Integration of IoT in healthcare and security problems
The Healthcare industry helps in saving the lives of the patients, improves and streamlines patient care and it has gone through various transformations due to the advancement of technologies in the diagnosis process.
Internet of things (IoT) devices in healthcare have been a revolutionary technology in healthcare which can be used to improve, coordinate, and aid in disease management. Healthcare-IoT has a significant impact on the progress of the healthcare industries. Applications of healthcare-IoT are remote patient monitoring, smart health, ambient assisted living (AAL), etc. all of which can generate a large amount of data at a regular interval.
There are between 10 to 15 healthcare IoT devices per bed and a large amount of health data is accessed and transmitted over the internet. The industry needs to have surveillance over the operation of those IoT devices.
With an insecure IoT framework for the healthcare system, an adversary can launch various attacks such as data confidentiality, privacy, and integrity attacks, all of which are of great concern. Malicious attackers can steal data, harm patients, or enact ransomware.
Delays in IoT device operation and compromised IoT devices, or any other minor mistake could threaten the patient’s life.
IT Administrators in a hospital are unable to tell how many IoT devices are connected to their network, type of those devices and whether the devices operate maliciously which creates a cybersecurity risk. As well, patients are more concerned about their health-related data privacy and feel quite insecure about the theft of personal information by third-party cloud service providers.
Examples noted below demonstrate how far reaching the threat of an insecure IoT framework in a healthcare system is:
-
WannaCry, NotPetya, and botnets have attacked medical IoT devices due to lack of security mechanisms and being an easy target for attackers.
-
In June 2019 a malware named Silex began operating and bricked IoT devices.
-
In 2018, other ransomware brought down the system in two Ohio hospitals (link). As a result of this attack patients needing emergency care were diverted away from the two hospitals.
-
The SingHealth data breach phishing attack breached 21,000 patients records in Minnesota, (link).
-
Another ransomware forced a hospital in Michigan to close after the hospital refused to pay the ransom to the hackers and hackers deleted all the patient records and appointments (link).
-
As a result of a data breach discovered in 2014, UCLA Health agreed to pay $7.5 million to settle a class-action lawsuit filed on behalf of victims. (link).
-
Irdeto Global Connected Industries Cybersecurity Survey showed that 82% of Healthcare IoT devices are targeted by cyberattacks (link).
-
Researchers in Microsoft warned that several hacking groups in different nations targeting commonly used IoT devices to access organization networks (link).
The Figure below shows a history of security attacks on healthcare data (https://doi.org/10.1016/j.comcom.2020.02.018)
In conclusion, IoT devices integrated into the healthcare industry have improved the services provided by hospitals and healthcare practitioners. However, building a secure IoT framework for healthcare has always been a challenging task, and maintaining full visibility over all medical IoT devices connected to the hospital network is of core importance.
Lack of a security framework and insufficient access controls have created an increasing attack surface that can be exploited by cybercriminals to steal personal health information and disrupt healthcare services. The exploit will not only lead to an immense financial and economic loss but also very importantly threaten patients' lives, specifically emergency care units. Therefore, hospitals must be able to detect, discover, and identify security problems in the healthcare IoT which include risk assessments and prevention. There is much work to be done.
