GAO warns of security flaws in IoT, medical devices

In the wake of the WannaCry, the Government Accountability Office is trying to bring the industry up-to-speed on the growing threats to devices.
By Jessica Davis
02:25 PM
security flaws in IoT

While most of the U.S. healthcare system was left untouched by the WannaCry ransomware attack that rocked the U.K National Health Service, it highlighted the major vulnerabilities in outdated hospital systems: medical devices.

A recent Government Accountability Office IoT technology assessment reiterated similar flaws. Both private and public sectors are inconsistent in IoT adoption, which leaves steadily growing technology highly susceptible to attack.

In just 2016 alone, hundreds of thousands of poor-secured IoT devices were hacked and leveraged to disrupt major portions of the internet.

[Also: Hospitals can make medical devices up to 70% safer, Mayo exec says]

Medical devices pose some of the biggest risks, as most lack even the most basic security measures. And implantable medical devices don’t have any security at all.

“Without proper safeguards, these systems are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain and manipulate sensitive information, commit fraud, disrupt operations or launch attacks against other computer systems and networks,” the report authors wrote.

Hackers can use malware to compromise the device to steal patient data and use it as a platform to gain access to an entire network. The report also found cybercriminals can also monitor and record data -- without detection.

[Also: WannaCry highlights worst nightmare in medical device security]

One expert explained how a hacker can pull data from multiple devices to create an entire makeup of a person. These devices collect intimate data of the user, which exacerbates the concern.

Further, although most of the healthcare industry and its patients view the tools as an easy way to communicate and track health, it poses new privacy issues.

There are still many gray areas on the ways in which a company can collect, maintain and share data for business purposes, the report found. While there are many proposed methods to combat this, these are just theories.

[Also: Wannacry timeline: How it happened and the industry response to ransomware attack]

For example, the report examined de-identifying the data to protect the unique identity of the user. But experts are concerned that the existing methods may not prevent future identification. So for the time being, de-identifying data is not a realistic possibility.

“With the rapid global expansion of IoT, security and privacy measures become increasingly important to curtail its misuse,” the authors wrote. “As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT products and services is also magnified.”

The assessment is based on Federal Trade Commission feedback and input from researchers and industry groups. A draft of the assessment was provided to 10 federal agencies for review, including the National Science Foundation, Office of Science and Technology and Home Security.

Twitter: @JessieFDavis
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn