IoT Security in the Healthcare Industry

In October 2020, the University of Vermont Health Network was targeted by a ransomware attack that disrupted six hospitals’ operational capabilities. The attack caused applications like phones, emails, and patient records to be shut down. It also affected the patient portal used to schedule appointments and access patient data, causing delays in appointments, important treatments, and procedures. To prevent further damage, hospital IT staff immediately shut down all systems.

It was found that malware was placed on more than 5,000 hospital devices and that data was encrypted on 1,300 servers. All affected systems were then cleaned and rebuilt, and data was restored.

Following the incident, 300 employees were either furloughed or reassigned. Moreover, while there was no ransom demand, the hospital still lost $1.5 million per day in revenue and expenses. 

Here, we will look at the role of IoT devices in healthcare and the cyber risk that comes along. 

Current trends – IoT in the healthcare sector

There are currently more than 646 million IoT healthcare devices in use. IoT has delivered numerous benefits to the healthcare sector: increased productivity, streamlined function, seamless patient care, more accurate diagnoses, and so on. Research shows that the global IoT market in this sector will reach $332.67 billion by 2027. 

However, as this industry becomes more technologically advanced, the frequency and sophistication of cyberattacks grow in parallel. Cybercriminals see healthcare organizations as a huge bounty for their malicious agenda and it has only gotten worse since the start of the pandemic. In fact, 82% of healthcare organizations have experienced a cyberattack on at least one of their IoT devices.

Cyber vulnerabilities of IoT in healthcare

While IoT devices offer numerous benefits to the sector, they do add an extra layer of possible entry points for cybercriminals. These risks have to be analyzed and mitigated accordingly. 

• Medical IoT devices often contain and work with highly sensitive patient data and credentials, which are highly valued on the dark web. This makes them especially appealing to cybercriminals.

• Most IoT devices are made to execute their intended actions. Cybersecurity is not a priority.  
• Connected devices often operate on legacy systems that cannot be updated or upgraded. This makes them highly susceptible to breaches.
  
• Many healthcare institutions do not employ network segmentation on devices. As such, a locally introduced device could potentially access sensitive medical data even if it does not have the authorization. Threat actors can use this vulnerability as an entry point to launch attacks.
  
• Many IoT devices lack a strict password management system. Users often make the mistake of keeping a device’s factory settings, including its default password; or they assign a weak password to a device; or the same password to multiple devices.
  
• Healthcare organizations sometimes fail to patch vulnerabilities to the latest cybersecurity requirements – especially when it comes to firmware and hardware. Cybercriminals often exploit vulnerabilities in these components to install malware to launch larger attacks. Moreover, it is a large safety issue as it can lead to the malfunctioning of connected healthcare devices.
  
• Last but not least, some organizations fail to physically secure their IoT devices. Cyberattacks do not always happen remotely. If the physical access to devices is compromised, chances are that the rest of the network will get compromised.

Some of the most common cyber attacks on IoT in healthcare include ransomware attacks, malware, botnets, DDoS (Distributed Denial of Service) attacks, and social engineering.

What can be done to improve cybersecurity? 

As IoT technology becomes increasingly commonplace into the healthcare sector, your organization should take necessary steps to ensure that these devices are secure and operate with minimal risk.

1.  Educate your employees on how to operate IoT devices efficiently. Raise awareness about the dangers of unchecked vulnerabilities and the possible cyberattacks that may occur as a result. Conduct regular training and testing to ensure that your employees are aware of the cyber safety protocols to be followed.
   
2. Maintain a strict inventory of all connected devices in your organization’s network. This includes knowing their location, the status of their function, and their patch management process. They should also be regularly screened for risk assessments.
   
3. Update all firmware, hardware, software, and programs to the latest security patches, eliminating vulnerabilities that cyber attackers could use to their advantage. Additionally, invest in endpoint detection programs (EDR) and mobile device management (MDM) to reduce the security risks that come with these connected devices.
   
4. Network segmentation is key to ensuring better security and easier management of connected devices. When a network is split into subnetworks, it allows for traffic to be split into external (or guest users) and internal (or authorized users). 
   
5. Implement the usage of strong passwords on all your organization’s connected devices. Additionally, employ encryption tools, multi-factor authentication, and employee credential checks to prevent unauthorized access. Security solutions like PKI (Public Key Infrastructure) are ideal for transferring information between devices while minimizing the risk of cyberattacks. However, the most effective way to minimize risk is to switch to a zero-trust architecture where every user, IoT device, and every request must first be verified before being granted access.
   
6. Monitor user activity on all connected devices in your network to ensure that there is no suspicious activity. Similarly, monitor network traffic for high traffic volume or malicious packets.