The Internet of Things (IoT) is increasingly becoming a popular topic of choice in the cybersecurity industry and for unfortunate reasons. In short, the Internet of Things is the name applied to a wide variety of devices that connect to the internet. These can be routers, cameras, smart light bulbs, and medical devices. Unfortunately, the security of these devices is less than stellar and they pose a real risk to multiple industries.
For health facilities such as hospitals, their security vulnerability is exacerbated by the large infrastructure that is increasing with the adoption of wirelessly connected medical devices. This array of new IoT devices has paved the way for technological and medical advances like never before, benefiting hospitals and patients alike. However, with a speedy delivery and implementation, the security of such devices has been less than an afterthought, and now present a real security risk to the networks they’re connecting to.
We recently covered how many Internet of Things devices have become exploited en masse by the Mirai Botnet, where it’s being used to engage in targeted DDoS that look to bring down websites. Because these IoT devices are using legacy protocols such as Telnet and FTP for ease of use, they also make exploitation an easier task for hackers. Hackers often exploit these devices by first finding them through automated scanning processes that look for internet-connected devices and brute-force password combinations, taking advantage of the default passwords that are often intact in the devices.
The risk for IoT medical devices isn’t limited to a botnet or malware infection, rather if the IoT device is accessed via its default password or any other means, it can provide an access point into the organization’s network, which can lead to a data breach.
Because a medical organization’s personal health information (PHI) is such a valuable asset, malicious actors can limit their search and specifically target devices connected to a healthcare organization in order to access their network and exfiltrate sensitive information. Other consequences may be even more dire. If a hacker is specifically targeting an individual or a group, they can access vulnerable medical devices that connect to the internet and execute arbitrary code, either forcing the device to malfunction or not function at all, putting the person who’s reliant on the device at risk.
IoT Security is Attracting Attention From Regulators and Other Agencies
In mid-Summer 2015, the US-CERT released a warning on a Hospira PCA LifePump medical device that had a number of vulnerabilities, including a hardcoded password, that left it open to a remote exploit vulnerability, potentially putting anyone using the device or the network it was connected to at risk. It was one of the first times a warning referring to a medical device was posted. Since then, other regulatory bodies, security researchers, and organizations have increased their attention on IoT security. Earlier this year, MedSec Holdings, a research firm announced that a number of St. Jude cardiac implants were susceptible to hacking, a claim disputed by St. Jude. The day of the announcement, St. Jude’s stock dropped 5% and the FDA is currently investigating the claim. The consequences of weak IoT security don’t stop at malicious actors, the business impact is real as the issue becomes more of a mainstream topic.
Back in June of 2016, a report was released noting that the NSA was looking to exploit medical devices in order to improve intelligence by exploiting the device to facilitate monitoring and spying for information gathering purposes. On the other side of the government spectrum, the National Institute of Standards and Technology (NIST) issued a draft report on standardizing lightweight cryptography aimed to improve the security of IoT devices used in manufacturing, industrial, and healthcare industries among others. NIST released the draft back in August and was taking comments on the report until the end of October.
In the private sector, the Industrial Internet Consortium, a cross-industry group made up of healthcare, energy, manufacturing, and transportation companies such as General Electric, IBM, Intel, Toyota and others took a role in promoting IoT safety. They released the Industrial Internet Security Framework IISF in September 2016, a security framework aimed at IoT devices manufacturing that hopes to tackle the security issue from a manufacturing perspective while also providing guidelines and best practices.
While it’s too early to tell whether or not the additional attention and released framework will bolster IoT security, the conversations stemming from both private and government organizations do provide a form of optimism for the industry as a whole.
Simple Steps Healthcare Organizations Can Take To Protect Their Patients
There’s more that an organization as a whole can do to avoid exposing their network to potential hackers. When it comes to common IoT devices such as routers, cameras, and even smart-products such as bulbs and TV’s, it’s important to perform due diligence to purchase the most secure options. However, multiple options may not be available for specialized medical devices. In those cases, the first thing to do, as we noted in our coverage of the Mirai botnet problem, is to change any default administrative passwords found on the device. Because there are a number of automatically scanning processes set up by hackers made to infect IoT devices, changing the passwords of devices prior to connecting to the internet is a good way to safeguard from automated attacks.
CISOs and other heads of information security should segregate sensitive network assets and employ network segmentation in order to reduce the risk of exposure all internet-facing devices pose to a network. Medical IoT devices should be segregated from portions of the local intranet that are used for administrative tasks and the same should be done with all internet-facing devices, including printers, routers, and cameras.
The Healthcare Industry’s Internal Risk Factor
Unfortunately, the healthcare industry is also facing an internal risk that may lead to even worse consequences: their own employees.
Social Engineering is one of the most common ways hackers are accessing a company’s sensitive information. By taking advantage of employees who aren’t as versed in security, hackers can eschew complicated technologies to simply obtain sensitive information or credentials to enter into a network utilizing psychological methods. In our next blog post we’ll discuss how the Healthcare Industry is especially susceptible to Social Engineering attacks and what they can do to improve their employee security awareness.
For a complete look into the security performance of the entire healthcare industry, download our 2016 Annual Healthcare Industry Cybersecurity Report Below.