IoT Connected Healthcare Devices: Challenges In Cybersecurity And The Way Forward
IoT devices are dominating the healthcare industry today. From patient monitoring to anesthesia to radiology devices, they form the wheels driving the medical sector. But, is human error the sole factor behind hard-coded credentials, lack of authentication, and other vulnerabilities, or is it because of wrong or lazy decisions?
Cyberattacks can have a catastrophic effect on patient safety, which trickles down to the medical staff's responsiveness. Health emergencies such as heart attacks are the win and lose situations where minutes decide whether a person will live or die. Hence, it becomes crucial to understand and mitigate the worst-case scenarios in case of such attacks.
What are the most critical endpoints when it comes to hospital cybersecurity?
Healthcare organizations are the new focus of attackers for carrying out Internet-of-Things (IoT)-focused cyberattacks. The most critical endpoints from the hospital security viewpoint are patient monitoring, ventilation, anesthesia, infusion pumps, etc.
The next critical pieces of equipment in the defense line are diagnostic machines such as lab and radiology devices, which can have a severe impact when faced with a cyberattack. Even wireless tags, connected washers, access controls, and other devices that play an insignificant role in medical flow can affect the medical staff's response time.
What is the relation between complex medical device value chains and the security of connected devices?
The complex medical device supply chains allow vendors and hospital administrators to pass the buck around the crucial security best practices. Hospital administrators think that device manufacturers are responsible, while device manufacturers believe security is the hospital staff's domain. The huge expectations from other people make medical device security difficult.
Hence, it is crucial to ingrain hospital device security at the earliest stages of development.
What are the challenges in vulnerability research of medical devices?
Challenges related to access:
● Device procurement costs are prohibitive.
● Government laws and policies which deter vendors from selling to non-hospitals.
● Complexities in installation, calibration, and configuration.
Challenges related to the relationship between vendors and researchers:
● If the relationship is not suitable, it will become challenging for both sides to work together to improve security.
● If hospitals continue to use vulnerable devices without patching, then a good relationship is also not fruitful.
Hence, it becomes crucial for all stakeholders to come together to dial down real-world exposure.
Responsible disclosure—are institutional bodies playing their part?
Cybersecurity is still a new sphere in which healthcare organizations are starting to enter. Not only the industry but the government and other national oversight bodies are still not entirely standardized. Due to this fact, organizations do not know what the reporting procedures, which controls apply to whom, who is the person responsible in case of a catastrophe, etc.
Similarly, it is often seen that factors that govern the disclosure timeline are opaque, and the guiding logic is unclear from the institutional perspective. The institutional bodies which oversee disclosures such as the CISA cannot often withhold disclosures until patches are developed. Hence, there is a need for CISA to work closely with bodies such as the FDA. They can make responsible disclosure crucial for the long-term security of the health industry.
Advice to the CISO who is in pursuit of security of the connected devices in the organization
Automation is the key to a secure health organization in today's world. The manual work of securing the connected devices, their numerous models, and deployments with a separate set of permissions and rules can severely burden the workforce and monetary resources of the organization. In the health industry, automation becomes crucial because there is a continually changing environment inside and outside the hospital.
The best option is to choose a solution that is tailor-made for the health industry. It will be familiar with the medical devices' unique protocols and will work round-the-clock to help detect and remove vulnerabilities.
IoT is the thread that is connecting everyday devices faster than ever. In the future, these devices (especially in the medical sector) will become the most significant liabilities from a security point of view. It will be cumbersome for manufacturers, who had kept cybersecurity on the back burner until now, to become experts in cybersecurity. Furthermore, agent-based security solutions require frequent updates, which becomes challenging in IoT devices. Hence, third-party centralized solutions are the go-to choice for the medical industry when it comes to the security of IoT devices.