Black Hat 2017: Securing the Internet of Things

These are the vulnerabilities in the current health IT landscape.

As the medical industry becomes more technologically decentralized through innovations such as mobile devices, hospital equipment that communicates over IP, and sensors in almost everything, keeping healthcare secure is becoming a more complex task.

The evolution of this so-called “Internet of Things” in enterprises was a hot topic at the recent Black Hat conference in Las Vegas. Presenters and attendees described this new age of IoT as one in which corporate users can stay connected and more easily track patients, medications, and developing situations, but also one in which criminals will have more, and potentially less secure, points of access to healthcare organizations.

A recent study by the Ponemon Institute found that while 67% of medical device makers say they anticipate their devices will be attacked within the next year, a mere 17% have taken major steps to prevent attacks. According to IT researcher Gartner, one quarter of all digital security attacks will be directed through IoT devices and machines. It is this kind of mismatch that has given IT decision-makers a false sense of security about the coming changes in their more connected environments. A security survey of more than 200 healthcare IT professionals, released in July by ZingBox, found that three-quarters of IT department decision-makers say they are “confident” or “very confident” that all the medical devices and equipment on their networks are indeed secure.

“In today’s healthcare environment, everything from patient monitors, imaging systems, smart beds, IV pumps, home patient monitors and more are IoT driven,” says Dean Weber, chief technology officer of Mocana, a secure technology provider, which recently introduced its own IoT platform. “If there is anything that recent news has taught us, it is where there are connected devices, there are vulnerabilities and cyber-attacks.”

Since security experts know many of the vulnerabilities that exist—ranging from no security to issues associated with authentication on multiuser medical devices—Weber says the industry needs to implement strong encryption.

The ZingBox study found that more than 9 out of 10 healthcare IT networks already have IoT devices in their system—and often as many as 10 to 15 of these Internet protocol-driven devices per hospital bed.

In healthcare, Weber says risk is measured in terms of loss of life, human safety and reliability of the systems. While data privacy is critical, “compromised systems directly [affect] patient care and can put the patient’s privacy at risk.”

“For this reason,” Weber adds, “it is imperative that these devices meet the traditional compliance standards, but also maintain strong cryptographic controls, including multi-factor authentication, secure boot, secure update, and secure, encrypted communications.”
