Healthcare information security

The Internet of Things in Healthcare

September 27, 2016 by Infosec

The Internet of Things (often referred to as IoT) is an exciting new development in connectivity and technology that is happening as you read this. Essentially, IoT allows our multitude of devices to “talk” to each other, creating levels of interaction that have the potential to transform our daily lives. Internet of Things applications in healthcare are particularly appealing because they can potentially help us diagnose, treat, and prevent illness or disease in much more efficient ways. Unfortunately with all this new connectivity, Internet of Things medical devices also have the potential to become another entryway for hackers and criminals to exploit.

What is the Internet of Things?

The Internet of Things is a revolutionary evolution in computing that is now possible thanks to a combination of faster processors, tiny sensors, wireless technology, and the ubiquity of smartphones. This has allowed manufacturers and other innovators to begin developing all kinds of devices that can collect, transmit, and share all kinds of data. So far we’ve seen wearable tech like FitBits that measure heart rates and count steps as well as “smart” refrigerators that alert you when you are out of milk.

That’s just the tip of the iceberg. It is estimated that by 2020 there will be more than 26 billion IoT devices, and some say there may be as many as 100 billion. Regardless of the actual number, these connected devices are set to transform nearly every industry and even the way our cities work. Imagine an IoT that allows traffic to move more efficiently, store energy, collect garbage, and even control pollution. The possibilities are truly limitless and IoT has the potential to affect us in ways we cannot yet even imagine.

What is IoT in Healthcare?

IoT in healthcare is certainly going to be an important aspect of this emerging technology. A report by predicts a $117 billion dollar market by 2020. It’s easy to see why: with Internet of Things-enabled devices, caregivers will be able to more efficiently monitor patients no matter where they are and have the information collected, stored, and sent anywhere. It will also hopefully slash costs as well.

Think of a hospital that is able to continuously keep an eye on every vital sign in between nursing rounds and automatically adjust machinery without human intervention. Or a doctor that is able to treat patients in remote locations without making a house call. Perhaps an elderly person’s house can have sensors that will alert paramedics if they fall down and can’t get up or have a heart attack. All these sensors and data streams also have the potential to help people live healthier lives, like a FitBit on steroids if you will.

IoT in Healthcare Challenges 

Like most new technologies, there are going to be a number of challenges in creating an Internet of Things for healthcare. Some of the main problems include efficient battery life, making sure there is enough power to run these devices, many of which may not be able to be plugged into a wall. Then there is the problem of IoT standards within the healthcare industry, which are currently being developed but still a ways off from implementation. All these devices and data streams are also going to need a friendly user interface to make it easy for both patients and healthcare providers to work with and interpret the information. Firmware, hardware, and software updates will need delivery protocols as well.

But perhaps one of the most crucial challenges in Internet of Things medical devices is their security and keeping them and the information they contain out of the hands of thieves. Hacking is already a concern in the IoT – in 2014, one of these “smart refrigerators” was compromised and caught sending out 750,000 spam emails. The same thing could potentially happen to a smart EKG or thermometer. Rapid7, an analytics and data security firm, made a case study about IoT baby monitors and found that many of the top manufacturers have products that can potentially be exploited by hackers.

In addition, we have discussed in other posts the rising menace of ransomware in healthcare. Imagine if you will a scenario where hackers have taken control of an array of lifesaving devices and disabled them until a fee is paid. When Hollywood Presbyterian was hacked and could not access medical records, they coughed up $17,000.

Then there is the danger of all this patient data being stolen and used for nefarious purposes or sold on the black market. Hacked medical records are already being used to create phony prescriptions or billing fraud and the billions of Internet of Things medical devices will potentially create as many new paths of access to this information.

How to Prevent IoT Hacking in Healthcare

In other words, there is a lot of potential misuse and abuse of IoT in healthcare and it’s going to take a concerted effort to keep everything attached to it safe. The good news is there are plenty of organizations, both federal and private, that are working together to create safety standards as well as detect and patch any weaknesses. (For example, a company called Bastille Networks is creating sensors that can identify RF threats to IoT in the corporate workspace.)

But the last line of security is likely going to be the individual, and it may simply boil down to common sense. For example, healthcare practitioners should not be allowed to use their personal IoT devices at work or at least not let them connect to the hospital’s secure network. In spite of convenience, IT departments should be wary of using cloud storage for data unless the provider is thoroughly vetted (our own study found 13.5% of cloud services used in healthcare to be high-risk). At the very least, all data going in and out of the cloud should be encrypted and strong passwords should be used on any and all devices.

And then there are good old spam email and phishing attacks, which is likely going to follow us as we transition into the IoT. A doctor or nurse in a hurry may mistakenly click on a link or attachment or enter a password or their credentials into a phony website, which could allow hackers access to a network and possibly infect Internet of Things medical devices that are connected to it.

This is why Infosec has created SecurityIQ, which contains PhishSIM and AwareED, two important components of educating and training employees on how to avoid being phished. These two products work in tandem: PhishSIM is a simulation program that can send out phony phishing emails to staff and monitor those that click on the link; AwareED is a series of exercises and videos that cover basic security concepts that will keep the workplace safe.

InfoSec offers a free account, which will allow you to send 100 phishing emails to 30 learners. This process is completely automated; those that fail the test and click on a link are directed to a short video explaining that they have been “hacked.” These employees can then be automatically enrolled in the AwareED program and their progress monitored.

IoT in healthcare is the future. It will certainly save countless numbers of lives and quite possibly lower costs. Making sure you and your staff are aware of both its potential as well as its vulnerabilities is paramount to its success.

Posted: September 27, 2016
View Profile