Why IoT Security Issues Still Loom Large in Health Care

According to recent research from IoT security company Zingbox, health care organizations are wrestling with an array of IoT security issues.

Brian Buntz

March 20, 2018

3 Min Read
Health care
Thinkstock

In one perspective, IoT devices are the inverse of traditional IT devices such as desktops, laptops, mobile phones and the like. Such people-facing devices are generic in their intended function but are architecturally similar. IoT devices, conversely, are diverse architecturally but tend to be function-built for a narrow outcome. While IoT devices often support human input, their main purpose is to act autonomously. Many IoT devices thus lack the horsepower to support software agents to help automate device security. And yet, because IoT devices interface with the physical world, IoT security issues can potentially cause physical harm. 

In few places is this unique combination of traits and risks more evident than in the medical device industry, where bad actors can potentially take control over devices ranging from infusion pumps to pacemakers to X-ray machines. Making matters worse, a recent survey of 50 hospitals from IoT-focused health care-security specialist Zingbox reveals that sloppy security is standard in the landscape. Outdated operating systems and software comprised one-third of the security problems found. Rogue applications and internet-browser-related risks jointly made up 41 percent of the security risk the study authors reported. Unprotected communications and weak passwords comprised an additional 11 percent.   

“There is certainly an opportunity to educate employees on the acceptable and secure way of using medical devices,” said John Yun, head of marketing at Zingbox. Just because an internet-connected medical device has a browser, “doesn’t mean you should use it to visit websites, check emails, stream music, etc.” Yun said. And while hospitals typically have security protocols in place for devices such as PCs and laptops, many aren’t focused on IoT security issues. “From our findings, the vast majority of user practice issues stem from employees unaware of sound security practices and not from intentional acts to infect or disable connected medical devices.” 

[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.] 

The less-than-stellar security situation can attract financially-motivated cybercriminals who seek to steal patient records. Hospitals suffering from such theft can be hit with fines based on each record lost. “Disruption of service cannot be easily quantified since it has other damages such as loss of life,” Yun said.

Health care organizations should increase their focus on security as medical devices become increasingly connected. Once a medical device is reachable via the internet, there are an array of potential hazards to watch out for, as well as the chance that malware could propagate from one device to another, Yun said. “In addition, the management of devices has not evolved to leverage other benefits of networking such as updating real-time inventory, locating devices, gaining insight into device utilizations and so on,” he added.

JohnYun_1.jpg
Health care institutions should also ensure that connected medical devices have the latest software. “Many devices simply aren’t designed to be updated OTA,” Yun said. “Not only that, many manufacturers are not able to respond to vulnerabilities and threats in the speed necessary to secure such devices in real-time.” For one thing, any update of a critical medical device must ensure that it doesn’t cause inadvertent problems that may inadvertently harm a patient. Yun concluded: “Simply updating to the latest patch may be a risk we take with our PCs, but not our X-ray machines.” Imaging systems, incidentally, are the top source of cybersecurity risks within hospitals, making up 51 percent of such threats according to the Zingbox research.

And while there is room for improvement when it comes to the IoT security issues in the medical landscape, health care organizations have the potential to emerge as IoT security pioneers in the wake of last year’s high-profile cyberattacks targeting hospitals internationally. “Health care organizations have experience in being audited, held to specific regulations and securing health care records,” Yun explained, all of which could help them build on their current security foundation. “They also have budget and processes in place to implement solutions to react to the latest cyberthreats and service disruptions.”

About the Author

Brian Buntz

Brian is a veteran journalist with more than ten years’ experience covering an array of technologies including the Internet of Things, 3-D printing, and cybersecurity. Before coming to Penton and later Informa, he served as the editor-in-chief of UBM’s Qmed where he overhauled the brand’s news coverage and helped to grow the site’s traffic volume dramatically. He had previously held managing editor roles on the company’s medical device technology publications including European Medical Device Technology (EMDT) and Medical Device & Diagnostics Industry (MD+DI), and had served as editor-in-chief of Medical Product Manufacturing News (MPMN).

At UBM, Brian also worked closely with the company’s events group on speaker selection and direction and played an important role in cementing famed futurist Ray Kurzweil as a keynote speaker at the 2016 Medical Design & Manufacturing West event in Anaheim. An article of his was also prominently on kurzweilai.net, a website dedicated to Kurzweil’s ideas.

Multilingual, Brian has an M.A. degree in German from the University of Oklahoma.

Sign Up for the Newsletter
The most up-to-date news and insights into the latest emerging technologies ... delivered right to your inbox!

You May Also Like