By Nadir Izrael, Forbes | March 1, 2019
There will be an estimated 14.2 billion connected devices in use this year, and roughly 161 million devices will be cropping up in hospitals, clinics and medical offices by 2020. While security issues with any connected device are concerning, they are particularly troubling for an industry that has such a direct impact on patient safety and lives. In fact, patient safety was the top medical device security concern in the 2018 HIMSS Cybersecurity Survey.
We’ve seen a number of attacks targeting health care, including the Orangeworm group, which installed backdoors in health care organizations around the world last year, and the WannaCry and NotPetya ransomware, which shut down hospital computers and diverted ambulances around the world.
Medical records are an attractive and lucrative target for attackers because of all the different types of personal information they contain that can be used for identity theft and fraud. There have even been numerous data breaches involving medical organizations, and these typically result in hefty regulatory penalties and fines. In addition, there are other dynamics happening in the health care industry right now that are putting pressure on organizations, such as the nursing shortage. For example, we’ll see administrators turn to technology — in particular, medical internet of things (IoT) devices — to help them give existing staff tools to do their jobs more efficiently and with fewer manual tasks.
As we start the new year, I sat down to consider what I expect to see in the following months in this burgeoning connected device space. Here are six security predictions I have that will impact health care environments and their connected devices:
1. IoT Adoption Will Spike In Health Care
Connected medical devices give clinicians the tools they need to deliver better cutting-edge care. That explains one estimate that nearly 87% of health care organizations will have adopted IoT by the end of this year. But the increasing number of these devices in hospitals, clinics and in the field creates a huge attack surface that could impact patient safety and protected information. Over the next year, health care organizations will face these challenges by increasing their investments in security products that keep devices and networks safe from attacks.
2. Hospitals Will Become Primary Targets
The recent WannaCry and NotPetya attacks show us how exposed health care delivery organizations (HDOs) are to attacks on connected devices. Since HDOs remain largely unprepared, and because attacks like these are lucrative for attackers, we unfortunately can expect to see more attacks like these throughout 2019.
3. IoT Health Care Attacks Will Evolve In Sophistication
New medical and diagnostic equipment is designed to connect — often in multiple ways and through multiple protocols. It’s not just Wi-Fi but Bluetooth and BLE connection protocols as well. And with these devices unprotected by traditional security solutions, they present a large, fresh attack surface where the goal will move from data exfiltration to data and device manipulation. Sadly, we have already seen such issues. This is why patient safety continues to be the top concern with these new devices.
4. Ransomware Will Still Be An Issue For HDOs
As we learned last year, CT scanners are now susceptible to being hacked, and we don’t see that changing. These critical devices are still an active target, given their importance for patient care and revenue generation. And whether an HDO pays the ransom or not, there are costs in addressing the medical devices taken down and improvements to their networks.
5. Medical Device Inventory And Visibility Will Become A Priority
Complete device discovery and asset inventory is the first critical step to any security strategy. The vulnerability of new medical devices, combined with a lack of visibility into these devices, will increase the need for health care organizations to identify them. In 2018, MITRE released its Medical Device Cybersecurity Incident Preparedness and Response Playbook and referred to medical device inventory as a “foundational principle.” HDOs need to know what devices and systems are connected to their network on a real-time, continuous basis.
6. CMIOs Will Become The Security Stewards For Medical IoT And More
Although most health care organizations find it easy to secure traditional laptops and smartphones, connected medical devices create an attack surface that their existing security products weren’t designed to handle. We believe spending on these devices will continue to outpace IT spending on security this year, and as awareness of the problem grows, so too will the urgency for chief medical information officers to formalize medical device and medical IoT security initiatives so they get ahead of the threat.
Clearly, we won’t be able to solve all the health care IoT security issues this year, but with increased attention and awareness, organizations can be better prepared to protect their systems and data.
As hospital security teams find their systems increasingly targeted by attacks, IT budgets are growing, and this will help them address some of the security issues. And CMIOs will likely look to secure not just medical devices but all devices across an HDO. But it’s not a problem traditional security software addresses adequately because of the nature of IoT devices, which have no security, can’t easily be updated (if at all), can’t be scanned and whose connections are out of reach of network and endpoint solutions. Health care security leaders need to start by inventorying all their medical and IoT devices and understanding the risks they pose and urging more secure design and development overall.
Nadir Izrael is Co-Founder & CTO of Armis, the agentless IoT security platform that lets enterprises see & control any device or network.