IoT security is a headache, a mess and several other flavors of annoying for any enterprise, but in healthcare, it can be literally life and death.
Compromising any connected device has two main consequences – one is to enlist devices into a botnet, like the security camera-capturing Mirai, and the other is to offer a passage deeper into any infrastructure the device is connected to.
+ALSO ON NETWORK WORLD: What is IoT? + Bluetooth Mesh takes aim at enterprise IoT, but hasn’t taken flight
But medical IoT poses additional security risks. For one thing, connected records systems and anything that contains personal information are attractive targets for identity thieves – your Social Security number is all over your medical records. Compromising a medical IoT device and pivoting to other targets on the network could result in a breach of these records, researchers have found.
Under certain circumstances, an attacker could exercise direct control over medical equipment, with potentially fatal consequences – witness the infamous hacked insulin pump, which first made headlines all the way back in 2011.
The key difference between traditional security and IoT security is visibility, according to Xu Zou, CEO and co-founder at IoT security specialist ZingBox. IoT devices are purpose-built, non-standardized, and run a vast array of software, making them much more difficult to manage centrally. Even with the advent of BYOD, the number of different endpoint types an IT department has to manage is relatively limited compared to the panoply of IoT devices.
Traditional endpoints have users or administrators attached to them, who can see notifications about patches and work to apply them in a timely way. That’s just not the case for connected medical devices, and it means that a traditional, agent-based approach to IoT security is doomed to failure, noted ZingBox head of marketing John Yun.
“You can’t just say ‘let’s download a Microsoft patch and put it on an infusion pump’ and then five minutes later hook that up to a patient,” he said.
There are between 10 and 15 connected devices at the average hospital bed, according to Hamid Karimi, a Silicon Valley veteran and global vice president of business development and OEM at BeyondSecurity.
Karimi said that the least secure medical devices tend to check three specific boxes: One, they’re designed in isolation, meaning that the designer was thinking only about core functionality, and not security. Two, there’s a use case for them that goes beyond their design spec. Finally, they have an Internet connection.
Cardiology and radiology devices are frequently vulnerable, according to Karimi. Devices that generally operate within their own little silos, but are subsequently connected to the Internet are often vulnerable because they weren’t designed to protect themselves against the sophisticated attacks that can come from the Internet.
The key motivator is financial benefit, according to Karimi. “A lot of medical data clearly includes information that could be used for financial fraud – your social security number, your email address.”
“Barring things like espionage or assassination attempts and so forth, it’d be a case of holding data hostage, with the aim of making a provider pay,” he said.
The issue is compounded by a lack of security expertise in the medical IoT field, he added, and there’s a concomitant lack of concern around the whole problem. The makers of medical IoT devices simply haven’t prioritized the issue despite the evident flaws present in many of their products.
“The problem is all these manufacturers look at security as a feature of a device, or a feature of a service that needs to be outsourced to a security expert,” he said. “The biggest issue is that neither the regulations nor the manufacturers regard security as a critical piece of the overall design process, and therefore, the security controls are left to the manufacturer’s discretion.”
There has been some recognition of the issue at the federal level – a Senate bill introduced this week takes aim at the legal liability end of the problem, mandating that IoT devices sold by vendors to the federal government meet minimal security standards, and it’s possible that this could push the industry to clean up its security act.