
When an attack means murder: The IoT healthcare security vulnerability

If healthcare security was an emergency before IoT, thanks to privacy risks and other threats, the emergence of connected devices pushes this to a potential crisis.

But before we panic and start throwing money at the problem quickly and mindlessly, which is a normal reaction to existential risks, let’s first understand some of the frameworks that are operating.

First, we need to keep in mind that advanced attack campaign patterns essentially behave the same across industries: There are similar intents behind attacks, and the same tactics and techniques to execute these intents.

A hacker can be a murderer

Goals and methods are typically agnostic to industry, from healthcare to banking to intelligence. Attackers always want the same things: to steal information, manipulate data, disrupt service with DoS attacks and use ransom to achieve their ends. But while in other industries the risks are financial and reputational, when it comes to health services and IoT connected devices, human lives are at stake. A hacker can be a murderer.

And as healthcare gets more sophisticated, the risks intensify. Take AI, for example. AI and machine learning have already entered the practice of medicine, as they automate some basic medical decision processes. Hackers are well aware of this, which frames attack intent as “medical decision manipulation.” In other words, imagine an attack that manipulates the training data of AI modules, providing fake inputs to the system that will eventually result in a wrong medical decision. A hacker can change the inputs into the algorithm — falsifying blood tests, for example — and the “computerized medical advisor” could prescribe medication that can harm or even kill the patient. This is a terrifying notion.

These AI systems need to be supervised by heuristics, expert systems and rules (medical expert rules), which provide some level of control and flag suspicious activities which may represent malicious AI behavior.
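A minimal sketch of such rule-based supervision, added here as an example and not taken from the article or any product: it checks both the lab input and the model's suggestion before release. The limits, field names and the `decide` function are constructed assumptions for illustration, not clinical values.

```python
from dataclasses import dataclass

# Constructed, illustrative limits only; real rules come from medical experts.
VALUE_RANGE = (20.0, 600.0)    # accepted range for the lab value (assumed units)
MAX_CHANGE_PER_HOUR = 100.0    # faster change than this is treated as implausible
MAX_AUTOMATED_DOSE = 10.0      # ceiling for a dose the model may suggest unaided

@dataclass
class Reading:
    hours: float   # sample time, hours since admission
    value: float   # lab value fed to the model

def review(history, new, suggested_dose):
    """Return the list of violated rules; an empty list means nothing was flagged."""
    flags = []
    low, high = VALUE_RANGE
    if not low <= new.value <= high:
        flags.append("input_out_of_range")
    if history:
        prev = history[-1]
        elapsed = new.hours - prev.hours
        if elapsed <= 0:
            # Replayed or back-dated samples are a sign of tampering with the feed.
            flags.append("timestamp_not_increasing")
        elif abs(new.value - prev.value) / elapsed > MAX_CHANGE_PER_HOUR:
            flags.append("input_jump_vs_history")
    if not 0 <= suggested_dose <= MAX_AUTOMATED_DOSE:
        flags.append("dose_outside_expert_limits")
    return flags

def decide(history, new, suggested_dose):
    """Release the model's suggestion only when no expert rule is violated."""
    flags = review(history, new, suggested_dose)
    return ("hold_for_clinician", flags) if flags else ("release", [])
```

A falsified input tends to trip the history rule even when it stays inside the absolute range, which is why both checks are kept.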

Again, remember that actors behind attacks in the healthcare industry are no different than in other industries. Insiders, nation-state actors, criminal organizations … they are all possible murderers, each with their own motivation and intent.

Remember also that the industry is fragmented, increasing the risk. Healthcare IoT devices, like pacemakers, implantable glucose monitoring devices and blood pressure monitoring tools, are part of a complex IT ecosystem which presents a wide threat surface for attackers to exploit. These devices rely on communication between various databases, storage and control stations across different networks, and are operated by different people with different levels of trust and cybersecurity knowledge, including in the patient’s home, hospitals, clouds and so on.

These complex inter-relationships make each component, and the entire system, more vulnerable. This was evident in the spring 2017 attack on the healthcare system in the UK, which essentially forced a full system to shut down. Operations were cancelled, ambulances were diverted and documents, such as patient records, were made unavailable in England and Scotland.

A frozen system creates havoc; attackers cherish that pain, and they will always use this complexity to their own advantage!

Healthcare ecosystem: Heal thyself

Because patterns are heuristic, we know that advanced IoT cyberattacks are multistage and multivector, reaching the various related components in different network locations. As a result, they require a security ecosystem that:

  1. Effectively detects suspicious moves
  2. Conducts investigative actions to validate intent
  3. Automates prevention or mitigation actions

These three steps are massively complex. This security architecture must learn how to receive signals from various devices, servers and services in the patient’s home, hospitals and clouds — and then centrally analyze them in near real time, while also “connecting the dots” to reveal possible malicious intent. Only after that can accurate prevention measures be activated.
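The three steps above, sketched as an added example (not code from the article or from any SIEM product): signals from home, hospital and cloud are grouped per device, linked into stages within a time window, and mapped to a response. The event tuples, signal names, stage mapping, window and action names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample signals: (epoch seconds, source location, device id, signal name).
EVENTS = [
    (100, "home", "pump-17", "auth_failure_burst"),
    (160, "cloud", "pump-17", "config_read_from_new_ip"),
    (220, "hospital", "pump-17", "dose_setting_changed"),
    (300, "hospital", "mon-04", "auth_failure_burst"),
    (5000, "cloud", "mon-04", "config_read_from_new_ip"),
]
WINDOW = 600  # seconds in which stages must fall to be treated as one campaign
STAGE = {  # hypothetical mapping from signal name to attack stage
    "auth_failure_burst": "access",
    "config_read_from_new_ip": "discovery",
    "dose_setting_changed": "manipulation",
}

def detect(events):
    """Step 1: keep signals that map to a stage, grouped per device in time order."""
    hits = defaultdict(list)
    for ts, location, device, signal in sorted(events):
        if signal in STAGE:
            hits[device].append((ts, location, STAGE[signal]))
    return hits

def investigate(device_hits):
    """Step 2: return stages seen from two or more locations within one WINDOW."""
    for i, (start, _, _) in enumerate(device_hits):
        span = [h for h in device_hits[i:] if h[0] - start <= WINDOW]
        stages = {stage for _, _, stage in span}
        if len(stages) >= 2 and len({loc for _, loc, _ in span}) >= 2:
            return stages
    return set()

def mitigate(stages):
    """Step 3: pick the response from what the investigation confirmed."""
    if "manipulation" in stages:
        return "isolate_device_and_page_clinician"
    return "force_reauth_and_alert_soc" if stages else "log_only"

def run(events):
    """Run all three steps and return the chosen action per device."""
    return {dev: mitigate(investigate(h)) for dev, h in detect(events).items()}
```

The same two signals on `mon-04` fall outside the window and stay at `log_only`, which is the "connecting the dots" distinction: isolated events are recorded, linked ones trigger a response.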

In order to be proactive, this ecosystem needs to be collaborative at the core. Once a new advanced attack campaign is recognized and analyzed, the appropriate defense strategy should be shared and implemented in various environments (including other hospitals). These don’t necessarily have the same security tools, and most likely are not operated by the same security vendors. Therefore, sharing defense models requires a new level of “defense strategies translators” so they can be quickly and well adapted into any relevant environment.

Solving these issues requires a global effort that defines healthcare as “critical infrastructure” and implements security technologies that include advanced security analytics, and orchestration and automation capabilities. These new systems are being called the next-generation security information and event management, or SIEM 3.

Decades ago, hacking emerged as a nuisance — call it Hacking 1.0. Then it became more sophisticated and advanced targeted attacks turned into Hacking 2.0. The world of IoT, especially in healthcare, creates Hacking 3.0. In a short time we’ve gone from nuisance to possible murder. We are vulnerable, but we don’t have to be victims.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.


What keeps you in your job?
Money is not everything. I like a challenge and flexible schedule. I also work with a great bunch of co-workers in an open office setting and we are always helping each other out. We also do a few things together outside of the office like golf and mountain biking.

At the beginning of your career, money is important and you have to make enough to at least pay the bills. I think people like challenge and change and it is not only challenging work. If you work with a great team, the members will push and challenge you to learn, grow and stretch. The challenge from the dynamics of a great team is motivating and fulfilling.

There are several factors - having a boss who gives me the liberty to work on what I deem most important, the challenges that I get to work on and the colleagues I get to work with, the benefits and pay are good, and I love the location (close to 5 impoundments, the Great Smoky Mountains National Park, and numerous state parks).
Almost forgot the creativity aspect. I have worked places where it's push out code as fast as possible to meet deadlines. It may not have been the best solution but the job got done. Now move on... My new position allows a lot more creativity and freedom to shine. Now that a lot of the stuff I work on is for the web we get to show off a bit.
In a word, variety. The vast collection of assignments I have - and have had - over the past 23 years serve to enlighten and energize me. Having control over my schedule is key. Working on creative projects keeps me coming back for more day after day. Perhaps the real key is doing something you're good at and something you love.
This will always be a task for leadership and management to consider.  And the reason is that everyone is different.  What motivates one person may not motivate the next.  But that is why managers are in the role they have.  Because the people aspect and being able to understand what specifically motivates your team is one of the most important qualities of the role.

The one thing that we all must be aware of is the fact that there is no golden ticket here, no silver bullet that solves all of the problems.  Being in a management role requires us to know the specific situation that we have within our team, and knowing what the team sees as the driving force that gets them out of bed every morning and makes them happy to come to work.

With that said, there are obvious core needs that everyone would seem to have.  While money, recognition, special perks (e.g. time off, special days out of work, dress down days, additional vacations or holidays, etc), it would seem likely that each and every person in the workforce wants to feel appreciated for what they do.  Nothing will kill a person's demeanor and self respect like a boss that doesn't make them feel like they are working on something important to the organization, and nothing will kill a person's self respect more than coming to work every day and not being sure if your boss even knows (or cares) what you are doing.

So there are surely more motivating aspects of the job than just money and physical takeaways from the role.  If we want to grow an organization, we need to ensure that the teams know exactly what is expected of them, exactly how they are doing to meet those goals for which they are responsible for assisting, and exactly what they are doing well (and not well) along this journey.
That's a very interesting question for me to answer!
I'm a self-employed testing consultant and contractor.

I like my occupation because testing is a thinking challenge and a learning journey. I like accomplishing projects and taking on new ones. Though I also had to learn to be a "firefighter" and jump right into the troubles by the client's request.

There were hard and stressful contracts I still really enjoyed because there was a great team, real impact, or both.
I would also add a sense of solving a problem and making a difference.
Having a boss that understands about real life and issues. A while back I fell and broke my foot in 2 places. I had to stay off it for a while and keep it elevated. Instead of going on disability at work, they got me a laptop with a VPN so I could work from home at my leisure. When other things have come up in life, he's like "No problem, do you need just a day?" By him acting like a human, as opposed to some other bosses I have had, I'm willing to put in extra effort and take on more responsibility.
First and foremost is the people I work with. When I respect the people I work with, when I enjoy working with them, when I look forward to coming in to work specifically because I look forward to that interaction, that's a great feeling. That's not to say that we are all necessarily pals or share the same interests across the board (not even close ;) ), but a sense of camaraderie helps tremendously.

Second is interesting technical challenges and a chance to solve authentic problems. As a software tester, I enjoy when I find something important, or figure out a way to do something that saves time but still provides important information to the stakeholders and customers.

Third is the chance to stretch beyond my comfort zone, and discover talents and skills I never knew I had, and again, working with people that encourage that discovery and help you reach new goals.

Of course, all of this would be moot if I was not earning enough to pay for the things that are important to me (such as upkeep for a home, caring for a spouse and children, saving for children's education and our eventual retirement, and the ever important making sure we can pay for food, clothing, utilities and various creature comforts where we can). With all that, I don't necessarily look to a higher salary as a first incentive. If all of the above are met, and I'm offered a higher paying gig, sure, I'll consider a transition, but I'm much less likely to consider it if the money is the only thing. 
I agree with Michael, co-workers can make a big difference. Everyone can have an off day. Blow off some steam at your desk. What makes things bad is when that co-worker runs to the boss. That can break trust issues and keep you looking over your shoulder instead of staying focused on your work.
I stay where I'm working because the jobs are exciting, because I get strong support from those around me, because I have ready access to the smartest people in the room.

Agree with Todd and Michael that without trust and mutual respect with co-workers and manager, it is not a nice work environment.

Recently I changed my job and transferred to a telecommunication company because they have thousands of opportunities to motivate what I want to challenge in the next few years.
Balance between good co-workers and fair pay