Check Point IoT Blog Series: First, Do No Harm. Securing Healthcare IoT Devices

“When a hacker takes control of all networked medical devices at a hospital in Dallas and threatens to kill one patient every hour if his demands are not met, the Cyber team must find the source and figure out how they accessed an airtight security system.” That’s the plot summary of an episode of crime drama CSI: Cyber, which was broadcast in late 2015.

The episode proved to be prescient by predicting two attack trends that have emerged over the past 18 months. The first is targeting of hospitals by cybercriminals: in 2016, at least 14 hospitals were attacked with ransomware. A Los Angeles hospital reportedly paid $17,000 to regain access to medical records showing treatment history, results of X-rays, CT scans, and other medical tests. Earlier this year, the UK National Health Service was severely impacted by the WannaCry ransomware attack, resulting in operations being cancelled and hospital wards closing. After all, hospitals run some of the most mission-critical IT in the world – making them a prime target for malicious hackers looking to make costly demands.

The second trend was the hacker exploiting vulnerabilities in smart devices in the hospital to enable the attack. The CSI:Cyber team discovered that the hacker originally got access to the hospital’s network through a smart TV (Check Point’s researchers discovered a very similar vulnerability shortly after the show originally aired), enabling him to remotely control the connected medical devices.

Lifesaving innovation, limited security

The risks of attacks like this cannot be easily dismissed. The healthcare sector has embraced the Internet of Things (IoT) enthusiastically, with one estimate valuing the global IoT healthcare industry at over $100 billion by 2020.

On the one hand, it’s easy to see why. Smart devices have huge lifesaving potential: they collect and analyze health data that was previously inaccessible; they enable healthcare practitioners to rapidly and remotely deliver personalized advice and treatment;. The combination of big data and machine learning within the IoT will mean more innovations in healthcare than ever before.

On the other hand, this proliferation of connected technology has worrying implications for the integrity of sensitive patient data and the smooth running of healthcare organizations.  Healthcare IoT devices need to be able to protect the data they collect, transmit, and store from malicious interception/That means that if they have not been designed and manufactured with robust security ‘baked in’ from the ground up, they are vulnerable.

Unfortunately, this often happens because medical devices that are approved by Food & Drug Administrations may need to be re-certified for use after an update – adding considerable expense and delay to the update cycles, even when there are vulnerabilities present, and hence many devices stay vulnerable many years after the relevant security patches have been issued and implemented in other environments.

Assessing the risks

So just how vulnerable are health IoT devices to attack? To assess this, it’s important to distinguish between the different types of device available, and their intended uses.

There are wearable medical devices, both external equipment such as insulin pumps, and implanted devices like pacemakers. It’s easy to see how a lethal intervention could be done remotely by controlling the device – this could be done directly and deliberately, or simply threatened as part of an extortion attempt.

Then there are stationary devices within hospitals, such as intelligent pharmacy dispensers or chemotherapy stations. Once again, the possibilities for cybercriminals to interfere with patient care – to potentially life-threatening levels – by hacking into the device are worrying. The same data pathways that allow doctors to make adjustments to how the devices perform can also be used maliciously, if the hacker is able to gain access. As mentioned earlier, it is possible to gain access to the networks used by medical devices by infecting another device – such as a smart TV or tablet PC – and moving laterally within the hospital’s networks… unless those networks are carefully segmented.

Diagnosis and remedy

All this might seem to paint a grim picture. But there are many ways in which the designers and manufacturers of healthcare IoT devices, as well as the organizations and individuals that deploy them, can mitigate these risks.

First, ‘privacy by design’ – which, incidentally, is also necessary for any organization subject to the upcoming EU GDPR – should be integral to the design of all healthcare IoT devices. Similarly, a Secure Software Development Lifecycle (S-SDLC), which incorporates threat modelling, should be adopted by all manufacturers as a matter of course.

And second, when healthcare organizations begin building an IoT ecosystem, they must ensure that they have an appropriate mobile and endpoint security system in place. An integrated approach, which ensures that all devices are protected with a single security architecture, is the best strategy. Such a solution needs to cover aspects such as device discovery, network segmentation and provide protection against the potential multiple advanced attack vectors based on threat prevention solutions. All of the above aspects should be centrally orchestrated with a single platform that provides coherent policies across the varius network segments

The Internet of Things can be a lifesaving shift in how the healthcare sector delivers patient care,but it can also be an open invitation to malicious cybercriminals who wish to extort payment, steal data, and cause actual harm. Designers, manufacturers, practitioners, and patients need to work together to keep this new landscape in good health.