Things can only get better, so the song by D:Ream assured us back in 1994. Last year, speaking on Charlie Brooker’s 2016 Wipe TV show, Professor Brian Cox, the D:Ream keyboard player at the time and now a celebrity physicist, said it was one of the “most misleading and scientifically inaccurate pop songs that’s ever been written.”

I mention this only because I think there should be a remix entitled Internet of Things security can only get better; not least as it surely can’t get any worse.

Just look at where the NHS currently stands with regard to cyber security. Research driven by freedom of information requests, carried out at the start of the year, has revealed that attacks on the NHS have more than quadrupled over the past four years while security spending by trusts has remained pretty much the same.

Attacks have quadrupled but security budgets remained static

I’m sure that Brian Cox would point us in the direction of Newton’s third law: for every action, there is an equal and opposite reaction. The lack of any momentum in security budgets has directly led to the increase in successful attacks.

Take ransomware, seeing as it remains front and centre of the healthcare security debate since WannaCry proved so devastating. The same research found that (not counting unsuccessful attempts, phishing attempts or the WannaCry incident) the number of attacks had risen from 1,565 reported cases to 7,178 over the same period.

Ransomware attacks scattergun: IoT attacks highly targeted

What does all this have to do with the Internet of Things, you might be thinking? The correct answer is everything. Pretty much all of that rise in ransomware was courtesy of a scattergun approach to threat distribution, with the NHS suffering as part of the collateral damage.

Pretty much all of it could have been avoided with better staff training and better application of enterprise security basics. Jump to the Internet of Things threat and almost everything is flipped on its head: attacks are highly targeted, staff training cannot help, and even many of the security basics do not apply, or rather cannot be applied.

Introduction of IoT to hospital ecosystems increases vulnerabilities

The European Union Agency for Network and Information Security (ENISA) has made it quite clear in the ‘Smart Hospitals: Security and Resilience for Smart Health Service and Infrastructures’ report that “the introduction of Internet of Things (IoT) components in the hospital ecosystem, increases the attack vector rendering hospitals even more vulnerable to cyber-attacks.”

The reasons it gives are as varied as they are worrying. That such healthcare IoT solutions are usually “chosen for their low cost and specific capabilities” sits right at the top of the security concerns chart, especially when, as ENISA says, “IoT devices are highly interconnected… consequently, security decisions made locally for a specific device can have global impacts.”

Enterprise security basics such as network separation have not been applied to protect this environment, one assumes for reasons of cost and/or the impact upon functionality, and therefore upon the patient care bottom line.

Security gaps opening up as medical devices networked

Yet when you understand that many of these medical devices were never intended to be networked, and that such functionality has often been bolted on at a later date, it’s almost inevitable that security gaps are going to open up; chasms in many cases.

The ENISA report blames many of the systemic failings of IoT security throughout healthcare on design that is driven by an ‘intended use’ case scenario. This assumes that a reasonable person is operating the device, not a criminal hacker whose intentions and actions are far from reasonable. It’s a base posture that can only lead to chaos, and indeed has.

Threat of patient care hardware being held hostage

Criminals are actively targeting MRI machines, CT scanners, dialysis and drug pumps, in fact anything within the Internet of Medical Things ecosystem that might provide an opportunity to exploit. Be that through an as yet untapped form of ransomware, holding patient care hardware as hostage, or as a means to hop onto the healthcare network from where other vulnerabilities can be exploited to exfiltrate data. Internet of Things devices are even being harvested into botnets that can be used to launch DDoS attacks.

In the rush to implement time-saving, money-saving and often remote or mobile patient care solutions, it seems that security has simply been sacrificed along the way. So what needs to change? At the risk of repeating myself, the answer once more is everything.

Investment in medical IoT security urgently needed

ENISA recommends that the NHS should provide “specific IT security requirements for IoT components” and only implement “state of the art security measures.” Both will cost money, and we already know there is little appetite for increased security spending from NHS trusts.

ENISA goes on to state that device manufacturers themselves “should incorporate security into existing quality assurance systems” and involve healthcare organisations “when designing systems and services.” Great in principle, but again unlikely to happen; because cost.

Most legacy IoT devices cannot be patched

Building better security into IoT devices is often not possible simply because it raises the cost per unit, and low cost will sadly always trump high security when the purchase orders are being raised. Incorporating better security into existing products is also unlikely, as most of the legacy IoT devices out there cannot be patched.

They can, maybe, be upgraded to a later model with improved security but that then bumps heads with the budget once more. Persuading vendors that their maintenance programs should include taking care of security upgrades will be a challenge, albeit one that I think must be attempted.

Medical devices must have security designed in from ground-up

I have said it before, and I will say it again: a complex conversation regarding healthcare security is long overdue. Until medical devices have security baked into their software from the design process up, and some kind of accepted standardisation for secure data exchange between them and health information systems exists, the Internet of Medical Things is in danger of becoming the Android marketplace of healthcare hardware: dangerously fragmented and, in the absence of any legislative incentive, dangerously apathetic to the risk it represents.