply failing to protect critical computer systems. The most common way for hackers to steal data from healthcare organizations is through hidden DNS tunnels. They use DNS tunnels to hide exfiltration behavior and disguise the exfiltration as normal IoT device web traffic.
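To make the DNS tunnel point concrete for defenders, the following added example (not from the original post or the studies it cites) scans a DNS query log for the usual tunneling signature: one client sending many unique, long, high-entropy subdomains to a single parent domain. The log entries, IP addresses, domain names and thresholds are all constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample log of (client IP, queried name); not real traffic.
# 10.20.0.77 plays a compromised device sending hex-encoded chunks as subdomains.
SAMPLE_QUERIES = [("10.20.0.15", n) for n in
                  ["time.vendor.example", "api.vendor.example", "vendor.example"] * 4]
SAMPLE_QUERIES += [
    ("10.20.0.77", hashlib.sha256(b"chunk%d" % i).hexdigest()[:40] + ".cdn-sync.example")
    for i in range(8)
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def parent_domain(qname, levels=2):
    # Assumption: the last two labels are the registered domain. Production
    # code should use the Public Suffix List instead.
    return ".".join(qname.split(".")[-levels:])

def find_tunnel_suspects(queries, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Flag (client, domain) pairs with many long, high-entropy unique subdomains."""
    subs_by_pair = defaultdict(set)
    for client, qname in queries:
        qname = qname.rstrip(".").lower()
        parent = parent_domain(qname)
        sub = qname[: -len(parent)].rstrip(".")
        if sub:  # skip queries for the parent domain itself
            subs_by_pair[(client, parent)].add(sub)
    suspects = []
    for (client, parent), subs in subs_by_pair.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if len(subs) >= min_unique and avg_len >= min_avg_len and entropy >= min_entropy:
            suspects.append({"client": client, "domain": parent,
                             "unique_subdomains": len(subs),
                             "avg_len": round(avg_len, 1),
                             "entropy": round(entropy, 2)})
    return suspects

if __name__ == "__main__":
    for hit in find_tunnel_suspects(SAMPLE_QUERIES):
        print(hit)
```

The thresholds need tuning against a baseline of each device class's normal lookups, since IoT devices usually query a small, stable set of names.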

A hospital’s IoT device estate is spread out and varied across the organization, making the management and security of that estate difficult for a cybersecurity team to deal with properly. It also makes for a broad attack surface, one which can be leveraged by malicious actors and cybercriminals. If you are in healthcare and need some help improving your cybersecurity, get in touch with us. Our experienced professionals can always bring something to the table, and we have a number of healthcare customers, which gives us the industry-specific experience it takes to make a difference.

Post by ITSEC Australia
October 13, 2022