There is no doubt that we have moved into the growth stage of the internet of things, as devices, things and connected services have very much become a part of the consumer/commercial conversation. Today — driven by the success of Google Home, Alexa, Nest and other systems — IoT-related devices are now something you can purchase at Best Buy, Bed, Bath & Beyond or the U.K.’s John Lewis.
Today’s devices, services and underlying machine learning and artificial intelligence are very much pushing the envelope on what is possible with connected cars, the smart home and wearable technology. However, one of the main threats to the success of the IoT phenomenon is the potential lack of security and privacy protection — and the lack of knowledge around these issues. Do end users, device manufacturers and cloud service providers understand that the data they handle could be at risk of theft, misuse or manipulation? The answer apparently is no.
A security study published earlier this spring documented several cases of poor security, especially relating to pacemakers. The report highlighted a situation where vulnerabilities could be exploited in order to send malicious commands to the pacemaker directly, or intercept and alter data being sent from it. Here was a direct and clear example of multiple stakeholders in a healthcare IoT ecosystem not understanding the risks at hand. Indeed, one could go as far as saying the situation was a life-or-death case in point for the need for improved IoT safeguards and privacy control.
Healthcare IoT has outpaced cybersecurity planning
How did it come about that healthcare IoT was developed with many glaring security weaknesses, which is even more glaring in light of the fact there are 15 million installed healthcare IoT devices in the U.S. alone? As with many IoT devices, security is often seen as an inhibitor to application and services development, with security and privacy practices evolving as “bolt on” features, long after the device ecosystem was designed. This is both costly and dangerous.
In an effective healthcare IoT development ecosystem, devices themselves, along with the services, cloud infrastructure and applications they interact with, need to have clear infosec, identity and privacy controls embedded from the beginning. To achieve this, full data lifecycle analysis needs to be completed, along with the correct level of risk mitigation and protection. Where there are transaction points or areas that require protection, here is where developers need to find ways to upgrade privacy controls or security measures; it’s essential to maintain the confidentiality, availability and integrity of any data, function or service for which the healthcare device is responsible.
If we analyze the specific pacemaker case above, what exactly did the study find? First word of these vulnerabilities came via cybersecurity notices from the U.S. Food & Drug Administration in January 2017: “Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication.” This report detailed that vulnerabilities were not with the pacemaker device itself, but with the in-home transmitter used to monitor the devices and share data with doctors and caregivers. These transmitters collect data from the pacemaker and upload it to a private cloud where clinicians can monitor heart activity. The vulnerability? That the transmitter can also send signals and commands to the pacemaker, potentially enabling a bad actor to disable the device. Further study shows that the pacemaker/transmitter systems are vulnerable to programming hacks as well. The USDA report offers a clear example of where the entire device ecosystem needs to be analyzed to identify data entry and exit points, device and user identity and access management requirements, as well as how the device itself is managed. For example, how are vulnerabilities patched or firmware updated?
An ounce of prevention: Steps in defending healthcare IoT
Given the vulnerabilities exposed in the pacemaker report, what would be a logical path toward securing critical medical devices and systems?
- Admit the dangers. As a first step, device makers and healthcare providers together need to commit themselves to taking action, as another report proves how organizational preparedness for dealing with these threats is lacking. ISACA’s “State of Cyber Security 2017” report cited the fact that healthcare ransomware attacks are on the rise, with 62% of respondents indicating they’d experienced ransomware in 2016, but only 53% had any kind of formal process in place for dealing with it. Indeed, many of the device and cloud vulnerabilities that came to light during last year’s Dyn DDOS attack are likely to remain unresolved years into the future.
- Improve awareness and training. Both at the executive level and in cybersecurity departments, there’s a constant need for training. The bad guys and black hats thrive on innovation, so investments in focus, time and money must happen to keep up. The ISACA report found that the huge majority of cybersecurity professionals are allotting $2,500 or less per year for ongoing training, with one in four receiving less than $1,000. Considering the risks involved in healthcare IoT security, these are scarily inadequate budgets.
- Act cooperatively. By joining with other providers in setting the best practices and benchmarks for secure IoT adoption, device makers and healthcare providers can be on the same page in addressing security concerns. Sharing updates and responses to security threats, whether via forums or distributed alerts to cybersecurity experts working within these organizations, can help preempt problems before they become disasters. It’s an effective model being followed by cybersecurity entities in other industries, most notably financial services, and the FDA has made clear recommendations about how to implement it for healthcare IoT. The National Health Information Sharing and Analysis Center (NH-ISAC) is a prototypical example of just such a trusted community.
- Move beyond existing infrastructures. Even healthcare providers and organizations with cybersecurity systems in place that have been “good enough” to date are courting catastrophe. Older IT and security infrastructures lack transparency, are fragmented and siloed, inflexible and incapable of scaling. The very nature of IoT, however, demands agility and scalability from cybersecurity measures, and legacy systems limit a provider’s ability to respond to these new requirements.
- Adopt unified, scalable, future-proofed identity verification systems. Centrally managed identity platforms with state-of-the-art encryption and other safeguards already exist, and can scale to manage millions of patients, doctors, providers and healthcare professionals and the IoT devices they use, as well as other services and equipment. Such systems can register people and devices, link them together, authorize and de-authorize their access to data, guard against attacks, and apply policies on security and privacy practices and personalization. This way, high-level authentication, data security and cybersecurity are bolstered through an integrated ecosystem that’s also able to support the new technologies continually evolving in tandem with IoT.
In an age when hackers are frighteningly intent on disrupting or manipulating everything from the electoral process to power grids, healthcare IoT is too ripe a target for them to ignore. Which is why proactive planning, rather than passivity or reactivity, is the key to fending them off and protecting patients and providers alike.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.