
Medical IoT Needs Stronger Dose of Security, Survey Finds


As medical IoT grows, so do security threats to the various devices linked to the network — including computers in clinicians’ and administrators’ offices.

Written By
Joe McKendrick
Mar 15, 2018

One of the most exciting developments we’re seeing in the highly connected, real-time Internet of Things is the ability to connect medical devices that provide real-time monitoring of patients’ health. We see this on the more casual level with Fitbit-class bracelets that keep track of heart rates and measure physical activity. Implanting devices that can be administered and updated from remote locations also opens up new worlds of possibilities with more hard-core medicine.

Pacemakers are a great example. Previously, they were obtrusive boxes that had to be planted, via major surgery, into a patient’s chest, and periodically removed, via further surgery, for maintenance. A few years back, they evolved to extremely small devices, attached to a wire that could be monitored by patients making a simple phone call and holding the receiver up to their chests.

Along with pacemakers, there is a wide range of medical devices now feeding real-time data to medical professionals and administrators, from infusion pumps and patient monitors to imaging systems and medical device gateways.

While progress has been awe-inspiring, unfortunately, security threats have been growing as well. As the medical IoT grows, so do threats emanating from the various devices linked to the network — and that includes the computers in clinicians’ and administrators’ offices.


A new study from ZingBox, for example, finds medical devices make up less than a quarter of all devices found in dedicated medical networks – another 43 percent of devices in networks dedicated for medical devices consist of PCs, the report shows.

The most common types of security risks were found to originate from user practice issues — such as the use of embedded browsers on medical workstations to surf the web, conduct online chat or download content — accounting for 41 percent of all security issues. This was followed by outdated operating systems or software, such as the use of legacy Windows OS, obsolete applications, and unpatched firmware. These issues account for 33 percent, or one-third, of all security risks found on connected medical devices. Use of unauthorized applications (22 percent) and browsers (18 percent) make up the bulk of user practice issues and are the leading security issues for connected medical devices.

The ZingBox researchers explored the behavior of medical devices deployed in more than 50 hospitals, clinics, and other healthcare locations, analyzing tens of thousands of devices and identifying security issues ranging from user practice issues to outdated software.

Some devices are more exposed

Certain devices were more exposed than others in the medical device side of the IoT. The report showed infusion pumps, used by 46 percent, are the most widely deployed connected medical devices but are not the leading cause of security issues. However, imaging systems, used by 19 percent, rank number one — the source for 51 percent of all security issues. “While infusion pumps make up nearly 50 percent of connected devices in hospitals, they don’t represent the largest cyberattack surface,” said Xu Zou, CEO and co-founder of ZingBox. “Security issues relating to infusion pumps were only at two percent. However, attention to protecting these devices should still be a priority since a successful attack on a single infusion pump could result in disabling the bulk of all infusion pumps through lateral movement and infection.”

Of the seven network applications typically found in imaging systems, an average of three applications are for communications with devices outside the organization. The majority of other devices include applications which predominantly communicate with other devices and servers within the organization’s network.

The report’s authors provide recommendations for running a more secure medical IoT:

Seek real-time visibility into device deployment and inventory: “Most healthcare providers lack the visibility into the devices deployed in their network and the network topology themselves. The first step to formulating an effective strategy is to base it on an accurate inventory of devices and network configurations.”

Control rogue application and communications: “Inappropriate or unauthorized use of applications account for a large portion of security issues identified across connected medical devices. Applying contextual enforcement policies based on the individual device types can greatly reduce the exposure to rogue applications and lateral movement of infection due to inappropriate use.”

Develop strategies for top vulnerabilities and risks: “No two healthcare organizations are alike. Hence, every organization should assess their deployment and identify their biggest vulnerabilities and risks. They should then prioritize their action plans starting with their biggest exposure.”

Adopt “micro-segmentation” of devices: This is a “sound practice of limiting lateral infection or movement and at the same time, enable efficient device management,” the report’s authors state. “By placing devices in Virtual LANs (VLANs), organizations can isolate like devices from other device types as well as easily identify and locate devices in the network. It can also simplify the process of bringing new devices online with a well-defined VLAN already in place.”
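The inventory, contextual-policy and micro-segmentation recommendations above can be checked together against observed traffic. The following Python is an added example, not code from the ZingBox report or this article; the VLAN numbers, policy table, addresses and application labels are constructed assumptions.

```python
from collections import namedtuple

Device = namedtuple("Device", "ip dev_type vlan")
Flow = namedtuple("Flow", "src dst app")

# Assumed VLAN plan: one VLAN per device type (micro-segmentation).
VLAN_PLAN = {"infusion_pump": 110, "imaging_system": 120, "device_gateway": 140, "pc": 200}
# Assumed contextual policy: per source device type, the only
# (destination type, application) pairs that type is expected to use.
POLICY = {
    "infusion_pump": {("device_gateway", "hl7")},
    "imaging_system": {("device_gateway", "dicom")},
    "pc": {("device_gateway", "https")},
}
# Constructed inventory and flow records (not taken from the report).
INVENTORY = [
    Device("10.1.10.5", "infusion_pump", 110),
    Device("10.1.10.6", "infusion_pump", 110),
    Device("10.1.20.7", "imaging_system", 120),
    Device("10.1.20.8", "imaging_system", 200),   # sits in the PC VLAN
    Device("10.1.40.2", "device_gateway", 140),
    Device("10.2.0.15", "pc", 200),
]
FLOWS = [
    Flow("10.1.10.5", "10.1.40.2", "hl7"),
    Flow("10.1.20.7", "10.1.40.2", "dicom"),
    Flow("10.2.0.15", "10.1.10.6", "smb"),        # PC talking to a pump
    Flow("10.1.20.7", "203.0.113.9", "https"),    # endpoint not in inventory
    Flow("10.1.10.5", "10.1.10.6", "smb"),        # pump-to-pump traffic
]

def misplaced_devices(inventory):
    """IPs of devices whose VLAN differs from the one planned for their type."""
    return [d.ip for d in inventory if VLAN_PLAN.get(d.dev_type) != d.vlan]

def policy_violations(inventory, flows):
    """Flows the per-type policy does not allow, each with a reason."""
    by_ip = {d.ip: d for d in inventory}
    findings = []
    for f in flows:
        src, dst = by_ip.get(f.src), by_ip.get(f.dst)
        if src is None or dst is None:
            reason = "uninventoried endpoint"
        else:
            if (dst.dev_type, f.app) in POLICY.get(src.dev_type, set()):
                continue
            reason = "same-type lateral" if src.dev_type == dst.dev_type else "cross-type"
        findings.append((f.src, f.dst, f.app, reason))
    return findings
```

Flows to endpoints missing from the inventory are reported rather than assumed benign, which is why the inventory recommendation comes first.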

Joe McKendrick

Joe McKendrick is RTInsights Industry Editor and industry analyst focusing on artificial intelligence, digital, cloud and Big Data topics. His work also appears in Forbes and Harvard Business Review. Over the last three years, he served as co-chair for the AI Summit in New York, as well as on the organizing committee for IEEE's International Conferences on Edge Computing. Follow him on Twitter @joemckendrick.
