Remember when it seemed like the most that would happen if your personal information was compromised was that you’d have to get a new credit card (or two or three) and notify any merchants that had your numbers on file to update their records? It’s hard to believe you may one day pine for the relative ease of those simpler times.

What could be worse than having your identity stolen? How about having your personal health information (PHI) leaked or, worse still, having your health compromised by a cybercriminal?

Why would someone want to steal your PHI? While hard and fast numbers are difficult to come by, it has been widely reported that such data can fetch around $50 per record on the black market, which is substantially more than a credit card number would typically be resold for. A more sinister motivation involves blackmail, where the attacker leverages the personal nature of the information to extort payments or specific actions on the part of the victim.

That sounds bad enough, but it could get a lot worse.

The Internet of Medical Things

Imagine the case of a cardiac patient with an implanted pacemaker or defibrillator. Such a device can literally be a lifesaver — when operating properly.

That last bit is important. Medical equipment of this sort is not of the “set it and forget it” type. It needs regular monitoring and adjustment by a trained medical professional. What happens if the patient lives 200 miles from the nearest clinic and frequent travel of this duration would be a hardship?

A solution that the device manufacturers have cooked up involves adding a wireless control capability so that adjustments can be made without having to open the patient’s chest. Better still, the telemetry can be gathered at the patient’s home and transmitted automatically to the physician, who can, in turn, make adjustments to the device remotely. This allows for more frequent tweaks at lower cost and a better quality of life for the patient — a win-win scenario, right?

The Downside

If the good guys can do this, then there always exists the possibility that the bad guys can, too. With the wrong person at the controls, a lifesaving device can become a killing machine.

Before you dismiss this scenario as scaremongering, bear in mind that more and more such medical devices are being rolled out every day. Some are implanted in the patient’s body, as in the previous example, and some are external, such as an insulin pump with wireless controls. The fact is that these great gadgets are increasingly being connected to the Internet, therefore making them and the people who depend on them more vulnerable.

Attacks of this sort have been demonstrated repeatedly. Dating back at least as far as 2008, insulin pumps have been shown to be hackable. In 2013, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert that reported researchers had found “a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors.”

The report went on to say, “The affected devices are manufactured by a broad range of vendors and fall into a broad range of categories including but not limited to: surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors and laboratory and analysis equipment.”

In other words, the vulnerability was not isolated, but rather spanned a wide variety of vendors with an even wider variety of devices. Throw in the fact that some of these devices and their vulnerabilities could be networked and the risk increases further.

If you think that equipment of this sort isn’t networked, point your browser to Shodan, which bills itself as “the world’s first search engine for Internet-connected devices.” Think of it as Google for the Internet of Things (IoT). On this site, you can find networked gear ranging from unsecured webcams to equipment in health care facilities. With more and more devices coming online, you can expect this list of exposed endpoints to continue to grow.

Now That Health Has Your Attention…

So now you hopefully have a sense of the scope and danger that exists. What about a solution?

Clearly, we have our work cut out for us. Security professionals need to work hand in hand with medical device manufacturers to ensure that the necessary critical thinking happens during the earliest design stages. They can also apply best practices and lessons learned from decades of defending corporate networks to this relatively newer ecosystem of interconnected lifesavers.

The health care industry needs to develop standards and certification programs to establish baselines for what constitutes due diligence in this area where IoT and medicine meet.

Consumers have to pull their weight and ask critical questions of health care providers just as they would with other significant purchases. At the same time, regulatory agencies need to step up their game and provide necessary oversight before patients are put in harm’s way.

The path forward promises amazing ways to improve outcomes, quality of life and longevity for patients as we leverage advances in health care and computing technologies. We just need to take care not to allow these medical marvels to be hijacked along the way.
