{"id":35642,"date":"2020-05-22T10:11:22","date_gmt":"2020-05-22T14:11:22","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&p=35642"},"modified":"2022-04-11T08:54:55","modified_gmt":"2022-04-11T12:54:55","slug":"smart-healthcare-iot","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/smart-healthcare-iot\/35642\/","title":{"rendered":"Security in smart healthcare must make a fast recovery"},"content":{"rendered":"

Wilhelm Conrad R\u00f6ntgen\u2019s accidental discovery of the X-ray 125 years ago<\/a><\/u> launched a new era of medical breakthroughs. Without the X-ray, we wouldn\u2019t have CT scans and MRIs. Now, the internet of things (IoT,) alongside big data and cloud computing, bring another new age \u2013 one of \u2018smart\u2019 healthcare that drastically improves patient care and operational efficiency.<\/p>\n

These technologies also bring new risks. IoT medical devices connect to each other, to the network and to public internet. Many weren\u2019t designed with cybersecurity in mind from the beginning<\/a><\/u>. What might this mean for protecting patient privacy?<\/p>\n

Poor prognosis for patching and updates<\/h2>\n

Information security veteran and entrepreneur Aviram Jenik believes healthcare faces a perfect storm. He\u2019s co-founder and CEO of US-based Beyond Security<\/a><\/u>, a company that assesses and manages network vulnerability.<\/p>\n

\u201cIoT devices use common web browsing engineers and operating systems. If there\u2019s a security hole one of these platforms, the device is vulnerable,\u201d he says.<\/p>\n

Unlike those common platforms, it\u2019s harder \u2013 sometimes impossible \u2013 to patch devices for vulnerabilities. Medical devices tend to have a life cycle of 15 to 20 years, so it\u2019s more likely they\u2019re running on outdated or unsupported operating systems.<\/p>\n

\u201cJust because the operating system is at the end of life, it doesn\u2019t mean medical manufacturers can swap it out,\u201d says John Gomez, CEO of Sensato<\/a><\/u>, a US company providing cybersecurity for medical devices. \u201cIt\u2019s a quandary for everybody, financially as well as technically.\u201d<\/p>\n

The rise of the internet of medical things<\/h2>\n

The dilemma of weighing the risks vulnerabilities pose against the cost of patching or replacing devices will intensify as the market grows. Healthcare\u2019s adoption of the internet of medical things (IoMT) is in its infancy, but moving fast.<\/p>\n

Healthcare is the third fastest-growing sector for IoT globally<\/a><\/u>, according to market analysis company IDC. Global accounting and audit giant Deloitte forecasts the medical device market will more than triple<\/a><\/u> between 2017 and 2022, reaching a value of 52 billion US dollars.<\/p>\n

A 2019 IBM study found data breaches are most costly in healthcare<\/a><\/u>, averaging nearly 6.5 million US dollars. Healthcare is a constant target, as seen in incidents like Singapore\u2019s health service data breach<\/a><\/u>, affecting 1.5 million patients, or the ransomware attack that disabled IT systems at a French hospital<\/a><\/u>.<\/p>\n

As IoMT matures, and concerns about security grow, manufacturers need to rethink their approach to design. But what happens in the meantime?<\/p>\n

Healthcare\u2019s IT support sparse and jumbled<\/h2>\n

Looking at data from seven years of running projects with hospitals, Sensato found 60 percent of medical devices are at their end of life<\/a><\/u> with no patches available. Just months before Microsoft support for Windows 7, 2008 and Mobile were to expire, security firm Forescout found 71 percent of Windows devices in healthcare used those outdated operating systems<\/a><\/u>.<\/p>\n

The devices, Sensato\u2019s Gomez notes, are only part of the problem. There are few IT staff in most healthcare organizations. A hospital with 6,000 to 7,000 staff may have only one or two IT personnel.<\/p>\n<\/blockquote>\n

\u201cThey\u2019re managing complicated infrastructure with hundreds of servers and applications that communicate with other healthcare organizations,\u201d Gomez says. \u201cThe problem exponentially grows when adding IoT or IoMT devices,\u201d he adds. \u201cIT staff may not even have visibility into them because their management falls to other departments, such as facilities or clinical care.\u201d<\/p>\n

Gomez continues, \u201cYou\u2019re trying to secure an environment where you don\u2019t even know everything because it\u2019s not part of the IT department. It\u2019s a daunting task to lock down the devices.\u201d<\/p>\n

Healthcare data is attractive to cybercriminals. It has a high dark market value. Healthcare organizations may also be more inclined to pay out in ransomware attacks<\/a><\/u> to avoid disrupting patient care.<\/p>\n

\u201cMany healthcare organizations are still struggling to understand the risks. Growing device connectivity makes safeguarding data a bigger challenge. Connected medical devices not visible to IT are still visible to attackers,\u201d says Oleg Gorobets, Kaspersky\u2019s Senior Global Product Marketing Manager.<\/p>\n

Fast-growing awareness, slow improvement<\/h2>\n

A few years ago, there was little conversation outside of the information security community about the risks of connected devices in healthcare. Todd Weber, Chief Technology Officer for security solutions integrator Optiv Security<\/a><\/u>, notes there\u2019s also the mindset among healthcare leaders that hospitals are safe places.<\/p>\n

\u201cHealthcare organizations have more of an open environment, which makes them vulnerable,\u201d Weber says. \u201cIt\u2019s a huge mindset to get over, to understand that hospitals are being purposefully attacked.\u201d<\/p>\n

But awareness of security problems with IoMT is growing. \u201cFor security, we like to say that awareness is 90 percent of the battle, and we have that,\u201d Jenik of Beyond Security says. \u201cEverybody involved wants IoMT to be secure, so there\u2019s no conflict.\u201d<\/p>\n

Regulation may be helping<\/h2>\n

Regulatory agencies around the world \u2013 like the US Food and Drug Administration (FDA) and the China Food and Drug Administration (CFDA) \u2013 have started pushing for better security.<\/p>\n

The FDA publishes security guidelines for manufacturers and issues advisories when vulnerabilities are discovered. This action ripples worldwide because eight of the world\u2019s top ten medical device companies are US-based<\/a><\/u>, and about half their sales go offshore.<\/p>\n

While the FDA guidelines are non-binding, China took a more assertive stance, including mandatory security assessment and registration of networked devices<\/a><\/u>, with fines for those who don\u2019t comply.<\/p>\n

The European Commission brought in sweeping changes in 2020: The Medical Device Regulation (MDR)<\/a><\/u>. As the regulation impacts all manufacturers selling in the European Union, it will have global effects.<\/p>\n

Like many in security, Gomez of Sensato isn\u2019t fond of regulation. But in healthcare, he thinks it could catalyze change. \u201cSecurity in healthcare is behind, so you get a domino effect,\u201d he says. \u201cAt some point, only regulation or something like a terrorist attack will be a wake-up call.\u201d<\/p>\n

Cybersecurity risk taken to heart<\/h2>\n

\"smart
\nAwareness may be growing, but the pace of change in healthcare is slow. \u201cIt\u2019s for good reason because the stakes are different. You\u2019re impacting human lives,\u201d Weber says.<\/p>\n

Potentially vulnerable devices include implantable cardiac defibrillators (ICDs) and pacemakers. These use a wireless communication protocol so physicians can collect data and change therapy. In 2007, US Vice President Dick Cheney had his pacemaker\u2019s wireless communication disabled<\/a><\/u> to avoid attack. Still, in 2016, researchers found a \u201cweak adversary\u201d could reverse-engineer a proprietary protocol used in 10 products with inexpensive, off-the-shelf equipment<\/a><\/u>.<\/p>\n

Attacks on medical devices in the wild<\/h2>\n

So far, cybercriminals haven\u2019t taken advantage of known vulnerabilities in cardiac devices, but security experts think risks will grow as many security holes open new opportunities for attack.<\/p>\n

It\u2019s just a matter of time before we see attacks on medical devices in the wild. Centralized networks of wearable and implanted medical devices will mean a new threat: A single point of entry to attack all patients using these devices.<\/p>\n

Yury Namestnikov<\/strong><\/p>

Kaspersky's Head of Research Center, Russia<\/p><\/cite><\/blockquote>\n

That open environment in hospitals Weber noted means other weaknesses. Medical equipment is not only easily accessible, it often connects to the same network as hospital computers. \u201cEven with a segregated IoMT network, cyberattackers can use one device to get to others,\u201d Kaspersky\u2019s Gorobets adds.<\/p>\n

Is 5G a symptom or treatment?<\/h2>\n

A lot of buzz surrounds the emerging technology 5G<\/a><\/u>, even though it\u2019s a few years away from its full potential. Telecommunications multinational Ericsson forecasts cellular IoT connections will quadruple to five billion by 2025<\/a><\/u>.<\/p>\n

Weber says for security, 5G is another way to attack. \u201cIoT devices will be able to communicate with networks in different ways. With 5G, many become easier to exploit because access is outside corporate governance.\u201d<\/p>\n

But Gomez speculates 5G may improve security. 5G has higher encryption levels because of its greater bandwidth capacity. Some leaders of new hospital projects may decide 5G makes financial sense. They could reduce their wireless infrastructure and use 5G providers for direct cloud access from every device.<\/p>\n

\u201c5G also allows for software-defined networking, where you can put in place a powerful set of tools and lockdowns for the user and access controls based on traffic,\u201d Gomez says.<\/p>\n

The path to hospital-grade IoMT security<\/h2>\n

Beyond Security\u2019s Jenik says after awareness, the next step is to work out how to secure devices. Consumers could also have a voice. \u201cWe should all push manufacturers and healthcare providers to meet security standards,\u201d he says.<\/p>\n

Kaspersky\u2019s Gorobets says healthcare institutions should take immediate action. \u201cImplement better IT practices, like segmenting networks and controlling access, cybersecurity awareness training<\/a><\/u> and using specialized solutions to lock down what can be secured now.\u201d<\/p>\n

Healthcare providers can\u2019t sit and wait for manufacturers to take action. But they can do something now to safeguard patients\u2019 lives in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"

Smart healthcare needs better security to protect patients. A large part of the problem is how hospitals think about IT security.<\/p>\n","protected":false},"author":2568,"featured_media":35643,"template":"","coauthors":[3807],"class_list":{"0":"post-35642","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-enterprise-cybersecurity","7":"emagazine-category-internet-of-things","8":"emagazine-tag-healthcare","9":"emagazine-tag-internet-of-things","10":"emagazine-tag-safety-technologies"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/smart-healthcare-iot\/35642\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/smart-healthcare-iot\/22410\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/smart-healthcare-iot\/20539\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/35642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2568"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/35643"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=35642"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=35642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}