Connected medical devices brought security loopholes mainstream
The increasing demand for self-health management, coupled with the digitalization of the modern healthcare ecosystem, translates into a medical connected devices market that is predicted to grow 20% every year, according to Infoholic Research.
Connected medical devices are proving essential amidst today’s new normal, but their mainstream adoption has also brought security loopholes to the fore. Fragmented systems have given rise to information silos and unencrypted devices, with hackers increasingly targeting health organizations and hospitals as a result.
It is worth considering what cybersecurity leaders can do as data security shapes up to be the health industry’s next battlefront.
The story so far: Coronavirus and healthtech
Connected medical devices have become a mainstay of care for patients and healthcare workers over the past 12 months. Their ability to deliver medical information at a distance, at a time when both personal space and health insight are needed most, has driven a steep rise in adoption.
From wearable IoT devices like smartwatches that provide a patient’s heart rate and blood oxygen level, to personal medical devices like hearing aids that can be calibrated remotely, these devices have proven vital for both patients and healthcare providers.
Smart devices have also played a key role in the fight against the pandemic. IoT devices with smart sensors and algorithms, connected through the cloud to an application and to other devices, have been very helpful in contact tracing.
Personal medical care and health data interoperability were already major topics in medicine before the pandemic, and the expansion of connected medical devices is only amplifying them. Greater awareness and acceptance of newer technologies, together with higher spending on healthcare services, is expected to grow the connected medical device market to $260 billion by 2027.
The dark side of medical IoT
The benefits of mainstream adoption are clouded by cybersecurity dangers. Most cheap medical devices suffer from the same problems as other cheap connected devices, namely poor security practices and limited or no encryption of stored and transmitted data. This is especially concerning because a compromised device can serve as an entry point into medical databases holding troves of sensitive information, including insurance records and financial data. Moreover, in specific scenarios a hacked personal medical device can even be turned on or off by an attacker.
As has been shown during the pandemic, sensitive health information is fodder for blackmail and ransomware attacks. Interpol issued an alert last year warning that cybercriminals are using ransomware to target healthcare organizations already overwhelmed by COVID-19. The warning noted that cybercriminals are “using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.”
These dangers are compounded by a health industry that has already shown itself to be a cybersecurity laggard. A study of internet-connected hospital devices found that more than 80% of medical imaging devices run on outdated operating systems. A device that is not diligently patched, or that runs an operating system its vendor no longer supports, carries known vulnerabilities that attackers can exploit to steal data, move into the hospital network and disrupt care.
What cybersecurity leaders can do about it
While medical devices enable next-generation care, they simultaneously open the door to malicious actors. This should worry patients and providers alike and requires immediate action from cybersecurity leaders. As always, there are additional security steps that can, and should, be taken to stop medical hackers in their tracks.
First, firmware updates should follow an orchestrated process in which only authorized administrators can push changes to a device, typically by having the device accept only images whose manifest is signed by an administrator key, and in which the device confirms that the update was applied properly, for example by checking the installed image's hash and version against that signed manifest. An update failure should raise an alert so the device can be isolated, otherwise secured or replaced.
Second, for patients, cybersecurity leaders must give clear instructions on how to install and configure the device and the home network it sits on. That translates into correct operation and a secure, encrypted connection from patient to doctor. One potential solution is to tailor the connection type to the device. For example, peer-to-peer connections bypass the public cloud to deliver encrypted information directly between user and device; they still need end-to-end encryption and mutual authentication, since bypassing the cloud on its own protects nothing.
Third, for devices, strong authentication based on public key schemes is a must. Similar to what online banks use, public key authentication identifies and authenticates peers with cryptographic keys instead of a username and password. Keys have the advantage that guessing them by brute force is computationally infeasible and the user has nothing to remember; the flip side is that the private key becomes the thing to steal, so it belongs in a secure element or similar protected storage on the device.
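As an added example (not code from the article or from any device vendor), the following Python sketches the device-side controls from the three steps above as one flow: a firmware manifest that the device accepts only when it is signed by the provisioned administrator key, passes an anti-rollback version check and matches the delivered image's hash, with an alert recorded on every failure; and challenge-response authentication of the device by its own key pair instead of a password. The RSA signing routine is a deliberately minimal textbook toy (short keys, no padding) so the file runs on the standard library alone; the manifest layout, the `Device` class, the alert list and the firmware byte strings are assumptions constructed for this illustration. Production devices should use a vetted library (for example Ed25519) with the private key held in a secure element.

```python
"""Toy firmware-update and device-authentication flow (added example).
Textbook RSA over a SHA-256 digest, no padding, so it runs on the standard
library alone; it is NOT production code."""
import hashlib, json, secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, enough to generate toy keys at runtime."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Return (public, private) as ((n, e), (n, d)). Toy key size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    return pow(_digest(msg), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _digest(msg)

class Device:
    """A connected device provisioned with the administrators' public key."""
    def __init__(self, admin_pub, version):
        self.admin_pub = admin_pub            # root of trust for updates
        self.version = version
        self.alerts = []                      # what the monitoring pipeline would receive
        self.identity_pub, self._identity_priv = keygen()   # per-device identity key

    @staticmethod
    def canonical(manifest):
        return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

    def apply_update(self, manifest, signature, image):
        """Accept only an administrator-signed, newer, intact image; alert otherwise."""
        if not verify(self.admin_pub, self.canonical(manifest), signature):
            return self._fail("manifest not signed by an authorised administrator")
        if manifest["version"] <= self.version:
            return self._fail(f"rollback to v{manifest['version']} refused (running v{self.version})")
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return self._fail("image hash does not match the signed manifest")
        self.version = manifest["version"]    # flashing the image would happen here
        return True

    def _fail(self, reason):
        self.alerts.append(reason)            # device can now be quarantined or replaced
        return False

    def answer_challenge(self, nonce):
        return sign(self._identity_priv, b"device-auth:" + nonce)

def authenticate(device, expected_pub):
    """Challenge-response: the verifier learns nothing reusable, unlike a password."""
    nonce = secrets.token_bytes(32)
    return verify(expected_pub, b"device-auth:" + nonce, device.answer_challenge(nonce))

def demo():
    """Run the scenarios end to end on constructed inputs; return the outcomes."""
    admin_pub, admin_priv = keygen()
    attacker_pub, attacker_priv = keygen()    # unauthorised signer
    dev = Device(admin_pub, version=3)
    images = {v: f"FIRMWARE v{v} (constructed stand-in)".encode() for v in (2, 4, 5)}
    manifests = {v: {"version": v, "sha256": hashlib.sha256(img).hexdigest()}
                 for v, img in images.items()}
    sig = lambda v, priv: sign(priv, Device.canonical(manifests[v]))
    results = {
        "good": dev.apply_update(manifests[4], sig(4, admin_priv), images[4]),
        "forged_signature": dev.apply_update(manifests[5], sig(5, attacker_priv), images[5]),
        "rollback": dev.apply_update(manifests[2], sig(2, admin_priv), images[2]),
        "tampered_image": dev.apply_update(manifests[5], sig(5, admin_priv), images[5] + b"\x00"),
        "auth_genuine": authenticate(dev, dev.identity_pub),
        "auth_impostor": authenticate(dev, attacker_pub),
    }
    results.update(version=dev.version, alerts=len(dev.alerts))
    return results

if __name__ == "__main__":
    print(demo())
```

Running `demo()` applies the genuine v4 update and rejects the three bad ones, leaving the device at version 4 with three alerts queued; the device then passes the challenge against its own public key and fails against the attacker's. The checks are ordered so that the cheapest rejection (signature) happens first and nothing is flashed until all three pass.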
Moving forward, one solution I particularly like is homomorphic encryption. This form of encryption lets data stay encrypted while it is processed: you, or a third party such as a cloud provider, can compute functions over the ciphertexts without ever seeing the plaintext values, and only the key holder can decrypt the result. Partially homomorphic schemes such as Paillier support one operation (addition) efficiently; fully homomorphic schemes support arbitrary computation but at a far higher performance cost, which is why adoption is still early.
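As an added example (not from the article), here is the additive case of what the passage describes, a toy Paillier cryptosystem in pure Python: a patient's device encrypts a week of heart-rate readings, a cloud service that holds no key combines the ciphertexts into an encrypted total, and only the clinician's key decrypts the sum. The Mersenne primes, the reading values and the three role functions are assumptions constructed for the illustration; the parameters are far too small for real use, and Paillier supports only addition of ciphertexts and multiplication by a public constant, not arbitrary computation.

```python
"""Toy Paillier (additively homomorphic) aggregation of health readings.
Added example; parameters are far too small for real use."""
import math, secrets

# Mersenne primes, certainly prime, so the example needs no prime search.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                       # public key (g = N + 1 variant of Paillier)
N2 = N * N
_LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1), private
_MU = pow(_LAM, -1, N)                                # private

def encrypt(m):
    """Randomised: the same reading gives a different ciphertext each time."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    r = secrets.randbelow(N - 1) + 1   # gcd(r, N) != 1 only with negligible probability
    return (1 + m * N) * pow(r, N, N2) % N2

def decrypt(c):
    u = pow(c, _LAM, N2)           # = 1 + (m * LAM mod N) * N
    return (u - 1) // N * _MU % N

def add_encrypted(c1, c2):
    """Ciphertext product = encryption of the plaintext sum."""
    return c1 * c2 % N2

def scale_encrypted(c, k):
    """Ciphertext power = encryption of plaintext times a public constant k."""
    return pow(c, k, N2)

# Constructed resting heart-rate samples (bpm), one per day for a week.
READINGS = [72, 68, 75, 80, 66, 71, 77]

def patient_side():
    """Device encrypts each reading under the clinician's public key."""
    return [encrypt(r) for r in READINGS]

def cloud_side(ciphertexts):
    """Cloud holds no key: it can only combine ciphertexts, never read them."""
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = add_encrypted(total, c)
    return total

def clinician_side(enc_total, count):
    """Only the key holder sees the result, and only the aggregate."""
    total = decrypt(enc_total)
    return total, round(total / count, 1)
```

Two things worth noticing when running it: the cloud never needs `_LAM` or `_MU`, so a breach there exposes only ciphertexts, and because encryption is randomised, two identical readings produce different ciphertexts, so the cloud cannot even tell which days had the same heart rate.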
The worst mistake for healthcare cybersecurity leaders is complacency. The coronavirus pandemic has not only tested patient care but revealed glaring cybersecurity holes across the industry – holes that hackers are increasingly attempting to exploit.
At the same time, connected medical devices bring impressive benefits in remote and personal care. As the number of devices grows over this decade, it is incumbent upon cybersecurity leaders to harden their networks and ensure that data is encrypted both on the device and in transit.