The healthcare industry has gone through a dramatic technological transformation, one that has been accelerated by COVID.
Internet-connected devices (collectively known as the Internet of Things, or IoT devices), once a promising technology, have recently become ubiquitous in the healthcare industry, with these devices becoming a significant part of patients’ care and an ever-present part of any healthcare facility.
However, despite the advantages, speed, and information healthcare IoT has created for the industry, it’s also introduced significant risk, threatening healthcare companies and even their patients.
The healthcare industry has been leveraging IoT devices for years, steadily increasing its use in facilities and patient care. The use of IoT devices has dramatically risen and digitalization has been further spurred by COVID-19, where the need for telehealth and remote care has become a necessity among any healthcare provider. By 2027, the IoT in Healthcare market is expected to reach $290B, up from just $60B in 2019.
However, for all the benefits IoT devices provide, they’ve also introduced new risks that healthcare organizations have given little priority or attention. This has created a dangerous gap: new technology is introducing new risks and a larger attack surface, but healthcare cybersecurity practices have changed very little to keep up.
Adding devices to any organization adds risk, but healthcare IoT adds a specific one: these devices sit on the same network as clinical and business systems, so their traffic can be intercepted or tampered with (man-in-the-middle attacks), and a compromised device becomes a foothold from which an attacker can reach the rest of the network.
The lack of security often originates with the device manufacturer, who may, understandably, not have prioritized security or dedicated the expertise and resources needed to build secure devices. Left unsecured, these devices expose an organization to a range of risks and potential compromises.
Medical device manufacturers aren’t developing internet-connected devices with security in mind. Even in 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published an alert about a medical device that shipped with a hardcoded password, a serious vulnerability because the operator cannot change it and, once discovered, it works against every unit of that model.
Many legacy IoT devices have less than stellar security, and some healthcare departments let these weaknesses slip by not segmenting network access or not changing default passwords, which are common among IoT devices and trivial to find in vendor documentation or public default-credential lists. This can lead to cyberattacks on hospitals or other targeted healthcare attacks.
This means it’s up to the healthcare organization to ensure that any new and legacy healthcare IoT devices aren’t leaving the organization exposed to attacks or any accidental breaches.
Use of internet-connected medical devices can be incredibly scary if the right security isn’t put in place. A feature by the Indianapolis Business Journal highlighted the various times the FDA published recalls and alerts over concerns about hackable pacemakers. IoT Business News has also published a list of four types of medical devices susceptible to hacking: wireless infusion pumps, implanted devices, smartpens, and vital sign monitors.
Beyond the risk posed to individuals, these devices can also be used to infiltrate a facility or organization’s network, which can lead to worse compromises and breach incidents. Attackers can access your organization’s sensitive files, patient records, and health records, or disrupt your facility’s ability to function via ransomware or broader network compromise. Compromised devices can also be enlisted in a botnet or used to contribute to a DDoS attack, further hindering the organization.
Forescout Research Labs has found that 75% of healthcare entities are vulnerable to a number of TCP/IP vulnerabilities found in millions of IoT and IT devices. A 2019 survey also found that 85% of healthcare organizations have suffered an IoT attack, a huge swath of the industry.
Unfortunately, malicious actors aren’t the only security concern healthcare organizations should be worried about.
The wider an organization’s network, the more challenging it is to protect all the assets, elements, systems, and tools involved. The same is true as more and more IoT technology in healthcare is being utilized, especially when these organizations may already be struggling to have the appropriate budget, staff, or resources needed to handle today’s threats, let alone secure a wider network of connected devices.
Asset visibility and management become difficult, especially if departments and individuals add new IoT devices to your network without your knowledge. This shadow IT challenge can turn ugly if any of these devices have default passwords or lax security. Without knowing they’ve entered your environment, there’s no way to secure them appropriately.
Making your healthcare organization secure and protected against the risk IoT devices exposes you to requires a mix of fundamental cybersecurity practices and targeted efforts.
Make sure you have the tools and process to know exactly what’s making up your environment and what’s interacting with your network. This is crucial for ensuring your additional safeguards and protective solutions are incorporating all your devices.
If you haven’t already, make sure every connected device in your network and environment has a strong, unique password, not the default one the manufacturer put in place.
Just like with any tool or software, IoT device manufacturers release security updates that fix discovered vulnerabilities. Failing to apply them is an easy way to leave yourself vulnerable. Where a device can’t be patched promptly (many regulated medical devices only accept vendor-validated updates), track the vendor’s advisories and lean harder on compensating controls such as segmentation.
To limit the chance of a malicious attacker using an IoT device as their way into your organization’s network, isolate IoT devices in their own network through segmentation, and restrict traffic between that segment and the rest of the network to what the devices actually need (for example, reaching a telemetry server) rather than allowing everything. This limits the damage if a device is compromised: the attacker can’t simply walk from it to the parts of your network where more sensitive files or assets are found.
Network, device, and traffic monitoring tools can detect whether a device has been accessed by an unknown or new user, if multiple attempts to access a device have been made, or whether a device is behaving erratically in case of a compromise. These tools will alert you to any issues and give you more time to react appropriately.
An EDR tool, used for all endpoints, not just IoT devices, is a must for every organization in today’s environment. If you don’t have one yet, do your due diligence to find an EDR solution that fits your industry, the make-up of your organization, and your needs.
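Three of the controls above produce data you can check mechanically: the asset inventory, the segmentation policy, and device access logs. The script below is an added example, not code from the original article or from any vendor, showing what those checks look like when run over a handful of constructed log lines. The log format, the IP addresses, the inventory, the allowed-destination list, the baseline user list and the failed-login threshold are all assumptions made for the illustration; a real deployment would feed it syslog or firewall logs from the IoT segment.

```python
"""Hypothetical detection pass over constructed healthcare IoT logs.

Added example, not the article's code. The log format, addresses,
inventory and thresholds are assumptions made for this illustration.
"""
import ipaddress
from collections import Counter

# Constructed asset inventory: what the organisation believes sits on the
# clinical IoT segment. Anything else seen there is shadow IT.
INVENTORY = {
    "10.20.1.11": "infusion-pump-3",
    "10.20.1.12": "vitals-monitor-7",
}
IOT_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
# Segmentation policy (assumed): the IoT segment may only reach the
# telemetry collector subnet. Everything else is a violation.
ALLOWED_FROM_IOT = [ipaddress.ip_network("10.30.5.0/24")]
# Baseline of accounts expected to log into devices (constructed).
KNOWN_USERS = {"biomed"}
FAILED_LOGIN_THRESHOLD = 5

# Constructed log lines in an assumed format:
#   <timestamp> <src-ip> <dst-ip> <event> <user-or-dash> <result>
SAMPLE_LOG = """\
2024-03-01T08:00:01 10.20.1.11 10.30.5.10 conn - ok
2024-03-01T08:00:05 10.50.7.2 10.20.1.11 login admin fail
2024-03-01T08:00:06 10.50.7.2 10.20.1.11 login admin fail
2024-03-01T08:00:07 10.50.7.2 10.20.1.11 login admin fail
2024-03-01T08:00:08 10.50.7.2 10.20.1.11 login admin fail
2024-03-01T08:00:09 10.50.7.2 10.20.1.11 login admin fail
2024-03-01T08:01:00 10.50.7.2 10.20.1.11 login admin ok
2024-03-01T08:02:00 10.20.1.11 10.10.0.5 conn - ok
2024-03-01T08:03:00 10.20.1.40 10.30.5.10 conn - ok
2024-03-01T08:04:00 10.40.2.9 10.20.1.12 login biomed ok
"""


def parse_log(text):
    """Turn raw lines into dicts; skip blank or malformed lines rather than crash."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, event, user, result = parts
        events.append({"ts": ts, "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst), "event": event,
                       "user": None if user == "-" else user, "result": result})
    return events


def unknown_assets(events):
    """Addresses inside the IoT segment that the inventory does not know about."""
    seen = set()
    for e in events:
        for ip in (e["src"], e["dst"]):
            if ip in IOT_SEGMENT and str(ip) not in INVENTORY:
                seen.add(str(ip))
    return sorted(seen)


def brute_force_sources(events, threshold=FAILED_LOGIN_THRESHOLD):
    """(src, dst) pairs with at least `threshold` failed logins against a device."""
    failures = Counter()
    for e in events:
        if e["event"] == "login" and e["result"] == "fail" and e["dst"] in IOT_SEGMENT:
            failures[(str(e["src"]), str(e["dst"]))] += 1
    return sorted(pair for pair, n in failures.items() if n >= threshold)


def unexpected_logins(events, known_users=KNOWN_USERS):
    """Successful device logins by accounts outside the baseline."""
    return sorted({(e["user"], str(e["src"]), str(e["dst"]))
                   for e in events
                   if e["event"] == "login" and e["result"] == "ok"
                   and e["dst"] in IOT_SEGMENT and e["user"] not in known_users})


def segmentation_violations(events, allowed=ALLOWED_FROM_IOT):
    """Connections leaving the IoT segment to anything not explicitly allowed."""
    bad = set()
    for e in events:
        if e["event"] != "conn" or e["src"] not in IOT_SEGMENT:
            continue
        dst = e["dst"]
        if dst in IOT_SEGMENT or any(dst in net for net in allowed):
            continue
        bad.add((str(e["src"]), str(dst)))
    return sorted(bad)


def analyze(text=SAMPLE_LOG):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "unknown_assets": unknown_assets(events),
        "brute_force": brute_force_sources(events),
        "unexpected_logins": unexpected_logins(events),
        "segmentation_violations": segmentation_violations(events),
    }


if __name__ == "__main__":
    for finding, items in analyze().items():
        print(f"{finding}: {items}")
```

On the constructed sample the script reports one unknown device on the IoT segment (10.20.1.40), one source that hammered the infusion pump with five failed logins and then got in as `admin` (the pattern a default or weak password produces), and one connection from the pump to a subnet the segmentation policy never allowed. Each of those is a finding the preceding paragraphs describe in words; the value of automating them is that they fire the day a device appears, not months later during an audit.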
The risk introduced by IoT represents yet another aspect of healthcare cybersecurity that requires attention and resources. The cybersecurity market has responded to this need, with the healthcare IoT security market expected to reach $5.2B in 2028.
The healthcare industry is under attack in a major way, and it’s time the industry treats cybersecurity as an absolute necessity, dedicating budget and staff appropriately. It’s still not feasible for in-house teams and tools alone to address all the risks these organizations currently face. Healthcare companies should therefore consider partnering with cybersecurity vendors that offer a broad suite of services and tools dedicated to preventing compromises, while also providing the resources needed if a company is breached or an attacker gets in.