Healthcare’s Newest Security Threat: IoT

by Phil C. Solomon on February 1, 2017

in Healthcare Security, Revenue Cycle Management

One of the greatest technological achievements in the 21st Century is the creation of the Internet.  Its formation has effectively changed almost every aspect of business and personal communication.

The newest threat to cybersecurity is the proliferation of Internet of Things (IoT)—connected physical and smart devices that have embedded technologies including electronics, software or sensors that allow for network connectivity.  IoT enables objects to collect and exchange data with anything connected to the internet.  With healthcare’s increasing reliance on connected devices that leverage IoT and the growth of Telehealth, providers and facilities are more vulnerable than ever to cyber-attacks.

Internet connectivity has created the potential for IoT.  In 1990, John Romkey created the first IoT device (a toaster that could be turned on and off over the Internet), even before the first web page was ever created.  IoT is spreading faster than expected.  Gartner Inc., an IT research company, reports that beginning in 2017, more than 6.4 billion devices will have IoT connections, and it estimates that number will rise to more than 20 billion by 2020.

Recently, healthcare security has become the lead story in the news because of its data breaches, major software attacks and a stream of reports about new vulnerabilities in cybersecurity.  These growing problems have catapulted the healthcare industry into the top spot, surpassing the financial services sector as the industry with the greatest number of security incidents.  IBM X-Force named healthcare as the number one industry segment for cyber-attacks in its 2016 IBM X-Force Research Cyber Security Intelligence Index Report.  To reach its conclusions, it evaluated billions of security incidents in over 100 countries.

The increasing use of IoT will only add fuel to the industry’s current cybersecurity problems.  Nevertheless, the potential benefits of IoT outweigh the security risks.  Networked IoT devices, such as wearable sensors and home monitoring systems, will increase access to diagnostic testing and comparative treatment, and could significantly reduce medical errors.  These and other attributes are the driving force for the growth of IoT.  Allied Market Research predicts IoT will reach $136.8 billion by 2021, up from $60.4 billion in 2014.

Historically, cybersecurity’s focus in the healthcare industry has been on protecting against breaches of patients’ protected health information and, most recently, on preventing ransomware attacks.  (Cyber-criminals have been using ransomware to lock health professionals out of their systems and make electronic medical records inaccessible.)  Technology professionals need to be concerned with these threats as well as a host of rapidly developing criminal tactics.

Cyber-crimes Across All Industry Sectors

Cyber-crimes are rising at an unprecedented rate and have affected every industry sector, with healthcare having the largest number of security incidents.  Recently, the exploitation of human vulnerabilities through attacks on systems via email and social media has become rampant.  Hackers use shared information to construct effective spearphishing emails that can be used to socially engineer people into doing things that put computer systems and data at risk.  No industry is immune to hacking.  Even the social media industry, one that employs highly skilled developers and security personnel, has experienced serious hacking incidents with worldwide repercussions.  In May 2012, a Russian hacker was responsible for a massive LinkedIn data breach in which account details of 117 million users were stolen and leaked online.  The breach allowed a cyber-criminal to buy and use the stolen passwords to hack social media accounts for Google’s CEO Sundar Pichai and Facebook’s CEO Mark Zuckerberg.  In an interesting twist, Facebook exposed over six million users’ personal information that eventually was leaked to the hacking community.  Hackers pounced on the opportunity for financial gain when Facebook decided to buy back the information on the black market to plug holes in their security.  They combined the stolen information with their encrypted data to build in safeguards to eliminate further breaches.

Newfound vulnerabilities such as ransomware have hit numerous industries, with healthcare being hit the most frequently.  Current estimates from the Cyber Threat Alliance put the damage caused by ransomware at $325 million, up 1,800 percent since the Federal Bureau of Investigation’s (FBI) ransomware report in June 2015.

Today, sophisticated hackers do not just steal information; they can access data and change it.  For example, cyber-criminals can take actions such as changing data used in public company reporting that can materially affect business strategies, financial performance and stock prices.

Cyber-attacks involving personal and financial information are concerning, but they pale in comparison to the threat of breaching IoT in healthcare.  As wearable, implantable and connected medical devices are developed and used, the potential to harm patients through hacking IoT devices is becoming a top concern for cybersecurity professionals.

IoT Threats for Healthcare

Healthcare’s IoT security remains a critical issue, with new attacks and vulnerabilities uncovered every day.  As IoT gains traction and acceptance, the capabilities of web-enabled and network-connected products and systems will increase exponentially.  While the rise of connected devices may provide better monitoring and safety for patients, the risks associated with IoT increase in tandem.

IoT devices have major security risks because developers and manufacturers are not prepared to handle the issues associated with healthcare cybersecurity and have not created necessary safeguards.  IoT threats offer a different set of challenges because they can have real-life, physical repercussions for patients, posing greater and more lethal risks than any other cyber-threat.

The number of cyber-attacks is growing, and so is the cleverness of these attackers.  Therefore, it is vital to evaluate IoT devices and systems for cybersecurity flaws to ensure dependability, decrease downtime and improve security to maintain the health and safety of patients.

IoT Security and Cyber-Defense Readiness

In a February 2016 report, Securing Hospitals: A Research Study and Blueprint, the group Independent Security Evaluators outlined four steps health organizations can take to ensure effective IoT cybersecurity.  They are:

  1. Incident Response

Security breaches will occur, and it is important that the facility staff be prepared to deal with these situations.  An organization’s procedures should state what to do in the event of a security breach and ensure that its research and mitigation plans are put in place.

  2. Disaster Recovery

Cybersecurity needs to be a key component of every facility’s existing disaster recovery plan.  These plans need to be reviewed and assessed as a part of an overall preparedness plan.  While disasters are unlikely, they need to be simulated so that the security team has adequate practice in how to respond to these incidents.

  3. Red Teaming

From time to time, it is valuable to test the actual effectiveness of facility and systems security and the readiness of its teams to mitigate the negative effects of an attack.  Red teaming is the act of performing announced (or unannounced) attacks to see how teams respond, so that failures and other problems that may occur can be eradicated.

  4. Contingency Plans

The typical course of business itself can set events in motion that cause security to fail.  For instance, the turnover of key personnel, the rapid reduction or reallocation of budgets, lawsuits and audits can all drain personnel resources, which can adversely affect the security posture of an entire organizational infrastructure.  It is important to have these contingencies identified and contingency plans in place in the event they occur.

Summary

IoT devices have the potential to benefit device manufacturers, patients and healthcare professionals.  These devices will make it easier for providers to monitor and treat patients remotely, which means patients will spend less time in hospitals and experience better clinical results.  Healthcare organizations can increase successful IoT use by creating and continually updating a multilayer cybersecurity program designed to safeguard their patients.

________________

Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog, and serves as the Vice President of Marketing Strategy for MiraMed, a healthcare revenue cycle outsourcing company.  As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business development and client engagement.  Phil has over 25 years’ experience consulting on a broad range of healthcare initiatives for clinical and revenue cycle performance improvement.  He has worked with the industry’s largest health systems developing executable strategies for revenue enhancement, expense reduction, and clinical transformation.  He can be reached at philcsolomon@gmail.com

photo credit: Tumitu Design
