
How Do Healthcare CIOs Address IIoT Threats?

By Enterprise Security Magazine | Friday, October 04, 2019

IIoT has enormous potential to transform the healthcare industry, but it is surrounded by threats in different forms that have to be addressed adequately.

Fremont, CA: The need to save human lives grows with the onset of new diseases. This urgency is driving technology toward groundbreaking innovations in the delivery of state-of-the-art treatment services. As in many other sectors, the industrial internet of things (IIoT) has rapidly transformed the work and data infrastructure in health and medicine. IIoT enables easy access to medical data and information, making remote monitoring of patients seamless. IIoT has vast potential, especially in healthcare: connecting ordinary medical equipment to the internet lets it collect and share essential data that gives healthcare providers and medical practitioners greater insight into symptoms and treatment trends.

However, healthcare stakeholders should understand that IIoT adoption is prone to massive threats. Here's how CIOs address the associated IIoT threats in different healthcare areas.

Medical Devices

There are many medical devices, such as infusion pumps, anesthesia machines, dialysis machines, and respiratory ventilators, each performing specific functions and primarily used to monitor the patient’s vital signs. Updated versions of these devices can be connected to the internet, allowing them to be linked wirelessly to remote areas and to transfer collected information, such as the amount of medication a patient has taken, to the hospital information system (HIS). These medical devices can be attacked for patient information, and such attacks can lead to inaccurate readings that harm the patients under care. Researchers have uncovered a recent vulnerability in a brand of anesthesia machine that could allow an attacker to remotely modify equipment parameters, such as altering the composition of aspirated gases, which can put the patient at risk.

It is the responsibility of manufacturers, distributors, and healthcare facilities to ensure that these devices remain safe for use. Stakeholders should be aware of impending threats and vulnerabilities so that they can be agile in mitigating possible risks. Government agencies like the US Food and Drug Administration (FDA) and the Department of Homeland Security offer guidance through medical device safety action plans. These plans can help mitigate the risks brought about by oversights in device safety and bring stakeholders together in addressing those oversights. Healthcare facilities can also use virtual patching to manage vulnerabilities.

Hospital Information System (HIS)

Patient care involves not only medical but also administrative, financial, and legal aspects. The associated information is integrated and maintained on a single platform, the Hospital Information System (HIS). This information includes medical history, legal records, and other data needed in a hospital’s daily operation, so safeguarding its integrity is vital. The HIS is a crucial target for any potential cybercriminal because it holds data such as patients' personally identifiable information (PII), which can be used for extortion. Further, the HIS is susceptible to threats that include distributed denial of service (DDoS), ransomware, phishing attacks, and other threats from malicious actors. These malicious actors can manipulate data, steal information, and damage the hospital’s reputation.

Securing an HIS depends on network security. Splitting a network into sub-networks, a process called network segmentation, can reduce the risk of lateral movement. Encryption software also helps mitigate the consequences of data theft and loss.

Healthcare Systems Software

Medical institutions need software to control the systems they use to operate and to transfer information internally, and this software controls critical functions or holds information like patients’ PII. Even slight exposure of these systems' interfaces is dangerous: a recent study revealed that the exposed systems included software for record maintenance, pharmacy management, and patient scheduling. Even though the number of exposed medical systems is small, they contain valuable information, and potential attackers can infect them with ransomware. Attackers can also use the compromised software as an entry point to gain access to other devices.

Medical institutions should ensure these software systems are not exposed online by carefully configuring these devices and systems, most importantly those that contain PII of both patients and hospital staff.

Legacy Systems

It is evident that many medical institutions still use legacy systems even as they deploy IoT devices in their facilities. They find it painful to replace their legacy systems because replacement leads to extensive downtime, which is not possible in a healthcare facility. But keeping these systems exposes them to severe consequences and danger. If medical institutions do not opt to replace their legacy systems, they should find alternatives that strengthen their defenses through application security architecture. Employing solutions like virtual patching can mitigate the vulnerabilities that legacy systems face.

Wearables and Portable Medical Equipment

Wearables are mostly used by patients who have just been discharged from the hospital, and they are monitored continuously through IoT remote devices. These wearables provide necessary, real-time information, including heart rate, sleep duration, and blood pressure, that helps users make healthier decisions. For example, glucose monitors periodically take blood samples to alert diabetic patients to take insulin, and heart rate monitors signal the onset of heart attack or stroke. However, these devices are also prone to risks. The FDA has recently issued a warning against a specific brand of insulin pumps, which replace pancreas functioning by releasing insulin and keeping blood sugar levels within range. Attackers can send radio-frequency signals and change the settings of nearby pumps. In such cases, the insulin pumps have to be replaced. These devices work remotely, and attacks on them could result in life-threatening situations.

Portable devices that patients bring home or wear illustrate how users and patients share the responsibility of securing these devices. Patients who use such devices have to be careful about sharing information about their devices, and should physically secure the devices and keep them close.

Other IoT Applications

RFID technology, an IoT component, can help hospital staff quickly locate and identify equipment that will be used to treat a patient. Although such applications do not directly add medical value, they ease the burden on staff while enhancing their focus on patients. However, integrators should map and manage their connected devices because they are the entry points for bigger targets. Deploying virtual fencing features will disable the devices when they are out of range.

IoT in healthcare has not attained full maturity and is still brimming with possibilities. Healthcare stakeholders must first understand the dangers IoT brings to the field when it is haphazardly implemented, which could cause cascading problems for a broader community, and then take effective measures to secure it.
