Opinion: IoT - A world of hurt for healthcare, maybe
Not a day seems to go by when IoT doesn’t hit the security headlines as a terrible source of vulnerabilities waiting to be targeted and exploited. In fact, only recently did the FDA issue advisory warnings about a whole suite of vulnerabilities in IoT devices that could affect everything from neonatal incubators through to anaesthesia machines. These were dubbed “The Urgent 11”, which for some reason seems like it should be the title of a Quentin Tarantino movie, but I digress.
The fact of the matter is the state of IoT is acknowledged as being woeful from a security perspective. As attackers start to focus even more on healthcare, the vulnerabilities to exploit this will be bountiful. Here’s the problem though. All this fear isn’t necessarily reflecting the actual risks that clinicians, IT leaders and hospital management need to be concerned with. Just because a vulnerability exists doesn’t mean a medical device will become a prime target.
In my experience, attackers, whether for financial or purely disruptive purposes, are not interested in harming patients in precise targeted attacks. Yes, a vulnerable pacemaker could be used to harm an individual, but this is very specific blackmail or, some would say, an assassination attempt, and I think that should stay in the realm of the movies for the most part.
What attackers actually want to achieve is scale.
They want to exploit vulnerabilities that give them total network access over as many institutions as possible whether that’s to initiate ransomware attacks, threaten to tamper with computing resources or simply steal as much data as they can without getting caught. The wayward pacemaker or insulin pump does not come up specifically in these scenarios unless it’s a way to actually achieve one of these goals. In reality, it’s the legacy routers, servers, printers and appliances that are a greater IoT risk here when it comes to causing clinical harm and organisational disruption at scale.
However, the problem is that attackers don’t necessarily understand the impact of their attacks either. Medical devices, because of their vulnerabilities and the dependency of their clinical workflows on interactions with multiple additional end-points, could be impacted indirectly causing all sorts of chaos delaying clinical care and causing patient safety issues. That’s why it’s still unacceptable that many medical device IoT manufacturers do not have clear incident response and vulnerability patching support plans for hospitals to act on.
The solution to this has to be a stronger shift in regulations to ensure that medical IoT suppliers have clearer processes for addressing these risks in a timely manner. More importantly though is the need to start looking at risk not from a generic technical perspective, but rather from a clinical and organisational impact perspective.
Dr Abed, medical doctor and healthcare cybersecurity/ national security expert, is currently the CEO of Boston-based cybersecurity analytics company Clinical Cyber Defense Systems. He is also an independent healthcare and security expert for the European Commission's Horizon 2020 programme, the World Health Organisation's Digital Health Technical Advisory Group and the UK Government’s Infrastructure and Projects Authority.
Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.