The rush to adopt IoT devices in consumer and business markets is well documented, but the scale of uptake comes at a cost: the increased risk of cyber attack. More connected devices and the absence of end-to-end cyber vigilance (from both manufacturers and users) mean more opportunities for bad actors. As a case in point, the DDoS attack that downed Dyn (and much of the US internet traffic) in 2016 was caused by IoT devices infected by the Mirai botnet.
A 2017 survey found 48% of firms had experienced at least one IoT security breach, and by 2020 it's estimated a quarter of cyberattacks will target IoT devices.
IoT also has a firm foothold in the healthcare market, where it’s often referred to as the Internet of Medical Things (IoMT). Connected devices are used to support clinical operations, medication management, and remote healthcare, as well as on-patient or in-patient monitoring and diagnostics. Spend on IoMT and related services amounted to $56 billion in 2017, and there are now some 400 million connected medical devices in use.
Despite the benefits, IoMT gives hospitals a serious cybersecurity headache, and for good reason. Networked devices create a backdoor to clinical IT networks, which, if not kept firmly shut, could let cybercriminals in. The consequences of an insecure or compromised network can, literally, be fatal.
IoMT Is Different from IoT and So Are the Security Implications
Hospitals are particularly sensitive to the possibility of a breach because of the ruinous impact on their reputation as well as the threat of regulatory fines. While it might be intuitive to think that the same security controls used to protect general IoT devices can secure IoMT environments, that would be a big mistake. The threat landscape and the malicious motives that dot it are vastly different for the Internet of Medical Things. As a result, a different, more tailored approach is needed for hospitals to safely navigate and clear a path through their unique minefields.
IoMT applications and devices digitally capture and relay medical data from the physical world in order to assist with diagnostics and treatment plans or to streamline clerical workflows.
Breaching the network that carries these data relays gives criminals several opportunities for financial gain. To list just a few:
- They can outright sell the information they’ve plundered on the dark web for great profit.
- They can use the threat of publicly releasing private information to extort individuals and/or hospitals.
- They could hold critical infrastructure and assets digitally hostage, demanding ransom payments in order to restore usability.
- They can connect some of the data dots to steal identities and commit credit fraud.
- They can abuse payment card (PCI) data to plunder bank accounts or launder cash.
Lack of Visibility Is a Key Problem Area
Better healthcare IoT security boils down to having better knowledge to inform better decisions.
However, for most hospitals and clinical networks, it's a struggle to get the operational visibility and insight on which the knowledge is predicated. Unlike other critical IT assets, connected medical devices are hardly visible in native IT control systems. This puts IoT security solutions built for non-healthcare environments at a profound disadvantage.
This lack of visibility results from several related factors.
Even a mid-sized hospital could have thousands of connected medical devices, and many hospital managers don’t have an up-to-date inventory of how many devices are being used, where they’re located, and which staff are authorized to use them. But without this information there’s little chance of implementing robust cybersecurity measures.
Older machines are often assumed not to be networked, but many are. These machines, sometimes as much as 20 years old, typically run woefully outdated operating systems, have almost no built-in security measures, are hugely vulnerable, and fail to appear on the radars of IoT security scanners.
And while some security products do a reasonable job in tracking network endpoints, most provide wholly inadequate contextual information about their use, traffic flows or operational status — leaving system administrators struggling to make sense of the information they’re given.
Even if all the devices are successfully located, without a live inventory map providing simultaneously granular and panoramic visibility, it will be difficult to identify and oversee the configuration and calibration adjustments required for proper device functioning. Of course, the same is true for patching and servicing needs. Misconfigurations and mis-calibrations can hide in plain sight, undetected and uncorrected for years. This happens easily when manually setting VLAN configurations and security rules at scale.
Without an automated, AI-enabled review of security policies, device groupings, control configurations, and device-specific best practices, finding and fixing mistakes or optimizing utilization and maintenance would be like finding a few needles in a field full of haystacks.
Unrecognized or Misunderstood Communication Protocols
The medical device industry isn’t a single-vendor, single-product marketplace. Each manufacturer and device may have its own proprietary communication protocol with its own security implications that, if not properly understood, could lead to vulnerabilities. These unique characteristics are not normally recognized by traditional cybersecurity solutions — presenting an insurmountable obstacle to protection.
Additionally, achieving the required interoperability between different device types might require improvised workarounds, opening the door to even more threats.
Complexities with Patchwork IT Infrastructures
Hospitals are seldom contained within a single building built at once. Normally, they exist within a campus hosting a complex of disjointed and interconnecting facilities, built wing by wing, that sprawl out over many years. The technology that a facility was built and outfitted with in 1990 is very different from the technological standards of 2010. And while modernization efforts are continuous, organization-wide technological and infrastructural homogeneity will never exist. There is therefore a need, at least to some extent and for some period of time, to entangle and plug these disparate systems and technologies into each other.
This is not just the case for a medical center’s plumbing, HVAC, and electrical needs, but for its IT and clinical assets as well. Medical devices, for example, may live in environments governed by different systems, technologies, and infrastructural backbones that don’t necessarily “play by the same rules”. Despite this incongruity, these devices — regardless of their own software versions and security patches — are all bridged into the same network.
Just because interoperability is achieved between the different parts of this patchwork, it does not mean that intersecurability follows. When bootstrap, workaround, or duct tape solutions are used, it very likely comes at the expense of security (even if not directly apparent in the immediate ecosystem in which those solutions are applied). And since vulnerability anywhere in the network means vulnerability everywhere in the network, patchwork IT configurations become a real mess to maintain and secure without keen visibility and insight capabilities.
Purpose-Specific Solutions & Effective Healthcare IoT Security
There are relatively few after-market security solutions targeted specifically at hospitals, which underlines the challenges in addressing their unique security considerations.
Medical devices speak languages and dialects that general security solutions won’t likely understand.
Medical devices use a combination of open source and proprietary communication protocols, many of which are unique to the healthcare industry. With an intelligence engine designed from the bottom up for healthcare, you can build a base of reference for the custom communication protocols leveraged by medical technologies. That protocol-level fluency serves as a key of sorts to unlock the bounty of data accompanying your network endpoints through all their digital interactions. It is the first and most critical step needed to deliver context awareness for the workflows running through your network.
The IoMT apple has fallen far from the IoT tree.
There are different motives affecting healthcare — such as ePHI and PCI theft or industrial-scale ransomware — that don’t play into other IoT arenas. These motives invite different players, with different interests, different methods, and a different toolset. The basic objectives for good IoT and IoMT cybersecurity may be the same, but differences abound in the strategies and tactics that advance them. The field of play is entirely different. You don’t bring cleats to a basketball court expecting them to help you play lock-down defense, and you shouldn’t bring general IoT security solutions to a hospital expecting them to secure your infusion pumps!
Since IoMT ecosystems function differently than general IoT ecosystems, they’re subject to different healthy and potentially problematic network behavior patterns. Most security solutions boil down to pattern tracking and recognition technology. But if you’re looking for a normal IoT network behavior pattern in an IoMT environment, you’re likely to miss the boat. Even more concerning, if you’re looking for abnormal IoT network behavior patterns in an IoMT environment, you may altogether fail to recognize threats.
Do not mistake strength for smarts.
A lot of general IoT security tools introduce valuable controls to your IT ecosystem. But almost by definition, a cybersecurity solution built for any old IoT environment will lack the necessary intelligence to empower and protect a healthcare operation.
For example, firewalls, SIEMs and NACs do a great job of enforcing well-defined security policies through what are essentially on-off switches distributed throughout your network. But these tools are ill-disposed to provide the insights needed to build smart rules and refine security policies for your specific needs. In a generic IoT environment, generalized standards and universally maintained blacklists can go a long way to hiding these limitations. But there is nothing generic about a connected healthcare environment, and decent security demands context-aware intelligence to match its controls.
When it comes to these sorts of tools, they’re most useful when paired and integrated with purpose-specific IoMT intelligence engines.
Healthcare-specific attention and expertise is required to get out ahead of the threat.
Deep knowledge is needed to find hidden problems. Some medical device vulnerabilities can go undetected for years until they’re uncovered by a technician or researcher armed with abundant knowledge and experience. If you can’t deliver that type of expertise and focus from your staff, you’ll want to outsource it — and it won’t be available from providers of general IoT security solutions.
What’s more, the process for publicly disclosing a vulnerability once discovered is somewhat tedious and can take a while. That means that if your internal IT security team or your healthcare cybersecurity solution provider is not behind the discovery, you’ll be left exposed to the vulnerability even longer. On the flip side, if your solution provider has a team of researchers devoted to the task of sniffing out medical device vulnerabilities, you can rest assured knowing that your facility will be fully protected against threats long before others even know that they exist.
Such researchers are also essential to the process of reverse engineering and “unlocking” new proprietary communications protocols, or new versions of existing ones, that are so essential to meaningfully understanding what’s going on in your network.
Thinking Beyond Standard IoT Security Solutions
The world of healthcare is not the same as the world of retail. Nor is it the same as the world of manufacturing, or any other IoT realm for that matter. The Internet of Medical Things has its own unique cares and considerations and different threat actors shaping its attack surface. ePHI, for example, doesn’t exist in other sectors, and other IoT ecosystems don’t typically process payment information in the same networks that run their critical assets. These are just some of the highly consequential differences that, along with IoMT’s unique communication protocols, set the needs of healthcare IoT security apart.
As hackers become more experienced and more focused, healthcare providers need to stay one step ahead with a cybersecurity solution tailored to their specific ecosystem. General IoT security solutions, developed to protect IoT devices across a wide range of industries, simply cannot address the unique security landscape in which hospitals operate.
Only an intelligent, purpose-built solution, combining original research, machine learning, deep medical device knowledge, and context-aware, automatable segmentation auditing can map your network, assess your risks, detect active threats, recommend remedies, and prevent attack scenarios.