Securing IoT in Healthcare is Critical

In 2012, a fictitious U.S. vice president on the television show “Homeland” had his pacemaker hacked. In 2013, former Vice President Dick Cheney told “60 Minutes” that after he watched the show he instructed doctors to disable the wireless capabilities in his actual pacemaker.

Cheney might seem a little paranoid, but last year the FDA recalled 465,000 pacemakers, citing security vulnerabilities. More recently, the list of hacked medical devices expanded to include ventilators, infusion pumps and defibrillators.

Healthcare is already a top target of hackers, and the Ponemon Institute estimates data breaches cost the healthcare industry $6.2 billion last year. The reason that healthcare is such an inviting target is simple: money.

“Healthcare data is more valuable than credit card data,” says Bindu Sundaresan, practice lead at AT&T Security Consulting.

If your credit card is stolen or compromised, you can get a new card with a different number. But an Electronic Health Record (EHR) is a goldmine that includes your credit card information, your private medical information, and personal information like birth date, address and Social Security number.

While credit card numbers sell for pennies on the dark web, stolen medical ID cards sell for at least $1 and medical profiles start at $5 each, according to a recent report from Trend Micro.

The IoT effect

Between connected devices inside healthcare facilities and connected devices inside patients, the total number of IoT devices is exploding, creating new attack vectors for cybercriminals and new headaches for healthcare CSOs.

We’ve already seen IoT healthcare devices hijacked and used for botnet attacks. IoT devices are not only a way for hackers to gain access to a hospital network, but also to attack connected networks, like a pharmaceutical company. And then there’s ransomware: One recent report found that 45% of all ransomware attacks in 2017 were in the healthcare sector.

The challenge is daunting, but there are approaches that healthcare organizations can take to help protect their IoT infrastructure. The key for CSOs is to make the case that IoT security is not just about the confidentiality of records, it’s about the quality of patient care.

IoT security checklist

In many cases, healthcare practitioners don’t realize that the medical device they’re using is vulnerable to attack. So, a good first step is awareness.

The next step is assigning responsibility. What happens when something goes wrong? Who calls the manufacturer? Who calls IT?

Since a typical healthcare operation will have legacy devices that were likely deployed with no security considerations, CSOs need to take an inventory to determine the current state of device security and then come up with a plan for how to deal with legacy devices. Patches and firmware upgrades need to be applied on a consistent basis.

When it comes to new IoT devices, CSOs must insist that every connected pacemaker and insulin pump is treated the same way as a desktop or laptop computer in terms of device-level security.

From a networking perspective, healthcare organizations need to deploy segmentation to make sure that traffic from IoT devices is partitioned from sensitive information like health records.

And while there are currently no specific standards for IoT security, NIST does have a cybersecurity framework that CSOs can refer to.

AT&T offers guidance and specialization to assist enterprises with shoring up defenses and developing an IoT and healthcare security strategy. Find out more at AT&T IoT security.

Original article by Neil Weinberg

This post was curated with edits by Gordon Fletcher, Principal Consultant (Engineering & Mobile Technology) at Compumagick Associates, who can be reached at @compumagick.
