The boon and bane of IoT in Healthcare.
According to the Australian Cyber Security Centre (ACSC), the healthcare industry was amongst the top sectors that reported the highest number of breaches to the ACSC in 2020, receiving 166 incident reports. This is almost double the number received in the previous calendar year where there were only 90 reported incidents affecting the health sector. The same report found that the highest proportion of health sector incidents reported to the ACSC related to compromised systems (52%).
Healthcare institutions, including pharmaceutical organisations, are frequent targets for cyberattacks for several reasons. Healthcare institutions are entrusted to safeguard copious amounts of sensitive data including intellectual property (e.g. Vaccine research) and personally identifiable information (PII) such as medical and insurance details, which can be sold for profit to other parties or on the black market. Alternatively, threat actors have also been known to use personal/sensitive data as blackmail material. Healthcare institutions are considerably more likely to accept ransom demands and blackmail because of the highly time-sensitive nature of healthcare services, especially if there is a potential for life-threatening consequences.
One key security vulnerability which is distinct to the healthcare industry is IoT security in medical devices (MRI, X-Ray, equipment for drug manufacturing etc.), obtained from third party sources. Considering many of these IoT medical devices were not built with security in mind, modern threat actors are able to easily access sensitive data housed by IT systems in healthcare organisations by taking advantage of their vulnerabilities.
Therefore, we aim to delve into a single key component of healthcare cybersecurity: IoT Security. However, before doing so, it would be pertinent to first establish an understanding of the various ways IoT has transformed the healthcare industry.
IoT meets healthcare: How IoT has redefined the industry
Enhanced Patient Care and Research Capabilities in Pharma: One of the key benefits of IoT is the ability to use big data; with access to higher volumes of data, decision makers, researchers and healthcare professionals would be able detect patterns and gain actionable insights. In several contexts, the ability to detect patterns have also allowed healthcare professionals to provide proactive care to patients, significantly increasing healthcare service effectiveness.
Telehealth Capabilities: Connectivity afforded by IoT devices allow for a smoother shift to telemedicine and remote services. The ability to offer remote healthcare services has helped tremendously in releasing a considerable burden on healthcare providers during the ongoing pandemic. Furthermore, without the need to physically go to hospitals and clinics, members of the public with curable health concerns were able to reduce the risk of COVID-19 exposure, while getting the help they need in a timely manner.
IoT Security Challenges
Unlike most other industries, healthcare institutions, particularly hospitals, have a multitude of old connected medical equipment such as MRI machines, X-ray machines and heart pumps, most of which are based on legacy systems that are challenging to maintain with extremely weak security infrastructures.
In addition to that, healthcare organisations today are bursting with new connected medical devices such as implantable medical devices such as pacemakers and smart office equipment such as smartwatches, electronic ID badges and other personal communication devices that can access the organisation’s network.
While these connected medical devices help doctors, nurses, and researchers deliver faster, higher quality care, they also create an attack surface that most healthcare delivery organizations can’t secure. Furthermore, these devices can’t take an agent, are hard to update, lack a standardised interface/system, and can’t be seen or managed by traditional security products. All of this puts sensitive data, operations, and patient safety at risk.
Having discussed how IoT has transformed medical research and patient care along with security concerns, the key challenge faced by IT leaders in the healthcare industry is striking a balance between providing the best medical care possible in an IoT network that is most secure.
Getting The Basics Right: Establishing a Core Competency in Security
One of the biggest challenges faced by CIOs and IT leaders today is with regards to modernising legacy systems with a secure, impenetrable infrastructure. While it seems like a significant undertaking, it helps to start with the basics, as with anything: Lay down a solid foundation; this involves integrating security into the infrastructure’s core from the processor level, from hardware for employees to third-party equipment.
Modernizing IT infrastructure involves refreshing systems with new processes and advanced devices, building an infrastructure with security at its core. Built-in at the silicon level, companies should invest in processor technology that is designed from the ground up with security in mind to be highly resistant to today’s sophisticated attacks, helping to protect sensitive data across all platforms connected to the organisation’s network.
With the boom in telehealth and remote working, healthcare professionals and researchers are working from home, which means they are connecting to traditional home networks. Considered less secure than enterprise networks, remote users’ computer systems can be perceived as a weak security link and thus more prone to cyberattacks. To stay ahead of threats from opportunist hackers, it is imperative that employees are provided with integrated hardware and software solutions that offer comprehensive security features for the entire system. This is precisely why all AMD processors with PRO technologies come with multi-layer security built in.
Work with security consultants and trusted hardware manufacturers who focus on delivering outcome-based solutions to customers, with security and simplification first. AMD works closely with operating systems (OS) and original equipment manufacturers (OEMs) to provide hardware security features that complement and strengthen their own security design.
IoT Security Best Practices
With a security-first foundation in place, healthcare organisations will be in a better position to identify exactly where IoT-specific security upgrades are needed, and how to go about incorporating these in the more cost- and time-efficient manner. It would be wise to begin this journey by conducting security assessments in areas with the greatest IoT security vulnerabilities, before investing in robust technologies.
Conduct a full security assessment for asset management and visibility. Even the largest organisations struggle to have an accurate and detailed inventory of every asset in their environment. However, building an impenetrable security infrastructure can only begin when all devices (old and new) accessing your organisation’s private network are accounted for. Security Assessments can also include validating the implementation of technical controls under industry or government frameworks, such as the hardening guide in the Australian Cyber Security Centre (ACSC).
Robust IoT-specific security technologies. The need for OT security is changing as these environments are rapidly being connected to enterprise networks and exposed to threats coming from the Internet. While these connections make it easy to gather data and remotely manage the OT environment, they also create entry points for attackers. In contrast, an IoT-specific Security solution does not require any agents and hence is able to secure all types of connected devices. These include OT, IT, and IoT devices. This is important because attackers see all these connected devices as one continuous system. A siloed security system that myopically sees just one of these environments simply does not keep OT systems secure. Over the years, securities technology has improved by leaps and bounds, providing simplified solutions with a multi-faceted approach to mitigate risk. For instance, AMD Infinity Guard provides a unique and robust set of security features that help complement industry ecosystem partners at the software and system levels.
Leveraging IoT, the strides made in the healthcare industry are momentous with far-reaching benefits. To sustain this development, IT leaders in the healthcare industry are urged to explore solutions and services to secure the devices doctors and clinicians use to deliver faster, higher-quality care without compromising the safety of patient’s health, safety, or sensitive medical information.