Healthcare IoT in Critical Condition
The sorry state of healthcare IoT has been diagnosed—are we willing to do what it’ll take for the cure?
There’s no slowing the healthcare IoT market. Consider the MarketsandMarkets report IoT Healthcare Market by Components, Application, End-User—Global Forecast to 2020, which estimated that the global IoT healthcare market will reach $163 billion by 2020, up from $32 billion last year. That’s a blistering 38 percent annual growth rate.
That rapid growth is happening for good reason. Connected medical devices and the data they collect for medical analysis have the power to not only improve healthcare, but transform how healthcare is delivered. And it promises to do so while also cutting costs through more effective and efficient care. But as with anything else, the benefits do not come without risks.
When Hacks Mean Life or Death
Many of these risks resemble the security risks that face our personal and business-technology systems today—from distributed denial of service attacks, data theft and manipulation, ransomware, and so on. But instead of data services being blocked, or access to critical data being extorted, the impacts of healthcare IoT attacks can literally be life threatening.
Another risk is the loss of data privacy. It’s one thing to have credit cards compromised and replaced, it’s another to have one’s medical history splattered onto the Internet for all to see forever. As soon as this kind of information is out, there’s no putting it back. Medical devices will also be popular targets—simply because of the magnitude of the impact when such devices are compromised. Medical devices and healthcare IoT have it all for potential attackers and criminals: financial gain, high impact for hacking—potentially life or death, and substantial media attention when successful.
“It’s one thing to have credit cards compromised and replaced, it’s another to have one’s medical history splattered onto the Internet for all to see forever.”
— George V. Hulme, business technology writer
Think medical device hacking is all hype? Consider a report published last year from cybersecurity firm TrapX. In its report Anatomy of an Attack, MEDJACK (Medical Device Hijack), the firm analyzed three actual hospital attacks where the attackers used medical device hijacking (MEDJACK) as part of their infiltration path. In the three hospital attacks examined, the firm found substantial compromises within medical devices including Picture Archive and Communications Systems (PACS), Blood Gas Analyzers (BGA), and X-Ray equipment.
“There are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart/lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more,” the report said.
These types of attacks don’t only hit the devices—which is concerning enough. They also can be used as springboards to launch broader attacks into the hospitals.
“Our research has told us that when compromised, a simple blood gas analyzer can become the pivot point to support an extended and continuing enterprise-wide attack. Recognize that a pivot attack begins with the reconnaissance process. Attackers begin by looking for the weakest asset in the network for persistence,” the report stated.
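The pivot pattern the report describes has a simple defensive corollary: a fixed-function device such as a blood gas analyzer has a very small, predictable set of network peers, so any connection outside that set, and especially a burst of connections to many new internal hosts, is a strong sign the device is being used for reconnaissance or lateral movement. The script below is an added example written for this page, not code from the article or from TrapX; the device names, peer names, ports, thresholds and flow records are all constructed, and a real deployment would feed it flow or firewall logs from the medical-device VLAN instead.

```python
"""Flag a fixed-function medical device that starts behaving like a pivot host.

Everything here is constructed for illustration: device names, peer names,
the flow-record format and the thresholds are assumptions, not values from
the article or the TrapX report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Baseline: the only (destination, port) pairs each device is expected to contact.
# A blood gas analyzer should talk to the lab information system and nothing else;
# the PACS node talks to the RIS (DICOM on 104) and its archive.
EXPECTED_FLOWS = {
    "bga-lab-01": {("lis.hospital.local", 443)},
    "pacs-01": {("ris.hospital.local", 104), ("archive.hospital.local", 443)},
}

# Constructed flow records: "<ISO timestamp> <source device> <destination> <destination port>"
SAMPLE_FLOWS = """
2016-03-01T08:00:01 bga-lab-01 lis.hospital.local 443
2016-03-01T08:05:10 pacs-01 ris.hospital.local 104
2016-03-01T08:06:00 pacs-01 archive.hospital.local 443
2016-03-01T09:12:03 bga-lab-01 ws-nurse-07.hospital.local 445
2016-03-01T09:12:04 bga-lab-01 ws-nurse-08.hospital.local 445
2016-03-01T09:12:05 bga-lab-01 ws-nurse-09.hospital.local 445
2016-03-01T09:12:06 bga-lab-01 dc-01.hospital.local 445
2016-03-01T09:12:07 bga-lab-01 fileserver.hospital.local 445
2016-03-01T09:12:08 bga-lab-01 ehr-db.hospital.local 1433
2016-03-01T11:30:00 pacs-01 archive.hospital.local 443
"""

SCAN_THRESHOLD = 5                   # distinct unexpected peers ...
SCAN_WINDOW = timedelta(minutes=1)   # ... reached within this window => scan burst


def parse_flows(text):
    """Turn the whitespace-separated records into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def _is_unexpected(src, dst, port):
    """True when src is a baselined device and (dst, port) is outside its baseline."""
    baseline = EXPECTED_FLOWS.get(src)
    return baseline is not None and (dst, port) not in baseline


def unexpected_flows(flows):
    """Rule 1: one alert per connection to a peer/port outside the device's baseline."""
    return [
        {"rule": "unexpected-peer", "time": ts, "device": src, "peer": dst, "port": port}
        for ts, src, dst, port in flows
        if _is_unexpected(src, dst, port)
    ]


def scan_bursts(flows):
    """Rule 2: many distinct unexpected peers inside SCAN_WINDOW (reconnaissance/lateral movement)."""
    per_device = defaultdict(list)
    for ts, src, dst, port in flows:
        if _is_unexpected(src, dst, port):
            per_device[src].append((ts, dst))

    alerts = []
    for device, events in per_device.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start..end] all fall within SCAN_WINDOW.
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= SCAN_THRESHOLD:
                alerts.append({"rule": "scan-burst", "device": device,
                               "first": events[start][0], "last": events[end][0],
                               "peers": len(peers)})
                break  # one burst alert per device is enough to raise the incident
    return alerts


def analyse(text=SAMPLE_FLOWS):
    """Run both rules over a block of flow records and return all alerts."""
    flows = parse_flows(text)
    return unexpected_flows(flows) + scan_bursts(flows)


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

Run as-is, the sample produces six unexpected-peer alerts for bga-lab-01 (SMB to five workstations and servers, then SQL to the EHR database) and one scan-burst alert for the same device, while pacs-01 stays quiet because every flow matches its baseline. The value of the approach lies in the baseline: because these devices are fixed-function, the allowlist can be tiny and the false-positive rate low, which is not true of general-purpose workstations.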
The Pros Outweigh the Cons
Could the security risks associated with healthcare IoT slow its adoption down? Probably not. Just as was the case with eCommerce, online and mobile banking, online payments, and nearly everything else that arose in the digital age—security risks don’t stop adoption. Concerns may slow it from time to time, but they only slow the rate at which adoption accelerates; they don’t pause it. And the forward path will be greater and greater adoption.
The benefits are just too great: better health outcomes, improved diagnostics from remote monitoring, swifter diagnosis of changing conditions. All of these benefits will outweigh the risks of data breaches and potential malfunctions. But that doesn’t mean the industry shouldn’t do its best to secure IoT. Quite frankly, just the opposite: there must be enormous pressure on the industry demanding secure medical devices and healthcare IoT. Getting the industry and regulators to care enough is a buyer-beware and consumer-awareness issue—it’s going to be up to the users of this technology to demand it. If they don’t, it’s not going to be done.
Industry Change Not Enough
The healthcare industry has been slow to wake up to the dangers, but it has begun to in the past year. The FDA, for instance, is the agency that regulates medical device safety, but regulations move more slowly than technology. In Oct. 2014, the FDA issued cybersecurity guidance on premarket device submissions. The FDA guidance “encourages” manufacturers to build their healthcare devices with security in mind. This is a good place to start.
But by waiting for regulators to do what needs to be done, it will be too late to remedy a bad situation. Too many of these devices will be installed. There will be poorly secured integrations and APIs. As soon as these are in place, healthcare IoT will have structural security challenges that could persist for decades. That’s not good enough. To ensure healthcare IoT is secure and designed to be rugged enough for public safety—healthcare providers, insurers, and others in the system need to demand these devices are designed, built, deployed, and managed as securely as they reasonably can be.
Otherwise, no matter how proactive, or how many layers of defense they put into place, or how prepared they are to respond to successful breaches—it’ll never be good enough when defending a poorly built foundation.