Manage Learn to apply best practices and optimize your operations.

When an attack means murder: The IoT healthcare security vulnerability

If healthcare security was an emergency before IoT, thanks to privacy risks and other threats, the emergence of connected devices pushes this to a potential crisis.

But before we panic and start throwing money against the problem quickly and mindlessly, which is a normal reaction to existential risks, let’s first understand some of the frameworks that are operating.

First, we need to keep in mind that advanced attack campaign patterns essentially behave the same across industries: There are similar intents behind attacks, and the same tactics and techniques to execute these intents.

A hacker can be a murderer

Goals and methods are typically agnostic to industry, from healthcare to banking to intelligence. Attackers always want the same things: to steal information, manipulate data, disrupt service with DoS attacks and use ransom to achieve their ends. But while in other industries the risks are financial and reputational, when it comes to health services and IoT connected devices, human lives are at stake. A hacker can be a murderer.

And as healthcare gets more sophisticated, the risks intensify. Take AI, for example. AI and machine learning have already entered the practice of medicine, as they automate some basic medical decision processes. Hackers are well aware of this, which frames attack intent as “medical decision manipulation.” In other words, imagine an attack that manipulates the training data of AI modules, providing fake inputs to the system that will eventually result in a wrong medical decision. A hacker can change the inputs into the algorithm — falsifying blood tests, for example — and the “computerized medical advisor” could prescribe medication that can harm or even kill the patient. This is a terrifying notion.

These AI systems need to be supervised by heuristics, expert systems and rules (medical expert rules), which provide some level of control and flag suspicious activities which may represent malicious AI behavior.

Again, remember that actors behind attacks in the healthcare industry are no different than in other industries. Insiders, nation-wide actors, criminal organizations … they are all possible murderers, each their own motivation and intent.

Remember also that the industry is fragmented, increasing the risk. Healthcare IoT devices, like pacemakers, implantable glucose monitoring devices and blood pressure monitoring tools are part of a complex IT ecosystem which presents a wide threat surface for attackers to exploit. These devices rely on communication between various databases, storage and control stations across different networks, and are operated by different people with different levels of trust and cybersecurity knowledge, including in the patient’s home, hospitals, clouds and so on.

These complex inter-relationships make each com, and the entire system, more vulnerable. This was evident in the spring 2017 attack on the healthcare system in the UK, which essentially forced a full system to shut down. Operations were cancelled, ambulances were diverted and documents, such as patient records, were made unavailable in England and Scotland.

A frozen system creates havoc; attackers cherish that pain, and they will always use this complexity to their own advantage!

Healthcare ecosystem: Heal thyself

Because patterns are heuristic, we know that advanced IoT cyberattacks are multistage and multivector, reaching the various related components in different network locations. As a result, they require a security ecosystem that:

  1. Effectively detects suspicious moves
  2. Conducts investigative actions to validate intent
  3. Automates prevention or mitigation actions

These three steps are massively complex. This security architecture must learn how to receive signals from various devices, servers and services in the patient’s home, hospitals and clouds — and then centrally analyze them in near real time, while also “connecting the dots” to reveal possible malicious intent. Only after that can accurate prevention measures be activated.

In order to be proactive, this ecosystem needs to be collaborative at the core. Once a new advanced attack campaign is recognized and analyzed, the appropriate defense strategy should be shared and implemented in various environments (including other hospitals). These don’t necessarily have the same security tools, and most likely are not operated by the same security vendors. Therefore, sharing defense models requires a new level of “defense strategies translators” so they can be quickly and well adapted into any relevant environment.

Solving these issues requires a global effort that defines healthcare as “critical infrastructure” and implements security technologies that include advanced security analytics, and orchestration and automation capabilities. These new systems are being called the next-generation security information and event management, or SIEM 3.

Decades ago, hacking emerged as a nuisance — call it Hacking 1.0. Then it became more sophisticated and advanced targeted attacks turned into Hacking 2.0. The world of IoT, especially in healthcare, creates Hacking 3.0. In a short time we’ve gone from nuisance to possible murder. We are vulnerable, but we don’t have to be victims.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.