The Dismal State of Healthcare IoT Security

The healthcare industry has been moving toward medical equipment connectivity to speed up data entry and recording, as well as improve data accuracy. At the same time, there has been a shift toward incorporating consumer mobile devices, including wearables, so that healthcare providers can monitor patients’ health more closely and improve treatment.

“The demand for connected devices has increased rapidly in recent years,” noted Leon Lerman, CEO of Cynerio.

“The number of connected medical devices, currently estimated to be approximately 10 billion, is expected to increase to 50 billion over the next 10 years,” he told the E-Commerce Times.

Worldwide, consumer interest in smart wearables — those from Apple, Fitbit and various fashion brands — has been growing, according to IDC.

Wearables sales in Q1 exceeded 25 million units. Sales of smart wearables in that period were more than 28 percent higher year over year, while sales of basic wearables fell by about 9 percent.

The smarter devices from major brands such as Apple and Fitbit incorporate more sensors and improved algorithms, and have access to historical underlying data, noted Jitesh Ubrani, senior research analyst for IDC mobile device trackers, which makes them useful for monitoring user health.

Wearable makers increasingly have been incorporating cellular connectivity into their products, leading to the emergence of new use cases. About one third of all wearables sold in Q1 included cellular connectivity.

Apple has been pushing deeper into healthcare with the Apple Watch, which connects wirelessly with an iPhone.

Fitbit has partnered with Google on a range of enterprise and consumer health solutions.

Further, medical equipment manufacturers increasingly have been incorporating connectivity into their products.

However, connecting wearables to networks comes at the cost of increased security risks.

Threat Landscape

“With the number of IoT and connected devices being used within hospitals constantly increasing and diversifying in their nature, the exposure to potential devices is great,” Cynerio’s Lerman noted.

Such devices range from MRI machines to insulin pumps, and “the sheer number of devices in a single hospital also means that staff are often unaware of threats, so breaches can go undetected,” he pointed out.

Network-connected medical devices “promise an entirely new level of value for patients and doctors, but they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk,” Kamaljit Behera, healthcare industry analyst at Frost & Sullivan, told the E-Commerce Times.

Last year, 75 percent of healthcare organizations experienced a cybersecurity incident, noted Frost & Sullivan healthcare industry analyst Siddharth Shah.

Attitudes toward cybersecurity have been mixed, however. Seventy-one percent of healthcare organizations polled by Frost have allocated a budget for cybersecurity, Shah told the E-Commerce Times.

However, based on the firm’s research, 53 percent of healthcare providers and 43 percent of medical device manufacturers “do not test their medical devices for security, and few are doing anything about being hacked,” he said.

“Some improvement” in cybersecurity is expected this year, Shah said. The healthcare industry “is gradually moving from a reactive approach to a proactive one, but there’s still lots to be done.”

Hospitals’ IT security budgets are relatively low, Lerman pointed out. So, hospitals “have a relaxed security posture, with unsecured connected medical devices being the golden ticket for hackers.”

Patient data is “valued at approximately 10 times the value of a standard credit card,” he remarked.

The lure of riches has spurred hackers’ creativity, observed Sean Newman, director of product management at Corero Network Security.

“Evidence of continued cybercriminal investment and innovation … reinforces the need for organizations requiring continuous Internet availability to deploy the latest generation of real-time, automatic DDoS protection solutions,” he told the E-Commerce Times.

There already are cybersecurity frameworks in use at hospitals, Shah said.

Further, the United States government has been working to improve the situation: The U.S. Food and Drug Administration has published a medical device safety action plan, for example. It also collaborates with the U.S. Department of Homeland Security on medical device cybersecurity issues.

Wearables Are Low Risk

The risk from wearables is low level, “assuming the healthcare entity is segmenting the data flow from remote personal healthcare devices into a separate data repository and not their electronic health records,” said Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.

That’s the “more likely architecture” to be adopted for both analytics and security purposes, he told the E-Commerce Times.

The increasing trend toward consumerism in healthcare has given rise to a new debate, said Frost’s Behera, over whether to make individuals the actual owners of their data, with sole access control to promote interoperability.

“It’s a great vision,” said Behera, “but the bigger question is, how well are individuals prepared, equipped and educated to protect access to their health data on their smartphones or their home Internet networks?”

A Possible Healthcare Security Strategy

Each device maker implements its own security solutions, and the medical device industry “is struggling to take what they’ve learned and apply it,” noted Rod Schultz, chief product officer at Rubicon Labs.

What’s needed is a paradigm shift, he told TechNewsWorld.

Every connected medical device maker should not attempt to reinvent the cybersecurity wheel, Schultz said. Instead, they all should rely on mobile phones, which are “the natural cornerstone of security for a connected medical device.”

Finding a way for mobile phones to do as much of the heavy cybersecurity lifting as possible “will work — but will require device makers to concede and cooperate with Apple, Google, Microsoft and Amazon,” he pointed out.

“Standardization may eventually spin out of this,” Schultz suggested, “but in the short and medium term, looking for a halo of security from the biggest mobile device and cloud providers seems like a viable security strategy.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
Email Richard.

You Might Also Like