No matter where you get your news, you’ve no doubt heard about incredible tech advances in healthcare. From accessing data on an app to receiving instructions from medical personnel on a smartwatch or smartphone, the Internet of Things, or IoT for short, is making a significant impact on the healthcare industry. But is the impact entirely positive?
Thanks to IoT in healthcare, patients, doctors and administrators can see a granular view of everything from a patient’s health to all facets of hospital administration. This results in improved efficiency, accuracy, and economic benefits. And in rural areas, where there are few doctors and even fewer specialists, it reduces the need for human intervention.
According to Scott Gnau, CTO of Hortonworks, “Consumer-facing IoT will have a remarkable impact on the way we live, work and communicate – with each other and devices. Imagine a diabetic with a blood glucose monitor that connects to their phone, that sends the information to their primary physician, that records that ping to an online portal to better manage levels and the impact on that individual’s healthcare experience.”
But with these improvements, there’s also risk. IoT’s risk affects both security and privacy. The increase in connected devices and the use of cloud resources have created a situation where hackers and cybercriminals have more attack vectors. You can bet that bad actors will attack cloud providers with the intent to take down multiple organizations at once, thus increasing the scale of attacks with little effort (a DDoS on a massive scale). Think of the scope of damage in a medical setting like a large hospital.
Experts estimate that the IoT will consist of 30 billion objects by 2020, and most will be Internet-facing, relying on the cloud for data storage and data analytics. And from an enterprise’s perspective, to cut costs, some small-to-midsize hospitals may go to an XaaS (Everything as a Service) model, which will create an even larger number of attack vectors.
However, privacy, security, passwords, and encryption are understood in the healthcare industry thanks to two pieces of legislation: the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which strives to stimulate the adoption of electronic health records (EHR) and supporting technology, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which provides data privacy and security provisions for safeguarding medical information. All in the healthcare industry are well aware that penalties and fines can occur if patient data is not protected.
On the black market, a stolen credit card number may be worth 25 cents, and a social security number may be worth 10 cents, but a medical health record could be worth hundreds or even thousands of dollars. Medical records contain ALL of an individual’s demographic data, including residential and professional addresses, names of family members, medical history, medical insurance history, and credit card information. This is the most comprehensive account of information about you, and as a result, it’s a treasure trove for cybercriminals.
Hospital IoT can be attacked through many vectors. There is the inside threat, which may be accidental or malicious. There is the malicious outsider, who may attack by jumping on an internal network using social engineering or through brute force. And there are websites, such as Shodan, which are a one-stop shop for anyone looking to find Internet-facing IoT devices.
The information available on Shodan can give bad actors access to passwords, usernames, and potential vulnerabilities of any Internet-facing devices it finds. And that’s not just IoT. This also includes industrial control systems, SCADA (supervisory control and data acquisition) systems, databases, and any other Internet-facing device. If something can be accessed through the Internet, hospital IT staff must lock it down.
The problem with IoT devices is that manufacturers don’t have the resources, money or personnel, to keep up with firmware and software updates. Some devices may be legacy and cannot be updated frequently as vulnerabilities are found. Unlike major software and hardware developers, most companies that manufacture IoT devices treat security as an afterthought, or not at all, or set generic default passwords.
So, the bottom line is that, today, not some random day in the future, it’s up to the IT department in each hospital to make sure strong passwords and encryption protocols are used for ALL devices and software that are on their networks and face the Internet.