Guest Column | June 28, 2016

IoT And Healthcare: Is Your Body The Next Target For Hackers

Mike Baker, Founder and Principal at Mosaic451

By Mike Baker, Founder and Principal at Mosaic451

Healthcare cybersecurity primarily focuses on protecting breaches of patients' private medical data and, more recently, on preventing ransomware attacks that can lock health professionals out of their systems and make electronic medical records inaccessible. However, as wearable and implantable medical devices are developed and grow in popularity, another concern arises: the potential for hackers to actually attack the body of patients.

The Internet of Things (IoT) — the massive network of devices, cars, and even buildings connected to the internet — is exploding in popularity and has been called "the next Industrial Revolution." Smart homes equipped with smart thermostats, with smart cars in the garage, and smart TVs in the living room are being embraced by consumers. According to Business Insider, it is estimated 24 billion IoT devices will be installed by 2020, and $6 trillion will be spent developing IoT technology over the next five years, including millions of healthcare devices.

Wearable and implantable IoT healthcare devices, from pacemakers to insulin pumps to monitors, are set to fundamentally change the way healthcare is delivered. The world IoT healthcare market is growing rapidly; Allied Market Research predicts it will reach $136.8 billion by 2021, up from $60.4 billion in 2014.

The Ransomware Threat To IoT Medical Devices

Up until now, cybersecurity has been focused on computers and the networks they are connected to. However, the rapid proliferation of IoT devices is quickly redefining the definition of a "computer," and all of them are connected to the Internet. IoT devices tend to have weaker security protections than regular computers — including hard-coded and widely known passwords — and unlike computers not all devices are easily patched or updatable. Additionally, there are many IoT device manufacturers and the devices are sold through different channels; there are no common controls regarding passwords, encryption, or other security measures, and no "chain of custody" controls tracking who has handled the device or when.

These vulnerabilities make IoT devices attractive targets. Cybersecurity experts recently examined the popular Nest smart thermostat and Ring smart doorbell, demonstrating how both could be compromised and used as entry points into a home network. While no reports of actual breaches involving either product have been reported, and Ring's manufacturer addressed the reported flaw with a firmware update, IoT security is still a matter of great concern, especially as IoT medical devices proliferate.

If a connected doorbell or thermostat can be breached, why not a smart pacemaker or insulin pump? If a vulnerability exists, and there is potential to make money off it, hackers will ultimately decide to take advantage of it. It's not a matter of if but when.

Recently, the healthcare industry has come under attack from ransomware, which hackers use to breach a system and render it inoperable until the victim pays a ransom. In February, Hollywood Presbyterian Hospital paid hackers a $17,000 ransom to regain access to patient medical records and other critical data after being locked out of their system for a week; a move some experts feel emboldened hackers by demonstrating hospitals will pay up rather than risk the lives of their patients. The next logical question is, if a healthcare facility is willing to hand over tens of thousands of dollars to get back into its electronic health records, how much would patients be willing to pay to keep their insulin pump or pacemaker working?

This scenario isn't outside the realm of possibility. By locking medical providers out of patient medical records, hackers have demonstrated they have no qualms about putting the lives of innocent people at risk. In one hypothetical scenario, the hacker would begin draining an IoT device's battery and demand that the patient pay a ransom before the battery (and the patient) dies. Batteries can be drained so quickly that the victim would not have time to have a replacement device implanted.

The only hurdle hackers need to overcome is how to get their ransom demand to the victim. On a computer, the demand is usually displayed in a pop-up window. However, if the hacker has managed to break into an individual patient's medical device, they may have already determined that person's email address and cell phone number, to which the ransom demand could be sent.

How Can The Healthcare Industry Protect Patients From IoT Attacks?

The first step is to create a culture of awareness where cybersecurity is taken seriously. The healthcare industry has lagged in this regard for numerous reasons, one being that healthcare providers often feel that their only job is to treat patients, and that information security is something that only IT personnel must worry about. However, as ransomware attacks on electronic health records has already shown, and as the looming threat of attacks on implanted patient devices illustrates, information security is just as important to patient treatment as sanitary practices and ensuring patients are getting the correct medication doses.

IoT device manufacturers also need to begin taking the security of their devices seriously. Industry leaders must work together and in public-private partnerships with government security experts to set security standards, best practices, and common controls, as well as make IoT devices easier to patch and update. Healthcare industry leaders must put pressure on device manufacturers and push them in this direction.

One way to prevent breaches is for healthcare providers to continually monitor system activity to establish a baseline pattern for users. That way, if any activity occurs that deviates from normal patterns — such as a user attempting to access a system at a highly unusual time or from a completely different area of the country or world — the system can require further authentication before allowing the user to proceed. Such monitoring takes a lot of time, a high level of expertise, and highly specialized hardware and software. Most healthcare facilities do not have sufficient in-house resources to perform these tasks on their own, so it's a good idea for facilities to partner with a reputable managed security services provider (MSSP). An MSSP can not only provide cyber security experts both onsite and offsite, but also the highly specialized software and equipment needed to monitor systems, perform behavior analysis, and respond to potential breach attempts immediately.

IoT devices have the potential to greatly benefit both patients and health professionals. Wearable and implantable devices will make it easier for doctors to monitor and even treat patients remotely, which means that patients will spend less time in hospitals and other health facilities. The massive amount of data generated by IoT healthcare devices could help researchers develop better and more effective treatments that will help patients live longer, healthier lives. The healthcare industry cannot sit back and wait for a breach to happen; proactive measures can and must be taken to protect patients' lives and ensure that IoT technology continues to innovate and develop.

About The Author
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.