https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/mobile-logo.png
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
    • Back
    • Embedded IoT World (Part of DesignCon) 2022
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
    • Back
    • Embedded IoT World (Part of DesignCon) 2022
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Metaverse
  • Development
  • Security
ioti.com

Connected Health Care


Getty Images

security.

Health Care Cybersecurity Hits Tipping Point

Once a theoretical risk, health care cybersecurity breaches are negatively impacting patients treated at facilities swept up in ransomware campaigns. 
  • Written by Brian Buntz
  • 6th November 2019

Once, the possibility of adversaries targeting medical devices seemed almost like a fairy tale. Sure, bogeymen could wreak havoc by targeting, say, networked hospital devices or utilities’ computers, but such possibilities seemed better suited for television plots than anything else.  

But a risk of health care cybersecurity began to grow harder to ignore roughly a decade ago when a string of researchers began to warn that a number of medical devices were vulnerable to cyber sabotage. In 2008, Kevin Fu, then an associate professor at the University of Massachusetts Amherst, demonstrated that pacemakers and implantable cardiac defibrillators were vulnerable to software radio-based attacks. In 2011, white hat hackers Jay Radcliffe and Barnaby Jack demonstrated vulnerabilities in a popular insulin pump model. A year later, Jack showed the feasibility of a pacemaker attack made famous in the Showtime series “Homeland,” while many insulin pump wearers took to hacking insulin pumps and continuous glucose monitors to enable new functionality.  

But at that same time, nation-state and terrorist organizations began to pay closer attention to health care and critical infrastructure as potential targets from a cyber warfare perspective, said Anura Fernando, chief innovation architect, medical systems interoperability and security at UL. In addition, organized crime is looking to health care and critical infrastructure for monetary gain for ransomware attacks. 

[IoT World is the global conference and exhibition that puts IoT, AI, 5G and Edge into action across industry verticals.]

And more recently, a growing number of hospitals have been targeted in ransomware campaigns, with some of them forced to delay patient care. Some institutions, such as the United Kingdom’s National Health Service, have inadvertently been swept up in broader ransomware attacks, such as WannaCry, which forced the institution to cancel 19,000 appointments. 

Fernando warns of the possibility that a terrorist organization could combine a cyberattack on health care infrastructure with a separate physical attack. In such an event, treatment of casualties from, say, a car bombing could be disrupted by a coordinated cybercampaign targeting nearby hospitals. Such an attack “could have much more devastating effects than it would if the health care system were operating properly,” Fernando said. 

Justin Fier, Darktrace’s director for cyber intelligence, said health care cybersecurity has reached a tipping point where breaches have begun to negatively impact patient care. The introduction of 5G could accelerate that trend. Fier said: “The question is: Are we as an industry even prepared for this 5G phenomenon, which is going to add connectivity to devices we never even thought connectivity would exist in?” 

Even before 5G becomes mainstream, there has been an uptick in the use of IT and IoT technology in health care in the United States was the 2009 American Recovery and Reinvestment Act along with efforts from the Office of the National Coordinator for Health Information Technology, Fernando said. At that time, there was a concerted push to deploy emerging technology to address health care’s biggest challenges. The top goals included reducing health care costs as well as improving the treatment of the elderly and those who weren’t close to health care providers. “All of those things accelerated the propagation of software-based and network-connectable healthcare technologies into this space,” Fernando said. And that, in turn, led to an increased attack surface. 

It’s perhaps not surprising then that attackers are taking advantage of the situation to attack everything from hospital workstations to CT machines. “One of our clients shut the entire wing down just because we found a number of open ports on [CT machines],” Fier said. Because the machines were connected to the patient network, an attacker who gained access to a CT machine could gain access to personally identifiable information. 

Hospitals have some of the most-difficult IoT infrastructure to manage from a security perspective because a significant number of devices are mobile. And then, a hospital is more difficult to physically secure than, say, a manufacturing plant. “That is something to think about in public institutions,” Fier said. “People are walking the halls who aren’t necessarily vetted.” Attackers in such a medical environment would likely have a plethora of soft targets ranging from unsecured networks to medical devices with open USB ports. “And then, of course, many hospitals are still utilizing FTP — File Transfer Protocol,” Fier said. He routinely shows customers in the health care industry how many physicians send out data using a non-HIPAA compliant transmission with patient information in the file name. “And that’s a scary thought when you think of nation-state access, scooping up the entire internet, you know, and looking at that data,” Fier said.  

While regulators, device makers and hospital IT staff have all made cybersecurity a priority, the health care landscape will likely continue to be an attractive target for cybercriminals, nation-states and other threat actors. “Contrary to what the U.S. government says about ‘not negotiating with terrorists,’ [employees in medical institutions] don’t necessarily have that choice,” Fier said. 

In terms of ransomware attacks directed at health care targets, the situation pressures hospitals to pay the ransom. “As long as they’re paying the ransom, [ransomware] is not going anywhere, anytime soon,” Fier said. 

If anything, trends popular in mainstream IT, such as the open-source movement and machine learning, could make ransomware more challenging to defeat. For one thing, the open-source ethos among cybercriminals has lowered the bar for attackers. The Mirai botnet of 2016, which shut down a portion of the internet, has given rise to a long list of variants thanks to its creators’ decision to make its source code available online. 

The same principle is at work with ransomware. “It doesn’t necessarily need to be a nation-state or APT that’s [behind ransomware],” Fier said. A lot of the libraries out there to do this stuff for open source. Now, you don’t have to be a major computing power to accomplish this anymore.” 

As far as machine learning and related technologies are concerned, Fier predicts cybercriminals to leverage chatbots for ransomware-related customer service operations. Criminals behind ransomware operations have provided professional customer service to aid victims in buying cryptocurrency. The use of “1-800 number help desk lines is a major security footprint for attackers,” Fier said. “I think you’re going to start to see them moving off of that model toward more of the natural language processing.” 

There are also signs that spammers are drawing on machine learning and natural language processing to make spam emails look more plausible. “We already see signs of that.” 

Fier also anticipates ransomware will ultimately spill over to the IoT realm. “What happens when a hospital gets attacked, but instead of hitting all the terminals, [attackers] only hit the IV pumps?” he asked. In such a scenario, a hospital would be coerced to pay a ransom quickly. “I think you’re going to start to see the ransomware get even more targeted than it already is,” he added. 

Such targeted attacks, within and outside of health care, are likely to be designed to inflict the greatest amount of inconvenience possible to accelerate their victim’s ransom payment. “I think ransomware is going to move into the residential space where you’ll come home after a long day of work, and your thermostat or your door locks are going to be locked out,” Fier said. 

“I think we’ve only seen the tip of the iceberg on the ransomware phenomenon,” he concluded. “As long as it’s profitable, I think you’re going to continue to see it grow and morph and change and become more and more advanced.” 

Tags: Connected Health Care Security Features

Related


  • Image shows welding robotics and a digital manufacturing operation.
    IoT Supply Chain Vulnerability Poses Threat to IIoT Security
    The supply chain provides building blocks for IoT but also vulnerabilities. IT pros need to ward against malicious attacks that exploit supply chain security gaps.
  • IoT Security Needs Pen Testing Approach
    IoT pen testing is a no-brainer, say experts. But don’t test everything.
  • Image shows a digital background depicting innovative technologies in security systems,
    Securing IoT Devices With Zero Trust Requires Mindset Shift
    Zero-trust approaches require a shift in mindset to ensure IoT devices have rigorous security policies applied — and the work is never done, say IT pros.
  • An Integrated Approach to IoT Security
    This e-book provides a comprehensive framework to help organizations reduce risk in IoT products and environments.

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • Unlocking Telehealth Benefits Hinges on Data Integration 
  • Common Internet of Things Security Pitfalls 
  • Can Privacy-Preserving Machine Learning Overcome Data-Sharing Worries?
  • Developing a Critical Infrastructure Cybersecurity Strategy

Roundups

View all

IoT Product Roundup: PTC, Nokia, Arm and More

19th May 2022

IoT Deals, Partnerships Roundup: Intel, Nauto, Helium and more

14th May 2022

IoT Product Roundup: Amazon, Synaptics, Urban Control and More

27th April 2022

White Papers

View all

The Role of Manufacturing Technology in Continuous Improvement Ebook

6th April 2022

IIoT Platform Trends for Manufacturing in 2022

6th April 2022

Latest Videos

View all
Dylan Kennedy of EMQ

Embedded IoT World 2022: Dylan Kennedy of EMQ

Dylan Kennedy, EMQ’s VP of global operations, sat down with Chuck Martin at Embedded IoT World 2022.

Embedded IoT World 2022: Omdia’s Sang Oh Talks Vehicle Chip Shortage

Omdia’s automotive semiconductor analyst sits down with Chuck Martin at this year’s event

E-books

View all

How Remote Access Helps Enterprises Improve IT Service and Employee Satisfaction

12th January 2022

An Integrated Approach to IoT Security

6th November 2020

Webinars

View all

Rethinking the Database in the IoT Era

18th May 2022

Jumpstarting Industrial IoT solutions with an edge data management platform

12th May 2022

AI led Digital Transformation of Manufacturing: Time is NOW

9th December 2021

Special Reports

View all

Omdia’s Smart Home Market Dynamics Report

7th January 2022

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

IoT Security Best Practices for Industry and Enterprise

20th October 2020

Twitter

IoTWorldToday, IoTWorldSeries

Clearview AI has been fined $9.4 million for collecting images of people from social media platforms to add to its… twitter.com/i/web/status/1…

24th May 2022
IoTWorldToday, IoTWorldSeries

Swiss-startup Airyacht is developing an eponymously named vehicle that it says will take the luxury-yacht experienc… twitter.com/i/web/status/1…

23rd May 2022
IoTWorldToday, IoTWorldSeries

@Tesla’s #Autopilot being investigated once again following fatal crash in Newport Beach, California. iotworldtoday.com/2022/05/23/tes…

23rd May 2022
IoTWorldToday, IoTWorldSeries

A new Kansas law will enable #driverless deliveries from @Walmart and its partner @Gatik_AI. #AVs… twitter.com/i/web/status/1…

23rd May 2022
IoTWorldToday, IoTWorldSeries

Access a world of opportunity in 2022 with @IoTWorldToday ➡️ Now is time to unlock ROI, by accessing a global com… twitter.com/i/web/status/1…

23rd May 2022
IoTWorldToday, IoTWorldSeries

3D Home Printer to Build 72 Residences for National Homebuilder dlvr.it/SQhWSF https://t.co/XJOs70DqzH

19th May 2022
IoTWorldToday, IoTWorldSeries

Microsoft Ramping up Cybersecurity Service Offerings dlvr.it/SQhPR0 https://t.co/nYzaDRnyVY

19th May 2022
IoTWorldToday, IoTWorldSeries

IoT Product Roundup: PTC, Nokia, Arm and More dlvr.it/SQhNNF https://t.co/ZApdw3RHdu

19th May 2022

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2022 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X