https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/footer-logo.png
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Architecture
  • Engineering/Development
  • Security
ioti.com

Connected Health Care


Getty Images

security.

Health Care Cybersecurity Hits Tipping Point

Once a theoretical risk, health care cybersecurity breaches are negatively impacting patients treated at facilities swept up in ransomware campaigns. 
  • Written by Brian Buntz
  • 7th November 2019

Once, the possibility of adversaries targeting medical devices seemed almost like a fairy tale. Sure, bogeymen could wreak havoc by targeting, say, networked hospital devices or utilities’ computers, but such possibilities seemed better suited for television plots than anything else.  

But a risk of health care cybersecurity began to grow harder to ignore roughly a decade ago when a string of researchers began to warn that a number of medical devices were vulnerable to cyber sabotage. In 2008, Kevin Fu, then an associate professor at the University of Massachusetts Amherst, demonstrated that pacemakers and implantable cardiac defibrillators were vulnerable to software radio-based attacks. In 2011, white hat hackers Jay Radcliffe and Barnaby Jack demonstrated vulnerabilities in a popular insulin pump model. A year later, Jack showed the feasibility of a pacemaker attack made famous in the Showtime series “Homeland,” while many insulin pump wearers took to hacking insulin pumps and continuous glucose monitors to enable new functionality.  

But at that same time, nation-state and terrorist organizations began to pay closer attention to health care and critical infrastructure as potential targets from a cyber warfare perspective, said Anura Fernando, chief innovation architect, medical systems interoperability and security at UL. In addition, organized crime is looking to health care and critical infrastructure for monetary gain for ransomware attacks. 

[IoT World is the global conference and exhibition that puts IoT, AI, 5G and Edge into action across industry verticals.]

And more recently, a growing number of hospitals have been targeted in ransomware campaigns, with some of them forced to delay patient care. Some institutions, such as the United Kingdom’s National Health Service, have inadvertently been swept up in broader ransomware attacks, such as WannaCry, which forced the institution to cancel 19,000 appointments. 

Fernando warns of the possibility that a terrorist organization could combine a cyberattack on health care infrastructure with a separate physical attack. In such an event, treatment of casualties from, say, a car bombing could be disrupted by a coordinated cybercampaign targeting nearby hospitals. Such an attack “could have much more devastating effects than it would if the health care system were operating properly,” Fernando said. 

Justin Fier, Darktrace’s director for cyber intelligence, said health care cybersecurity has reached a tipping point where breaches have begun to negatively impact patient care. The introduction of 5G could accelerate that trend. Fier said: “The question is: Are we as an industry even prepared for this 5G phenomenon, which is going to add connectivity to devices we never even thought connectivity would exist in?” 

Even before 5G becomes mainstream, there has been an uptick in the use of IT and IoT technology in health care in the United States was the 2009 American Recovery and Reinvestment Act along with efforts from the Office of the National Coordinator for Health Information Technology, Fernando said. At that time, there was a concerted push to deploy emerging technology to address health care’s biggest challenges. The top goals included reducing health care costs as well as improving the treatment of the elderly and those who weren’t close to health care providers. “All of those things accelerated the propagation of software-based and network-connectable healthcare technologies into this space,” Fernando said. And that, in turn, led to an increased attack surface. 

It’s perhaps not surprising then that attackers are taking advantage of the situation to attack everything from hospital workstations to CT machines. “One of our clients shut the entire wing down just because we found a number of open ports on [CT machines],” Fier said. Because the machines were connected to the patient network, an attacker who gained access to a CT machine could gain access to personally identifiable information. 

Hospitals have some of the most-difficult IoT infrastructure to manage from a security perspective because a significant number of devices are mobile. And then, a hospital is more difficult to physically secure than, say, a manufacturing plant. “That is something to think about in public institutions,” Fier said. “People are walking the halls who aren’t necessarily vetted.” Attackers in such a medical environment would likely have a plethora of soft targets ranging from unsecured networks to medical devices with open USB ports. “And then, of course, many hospitals are still utilizing FTP — File Transfer Protocol,” Fier said. He routinely shows customers in the health care industry how many physicians send out data using a non-HIPAA compliant transmission with patient information in the file name. “And that’s a scary thought when you think of nation-state access, scooping up the entire internet, you know, and looking at that data,” Fier said.  

While regulators, device makers and hospital IT staff have all made cybersecurity a priority, the health care landscape will likely continue to be an attractive target for cybercriminals, nation-states and other threat actors. “Contrary to what the U.S. government says about ‘not negotiating with terrorists,’ [employees in medical institutions] don’t necessarily have that choice,” Fier said. 

In terms of ransomware attacks directed at health care targets, the situation pressures hospitals to pay the ransom. “As long as they’re paying the ransom, [ransomware] is not going anywhere, anytime soon,” Fier said. 

If anything, trends popular in mainstream IT, such as the open-source movement and machine learning, could make ransomware more challenging to defeat. For one thing, the open-source ethos among cybercriminals has lowered the bar for attackers. The Mirai botnet of 2016, which shut down a portion of the internet, has given rise to a long list of variants thanks to its creators’ decision to make its source code available online. 

The same principle is at work with ransomware. “It doesn’t necessarily need to be a nation-state or APT that’s [behind ransomware],” Fier said. A lot of the libraries out there to do this stuff for open source. Now, you don’t have to be a major computing power to accomplish this anymore.” 

As far as machine learning and related technologies are concerned, Fier predicts cybercriminals to leverage chatbots for ransomware-related customer service operations. Criminals behind ransomware operations have provided professional customer service to aid victims in buying cryptocurrency. The use of “1-800 number help desk lines is a major security footprint for attackers,” Fier said. “I think you’re going to start to see them moving off of that model toward more of the natural language processing.” 

There are also signs that spammers are drawing on machine learning and natural language processing to make spam emails look more plausible. “We already see signs of that.” 

Fier also anticipates ransomware will ultimately spill over to the IoT realm. “What happens when a hospital gets attacked, but instead of hitting all the terminals, [attackers] only hit the IV pumps?” he asked. In such a scenario, a hospital would be coerced to pay a ransom quickly. “I think you’re going to start to see the ransomware get even more targeted than it already is,” he added. 

Such targeted attacks, within and outside of health care, are likely to be designed to inflict the greatest amount of inconvenience possible to accelerate their victim’s ransom payment. “I think ransomware is going to move into the residential space where you’ll come home after a long day of work, and your thermostat or your door locks are going to be locked out,” Fier said. 

“I think we’ve only seen the tip of the iceberg on the ransomware phenomenon,” he concluded. “As long as it’s profitable, I think you’re going to continue to see it grow and morph and change and become more and more advanced.” 

Tags: Connected Health Care Security Features

Related


  • Image shows welding robotics and a digital manufacturing operation.
    IoT Supply Chain Vulnerability Poses Threat to IIoT Security
    The supply chain provides building blocks for IoT but also vulnerabilities. IT pros need to ward against malicious attacks that exploit supply chain security gaps.
  • IoT Security Needs Pen Testing Approach
    IoT pen testing is a no-brainer, say experts. But don’t test everything.
  • Image shows a digital background depicting innovative technologies in security systems,
    Securing IoT Devices With Zero Trust Requires Mindset Shift
    Zero-trust approaches require a shift in mindset to ensure IoT devices have rigorous security policies applied — and the work is never done, say IT pros.
  • An Integrated Approach to IoT Security
    This e-book provides a comprehensive framework to help organizations reduce risk in IoT products and environments.

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • Unlocking Telehealth Benefits Hinges on Data Integration 
  • Common Internet of Things Security Pitfalls 
  • Can Privacy-Preserving Machine Learning Overcome Data-Sharing Worries?
  • Developing a Critical Infrastructure Cybersecurity Strategy

News

View all

Private LTE Market Projected to Grow to $13 Billion

12th January 2021

IoT World Announces 2021 IoT World Advisory Board

9th December 2020

White Papers

View all

The eSIM Cookbook – Towards the Next Generation of Connected Devices

22nd February 2021

eSIM Delivers Greater Freedom for OEMs – by Beecham Research and Truphone

22nd February 2021

Special Reports

View all

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

Webinars

View all

Weber’s Journey: How a Top Grill Maker Serves Up Connected Cooking

25th February 2021

From Insights to Action: Best Practices for Implementing Connected Device Security

15th December 2020

Galleries

View all

Top IoT Trends to Watch in 2020

26th January 2020

Five of the Most Promising Digital Health Technologies

14th January 2020

Industry Perspectives

View all

IoT Spending Holds Firm — Tempered by Dose of ‘IoT Pragmatism’

1st December 2020

The Great IoT Connectivity Lockdown

11th May 2020

Events

View all

IoT at the Edge

17th March 2021

Embedded IoT World 2021

28th April 2021 - 29th April 2021

IoT World 2021

2nd November 2021 - 4th November 2021

Twitter

IoTWorldToday, IoTWorldSeries

IoT Remote Monitoring Helps Enterprises Traverse COVID-19 and Beyond dlvr.it/RtZ3K5 https://t.co/owJXYf1gkO

26th February 2021
IoTWorldToday, IoTWorldSeries

Securing the Industrial Internet of Things dlvr.it/RtYfYk https://t.co/khUn79dvQD

26th February 2021
IoTWorldToday, IoTWorldSeries

📢 Announcing #EIOTWORLD sponsor, @BluetoothSIG — the global standard for simple, secure wireless connections. ➕ Le… twitter.com/i/web/status/1…

26th February 2021
IoTWorldToday, IoTWorldSeries

How IoT Devices Can Enhance the Connected Customer Experience dlvr.it/RtPcvS

24th February 2021
IoTWorldToday, IoTWorldSeries

🤝 Meet #EIOTWORLD speaker Ingo Feldner, Project Lead for Virtual #Hardware Platforms at @RobertBoschGmbH 📅 Join hi… twitter.com/i/web/status/1…

24th February 2021
IoTWorldToday, IoTWorldSeries

Developing IoT Applications with Rust: Using a Rust Development Environment dlvr.it/RtNqrk https://t.co/wOmnoz2UVT

24th February 2021
IoTWorldToday, IoTWorldSeries

Chip-Enabled Edge AI Drives Next-Gen IoT dlvr.it/RtKcMQ https://t.co/dLjBzE6Qei

23rd February 2021
IoTWorldToday, IoTWorldSeries

The eSIM Cookbook – Towards the Next Generation of Connected Devices dlvr.it/RtG5bB https://t.co/5kXa8Pnv4T

22nd February 2021

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X