A Tele2 IoT White Paper

Tele2 IoT Healthcare Security White Paper

IoT & Healthcare: Ensuring Privacy & Security

Roughly 87% of medical organizations have adopted IoT in some way, and there are an estimated 650 million IoT-enabled medical devices in use today. But while new IoT-enabled medical technologies promise improved care and increase successful outcomes with greater consistency, those same technologies create vulnerabilities, leading to new challenges and security risks. A growing volume of highly sensitive medical and personal data is being collected – not taking privacy and security seriously can lead to unwanted and possibly disastrous consequences down the road.

IoT-enabled healthcare is projected to grow by 21% annually over the next five years, putting it ahead of building automation and automotive as one of the fastest growing areas of IoT. This growth is being driven by a number of factors, including technological advancements and the rise of digitization, along with an increase in the overall level of connectivity and myriad innovations in the modern healthcare ecosystem. Connected devices support everything from medication management and remote patient monitoring to wearables and mobile apps. Devices are particularly vulnerable to hacking and it’s not just the app that tracks your daily steps. Hackers are accessing everything from IV pumps to MRI machines.

To put the threat in perspective, there were more than 200 medical hacking incidents in the US in 2019 – a rise of nearly 25% from 2017. Two hundred attacks might not sound like a lot until you look at the number of patient records affected: 11 million. These breaches and ransomware attacks cost the healthcare sector an estimated $4 billion annually and threaten the privacy of every patient involved.

Why hackers love healthcare

Healthcare is a target for hackers for a number of reasons, with the massive amount of electronic data being the biggest one – but certainly not the only one. Healthcare data includes both private health information and financial information, nearly all of which is sensitive and governed by regulations. And as healthcare organizations become increasingly connected, they have myriad overlapping systems, digital touchpoints, and data in transit, all of which are catnip to cybercriminals. Here are just some of the reasons why:

Lucrative data

The amount of Personal Health Information (PHI) collected is enormous.

Between 2016 and 2019, there was an explosive 878% growth in healthcare data collection.

In addition to basic information such as name and contact details, PHI can include things like credit card details, personal identification numbers, and medical history. This information can be used by cybercriminals for anything from illegally using someone’s credit card to identity theft or blackmail. Even worse, stolen PHI can be used to obtain expensive medical services, devices, and prescription medication, and even be used to fraudulently gain government benefits. Bottom line is that PHI is extremely valuable on the black market. To put it into perspective: credit card numbers are worth as little as ten cents on the black market or dark web, while PHI can carry a price tag from hundreds to thousands of dollars. Additionally, once data and/or devices are accessed the implications can go far beyond the individual, with whole healthcare systems or even city operations being impacted.

Sub-par security

Lax security standards are not just expensive inconveniences – the disruption caused by a cyberattack puts people’s health, safety, and even lives at risk. Cyberattacks have caused disruption to emergency responses, medical records have been rendered inaccessible or even been permanently lost, surgeries and tests have been postponed, and even building access systems have ceased to work. This has been the result of healthcare organizations either underestimating their security needs or not taking the need for cybersecurity seriously enough.

Broad attack surface

An attack surface is the sum total of possible points at which an attacker can enter an environment – and due to the sheer number and diversity of systems, medical environments are particularly vulnerable. Hospitals and clinics depend on a wide range of equipment and applications which can be difficult to manage and protect, particularly because healthcare data, while needing to be kept private and secure, also needs to be easily accessible and shareable, especially in the case of an emergency. And it’s not just medical devices that are being attacked: today attacks can be simple and generic and go after non-medical devices that happen to be connected to clinical networks, including things like security cameras, game consoles, and laptops, giving attackers an open door into an organization’s data.

Unique communication patterns

One of the biggest security challenges when it comes to IoT-enabled medtech devices is that they have unique communication patterns. Heart monitors communicate with nurse stations, while imaging devices and scanning machines, such as MRIs, communicate with vendors for routine updates or maintenance. Meanwhile, external wearables, such as insulin pumps and blood glucose monitors, collect and relay data to medical centers and healthcare providers. This level of complexity makes it difficult to cover all your bases when it comes to security.

Legacy systems

Many legacy systems in medical centers were never designed to connect to networks, have traditionally weak security controls, and don’t have built-in cybersecurity protocols. Furthermore, many healthcare providers struggle with the challenges of upgrading devices and systems in environments that run 24/7, which can not only disrupt operational flow but also, from a management point of view, hit an organization’s bottom line. Leaving your cyber environment vulnerable to attacks means leaving your organization as a whole vulnerable to unwanted financial blowback from regulatory boards and even patients themselves.

Untrained staff

Medical staff are there to save lives, not to worry about data security, but failing to ensure that staff are aware of the risks around cyberattacks and the simple steps that can be taken to ward them off is playing with fire. Even in 2020, when the dangers are well-known and widely discussed, it is estimated that more than 40% of all clinical hospital employees receive little to no cybersecurity awareness training beyond initial education on login access. Additionally, even traditional IT staff are often untrained on evolving security challenges – a recent study showed that 51% of in-house IT management with purchasing power report their team is not fully aware of the variety of cybersecurity solutions that exist.

Lack of funding

When it comes to cybersecurity budgeting and forecasting, there is a lack of reliable historical data. Cybersecurity on this level is a new line item for medical centers, and budgets struggle to evolve in order to cover the true scope of requirements. Often, funds are only allocated after a breach. The good news is that the tide is turning.

Around 70% of healthcare organizations are increasing their cybersecurity budget going into 2021.

How to approach IoT healthcare security

The stakes are high and the challenges complex. The vulnerabilities mentioned above highlight the importance healthcare organizations must place on cybersecurity. While there are still some issues when it comes to security protocol standardization across IoT-enabled medical devices, these continue to be reduced and there are some key steps every healthcare organization can take in order to protect themselves and their patients while bolstering security:

Educate staff

Establish a security culture by implementing ongoing training and education that emphasizes the responsibility every member of staff has when it comes to protecting patient data. Security awareness training equips staff with the knowledge they need to make informed decisions and to use appropriate caution when handling patient data. New employee onboarding should include training on best practices, including software and operating system maintenance. In other words, make sure they don’t use default passwords and that upgrades are promptly addressed.

Evaluate associates

Healthcare data is increasingly transmitted between providers and other entities for any number of purposes, from facilitating payments to delivering care. Undertaking a careful evaluation of all current and potential business associates is crucial to ensuring the security of your patients and your organization.

Encrypt data

Encrypting data so it will be useless to hackers is one of the most useful ways of protecting PHI and healthcare organizations themselves. By implementing encryption, you make it difficult or even impossible for hackers to decipher PHI. End-to-end encryption will render data basically useless to hackers.

Access management

Access to protected health information should be granted only to those who have a need to view or use the data. Any software, applications, or other additions to existing systems should not be installed by staff without prior consent from the appropriate organizational authority. Data can also be breached when physical devices are stolen, so computers and other electronics that contain protected information should be kept in secure areas. Working with access management is not a one-time thing – rather, it should be seen as a circular and operational activity that is given priority in order to protect your devices and data.

Passwords, passwords, passwords

Use strong passwords and change them regularly.

It sounds so simple, yet research has shown that more than half of data breaches involve taking advantage of passwords that are default, weak, or stolen. Use strong, multi-factor authentication.

Segment the network

Reduce the attack surface by limiting communications between devices to only those that are necessary to maintain services. Continuously monitor device networks in order to identify sudden changes in activity levels that may indicate a breach. There are other alternatives that will also segment your connections further, such as using different access points and routes, and combining those to make your setup both safer and more redundant. Transfer from A to B is easy – but it’s not always the most efficient way of doing things. It’s important to understand how redundancy and route segmentation can make a big difference.
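The two controls described here, an allowlist of permitted device-to-zone communications and monitoring for sudden changes in a device's activity level, can be checked against flow records. The following is an added example, not code from the white paper or from Tele2; the device classes and permitted peers follow the communication patterns described earlier (heart monitors to nurse stations, imaging to vendor maintenance, wearables to the medical center), while the zone names and flow records are constructed sample data.

```python
"""Segmentation-policy check and activity-spike detection for a clinical device network.
Added example (not from the white paper or Tele2): device classes and peers follow the
communication patterns the paper describes; zone names and flows are constructed."""
from collections import defaultdict
from statistics import median

# Segmentation policy: destination zones each device class may talk to (hypothetical names).
ALLOWED_PEERS = {
    "heart_monitor": {"nurse_station"},
    "mri": {"vendor_maintenance"},
    "insulin_pump": {"medical_center"},
}

# Constructed flow records, oldest first (not real telemetry).
SAMPLE_FLOWS = [
    {"device_id": "hm-01", "device_class": "heart_monitor", "dst_zone": "nurse_station", "bytes": 1200},
    {"device_id": "mri-02", "device_class": "mri", "dst_zone": "vendor_maintenance", "bytes": 50000},
    {"device_id": "hm-01", "device_class": "heart_monitor", "dst_zone": "nurse_station", "bytes": 1100},
    {"device_id": "mri-02", "device_class": "mri", "dst_zone": "vendor_maintenance", "bytes": 52000},
    {"device_id": "ip-03", "device_class": "insulin_pump", "dst_zone": "medical_center", "bytes": 300},
    {"device_id": "hm-01", "device_class": "heart_monitor", "dst_zone": "nurse_station", "bytes": 1300},
    {"device_id": "mri-02", "device_class": "mri", "dst_zone": "vendor_maintenance", "bytes": 48000},
    {"device_id": "ip-03", "device_class": "insulin_pump", "dst_zone": "guest_wifi", "bytes": 310},
    {"device_id": "hm-01", "device_class": "heart_monitor", "dst_zone": "nurse_station", "bytes": 1250},
    {"device_id": "mri-02", "device_class": "mri", "dst_zone": "internet", "bytes": 400000},
]

def policy_violations(flows):
    """Flows whose destination zone is not on the allowlist for that device class."""
    return [f for f in flows
            if f["dst_zone"] not in ALLOWED_PEERS.get(f["device_class"], set())]

def activity_spikes(flows, ratio_threshold=3.0, min_history=3):
    """Devices whose newest transfer is far above their own earlier median volume.
    Returns {device_id: ratio}. Devices with fewer than min_history earlier flows
    have no usable baseline and are skipped rather than guessed at."""
    per_device = defaultdict(list)
    for f in flows:
        per_device[f["device_id"]].append(f["bytes"])
    spikes = {}
    for dev, volumes in per_device.items():
        history, latest = volumes[:-1], volumes[-1]
        if len(history) < min_history:
            continue
        baseline = median(history)
        if baseline > 0 and latest / baseline >= ratio_threshold:
            spikes[dev] = round(latest / baseline, 2)
    return spikes
```

On the sample data the MRI's final flow is flagged twice: it leaves the permitted vendor zone and moves eight times its usual volume, which is exactly the combination of policy breach and activity change the text says to watch for.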

While all industries must take IoT security seriously, it is of critical importance when it comes to healthcare, particularly as we prepare for a post-Covid world, where remote care will be much more widely accepted. Healthcare may be among the fastest growing industries implementing IoT, but it is also at the top of the list of industries at risk of cyberattacks. Taking the security of your solution seriously is imperative.

If you would like to learn more about how we can help you secure your IoT solution, please get in touch.

Private APN fact box

Service                             Private APN   Private APN with IPSec VPN   Private APN with Private Interconnect
Transferring data securely          +             ++                           +++
Industry                            N/A           ++                           +++
Scaling of data transfer capacity   +             ++                           +++