By Steeve Huin, vice president of strategic partnerships, business development and marketing, Irdeto.
The Internet of Things (IoT) market is booming, with IHS Markit forecasting 73 billion connected devices in use around the world by 2025. IoT technology has moved beyond smart speakers and fridges and is increasingly used for critical applications across the healthcare industry, such as pacemakers, insulin and infusion pumps and medical imaging systems.
This Internet of Medical Things (IoMT) is opening up new possibilities to improve patient care while also improving operational productivity and effectiveness. However, as connected and increasingly complex medical devices proliferate, the attack surface of healthcare providers grows with them, and so does their exposure to cyberattacks.
The key challenge is that cyber criminals often operate as businesses themselves and focus on the targets that provide the greatest return on their hacking investment. As the healthcare sector becomes more connected, the impact of IoT-focused cyberattacks could therefore become extremely costly if security is not prioritized. Insecure devices, and the companion apps that often accompany them, present a variety of risks to safety and privacy in a critical industry such as healthcare.
The IoMT Threat Landscape
Unfortunately, cyberattacks are already an all too common reality for many organizations in the healthcare space. A recent Irdeto survey of security decision makers in the healthcare, transport and manufacturing sectors found that 82% of healthcare organizations had experienced an IoT-focused cyberattack in the past year, and that 30% of those attacks resulted in compromised end-user safety.
IoT devices are often targeted by cybercriminals because they are far easier to compromise than a business's hardened perimeter defenses. The problem is that the growth in IoT deployments has far outstripped the growth in trained security professionals. As a result, healthcare organizations often lack the in-house expertise to verify that the connected devices they deploy are secure.
The research also emphasized this point, revealing that only 6% of healthcare organizations have everything they need to tackle IoT cybersecurity challenges, with more skills and a larger security budget identified as the most urgent requirements. In addition, 98% of healthcare respondents believe the cybersecurity of IoT devices could be improved, and one in four manufacturers of IoT devices for healthcare only update the security of the devices they make while those devices are under warranty.
These alarming findings, combined with the cyber incidents reported against critical connected devices in the last few years, make for worrying reading. In the last two years, for example, pacemakers have been recalled for a firmware update addressing cybersecurity vulnerabilities, and the FDA and Health Canada have issued cybersecurity warnings for insulin pumps.
In addition, in October 2019 the FDA and the Department of Homeland Security issued a safety communication on "URGENT/11" to inform patients, healthcare providers and medical device manufacturers about 11 vulnerabilities (several of them allowing remote code execution) in a third-party TCP/IP networking stack embedded in operating systems used in the medical devices of major medical technology companies. Because the flaw lies in a software component shared across many products, a single disclosure can affect devices from many manufacturers at once. These events demonstrate that care providers worldwide must continue to evolve their security approach to ensure the security of care facilities and medical devices and the safety of patients.
Securing the IoMT
The key issue is that many of the industries now experiencing a connectivity boom never expected the IoT to apply to them, and so have historically not been prepared for the security problems that accompany connectivity. This is not to say that organizations are not implementing cybersecurity technology and strategies. However, the integration of a wide range of devices of uncertain security, coupled with evolving regulations and requirements for addressing cybersecurity, has created an extremely confusing security landscape, one that organizations in the healthcare sector must urgently learn to navigate.
The research did also find, however, that almost all healthcare respondents (rounded to 100%) agreed that a security solution should be an enabler of new business models, not just a cost. This suggests that attitudes towards IoT security are changing for the better as IoT devices proliferate throughout the sector.
In addition, the FDA's 2018 draft premarket cybersecurity guidance proposed two device tiers, Tier 1 (higher cybersecurity risk) and Tier 2, based on a device's connectivity and the scale of patient harm a compromise could cause. Under the draft, premarket submissions such as a 510(k) for a Tier 1 device should include documentation showing that design and risk-assessment activities followed the FDA's requirements. Beyond that, the draft recommends a framework aligned with the NIST Cybersecurity Framework, proposes new labeling instructions and asks manufacturers to share a cybersecurity bill of materials with customers, so that a healthcare organization can tell which of its devices contain a vulnerable component when an advisory is published. To follow these guidelines and secure the IoMT, the healthcare sector must first implement end-to-end threat monitoring across patients, devices and networks.
It must then implement a multi-layer, defense-in-depth approach to protect patient and care-provider data and the integrity of medical devices and applications. Securing each potential entry point is critical to preserving the integrity of the network and safeguarding data and people.
The bottom line is that IoT-focused cyberattacks will remain prevalent as the use of IoT devices grows. As those devices are increasingly used in mission-critical scenarios in industries like healthcare, however, the impact of operational downtime and of compromised end-user safety becomes far greater than a financial cost. Manufacturers carry a greater responsibility for potentially critical IoT in healthcare and must move away from the traditional "build, ship and forget" mindset and build multiple layers of security into the devices they manufacture. But healthcare organizations cannot rely on manufacturers alone and must also adopt a more strategic approach to cybersecurity.