By, Mitchell Muro, Product Marketing Manager
Register now to learn how Heritage Health Valley Systems tightened their IoT security after a cyber attack
Healthcare has always been on the cutting edge, with hospitals and healthcare providers typically quick to embrace any innovation that will translate into better, more efficient, more affordable care. From microscopic pill cameras and implantable devices to laser surgery and advanced monitoring techniques, medical technology is all about creating the best possible patient outcome.
But when it comes to the latest wave of innovative products, powered by always-on, always-connected internet of things (IoT) technology, there are growing concerns that security issues may eventually harm medical institutions or the patients themselves.
This post will first explore some of the ways IoT is revolutionizing medical care, then identify some of the potential problems posed by connected devices in a medical setting. Finally, we’ll explore some best practices for the safe, secure use of these devices—so you can focus on providing care without worrying about security.
The Importance of IoT to Medicine
Some estimates predict that the global IoT market will grow to $534.3 billion by 2025. The approximately 646 million IoT devices currently in use within the healthcare field include three primary categories:
- Wearable devices (wearables) are familiar to anyone who’s ever worn a smart watch. But today’s technology goes much further, including devices like ultra-light wearable biosensors that keep tabs on patients and wearable blood glucose monitors that help keep diabetics healthy.
- Implantable devices include any devices that are inserted into the body, including smart pacemakers, insulin infusion pumps, and defibrillators.
- Other devices used in the healthcare setting range from security cameras to thermometers and smart pens that are communicating patient data to and from healthcare records systems.
Beyond devices specifically intended for medical applications, most hospitals and other healthcare facilities are also benefiting from the types of IoT devices found in other enterprises:
- Smart office equipment like badge readers, cameras, and routers
- Smart building infrastructure like connected elevators, HVAC, and more
- Personal devices brought in by employees that can access the hospital’s network
Obviously, IoT devices are doing a world of good in medical settings. They’re giving patients more freedom and ensuring better compliance by simplifying treatment and monitoring. They also provide the kind of continuous monitoring and analysis of medical data that would be impossible without technology. Plus, they give healthcare providers instant access to up-to-date information so they can provide better care and achieve better outcomes.
Since the emergence of COVID-19, in particular, the convenience of connectivity has proven itself over and over. At the time the pandemic hit, organizations that were not highly connected had to scramble to catch up, both to deal with the COVID patient load and to provide remote services and relieve overburdened healthcare providers.
Still, for any enterprise—medical or otherwise—every single smart device on your network also introduces a certain degree of risk. The challenge for every single healthcare organization in the world right now is figuring out how to get the most patient-care benefit out of IoT technologies while reducing this risk—ideally all the way to zero.
IoT Devices: Risk Factors
What makes it so risky to allow IoT devices on your network?
Certainly, every device using the network increases what’s known as the “attack surface.” But while this vulnerability is easy to control for most devices (phones, computers), the situation is not so simple with IoT devices. Here are a few reasons why this technology poses a greater security risk:
- Unlike mainstream endpoints like Windows computers or Android phones, IoT devices are not designed with security top of mind (they’re usually unattended and unmanaged).
- Up to half of connected devices, like ultrasound and MRI machines, run on legacy operating systems that are no longer supported or maintained—meaning zero security support or patches are available for them.
- There’s no certification and standardization for cyber security in medical devices. (Which is ironic considering that medical device safety is one of the strictest areas of regulation around the world.)
- If you’re like most organizations, you’re using a hodgepodge of devices, making it almost impossible to manually inventory every single device and keep track of what it’s doing.
- IoT devices lack standardized interfaces and controls, so it’s nearly impossible to create a uniform security policy, upgrade software, or even implement strong passwords without a solution specifically designed for IoT security.
For all these reasons, it can be very easy for hackers to compromise IoT devices in a medical setting.
Anatomy of an Attack
So what happens when hackers are able to breach a hospital or other medical facility? They usually follow a standard procedure:
- Step 1: Compromise the IoT device as the weakest link in the healthcare network.
- Step 2: Access any data on the device itself and intercept its communications.
- Step 3: Move laterally to other computers and devices within the network, taking advantage of known vulnerabilities.
- Step 4: Steal confidential medical information, or attack mission-critical functions—or both.
Obviously, the prospect of any attack is completely unacceptable. And the cost of an attack, in terms of the impact on both financials and patient care, can be staggering:
- Lost services: A November 2020 attack on the University of Vermont Health Network led to chemotherapy and mammogram services being shut down.
- Ransom payments: Hospitals spend an average of $430 per patient record to retrieve leaked information.
- Overall costs: In 2019, the average cost of an IoT-focused cyber attack on a healthcare organization was $346,205.
Beyond these, a growing range of privacy and compliance standards can also add steep fines if you fail to provide an adequately secure environment.
In some cases, the vulnerability of these devices is truly shocking. For instance, to demonstrate the risk involved with IoT devices, one woman actually hacked into her own pacemaker. She now says, “We have to make the manufacturers (…) aware that this is something they should be concerned about (…) to really make sure that systems are secure.”
Mediating the Risk
IoT devices are definitely the weakest link in your healthcare IT network. And as we’ve seen, the greater the attack surface, the greater your vulnerability. The more devices are connected, the more doors hackers have into your network.
However, since IoT devices are here to stay—and are such a tremendous help to patients and healthcare professionals alike—you need to be aware of how to use them safely in a healthcare setting.
Here are three best practices to make sure you stop hackers in their tracks:
- Maintain full visibility. A comprehensive cyber security approach can only begin when you’re fully aware of ALL devices accessing your network. Many organizations are still relying on manually updating and identifying devices. This may work for traditional servers and workstations, but it can’t keep up in the face of IoT, which demands an automated solution for full coverage.
- Mitigate vulnerabilities. Patching and real-time threat intelligence are the core of any security program, and most organizations have a patching program in place. Yet most IoT devices make it nearly impossible to keep up to date, and if you’re relying on software updates to stay safe, you may be missing key vulnerabilities. A solution that delivers firmware upgrades gives you the best odds of success.
- Zero-trust network segmentation. As we saw above, lateral movement means that once hackers are inside your network, they can often move freely, targeting certain devices such as mail servers, either to wreak havoc or access secure information. Look for tools that simplify network segmentation to wall-off secure areas based on zero trust, granting access only for legitimate business needs.
Experts are beginning to sit up and take notice of the risk inherent in storing and transmitting healthcare data. Looking at the massive growth of telemedicine during the COVID era, a 2021 PWC report called on healthcare organizations to “boost their cybersecurity efforts.”
As that report stated, “The more people use telemedicine, healthcare apps and remote monitoring devices, the greater the number of potential entry points for cybercriminals seeking to steal patient data or launch ransomware attacks.”
In addition, IoT cyber security legislation will soon be coming into effect in jurisdictions worldwide. Taking steps now to mediate risk will put your organization in a better position when proper IoT security is mandated by law. Because when it comes to healthcare, tighter IoT security is literally a matter of life and death.
Conclusion: Stopping Hackers in Their Tracks
Managing the sheer number and variety of IoT devices can be overwhelming. And of course, your organization is probably using a range of non-healthcare-specific IoT devices as well.
Check Point’s Quantum IoT Protect is designed to work with all your connected systems. When you roll it out, Quantum IoT Protect starts working right away to…
- Automate discovery. Minimize your attack surface with full visibility and control over all devices.
- Initiate monitoring. Stop malicious IoT traffic on your network with security monitoring and real-time dynamic threat intelligence.
- Isolate compromised devices. Limit the potential for damage with security gateways and network segmentation.
And with Quantum IoT Protect, you can accomplish all of this through a single simple interface, without having to grapple with a vast range of IoT devices, hardware, and software.
As a healthcare organization, you’re committed to providing the most efficient, effective patient care. When lives are on the line, Check Point’s Quantum IoT Protect gives you the latest and most innovative tools to keep your entire organization safe.
Discover how Check Point can help you achieve a safe and secure IoT environment for your healthcare organization and learn more best practices you can implement to improve cyber security for healthcare IoT.
Find out which devices are currently connected to your network and their associated risk with a free IoT Security Checkup.