Six years ago on a TV show called “Homeland,” a fictitious U.S. vice president had his pacemaker hacked. It was riveting television but seemed too far removed from reality.
Former Vice President Dick Cheney certainly didn’t think so. A year later, concerned about reports that attackers could hack such devices and kill their owners, he instructed his doctors to disable his pacemaker’s wireless capabilities.
The fact that many of these IoT devices incorporate embedded software from a multitude of suppliers of uncertain provenance adds to their vulnerability.
Hackers target hospitals
The Food and Drug Administration last year recalled 465,000 pacemakers because of security vulnerabilities.
And the list of IoT-based equipment that can be hacked has expanded to include remotely managed defibrillators, glucometers, drug-administration devices, infusion pumps and blood-pressure-measurement devices.
These patient-centric vulnerabilities, meanwhile, are just a small part of the troublesome cybersecurity story within the healthcare industry.
Most common are hospital ransomware attacks that, among other things, block access to patient medical records, clouding important considerations such as which medications to administer or whether a patient is allergic to a drug.
Sometimes, hackers take down the entire system, which could be fatal if a patient is hooked up to a breathing machine or at a critical juncture in surgery.
Hospital-data breaches accounted for about 30 percent of reported large data-security incidents from 2009 through 2016, a study recently published in the American Journal of Managed Care shows. Two hundred fifteen breaches affected 500 or more people each during this period, and 30 hospitals had multiple breaches.
IoT and VC investment in healthcare cyber
The opportunity to help the healthcare community cope with this threat and the others is not lost on the venture community.
Last year, venture funding in U.S.-based IoT startups addressing various industries, including healthcare, reached a record $1.46 billion, according to Crunchbase, up 42 percent from $1 billion the previous year, and more than triple the $462 million invested in 2013.
The healthcare IoT market alone is poised to become a multibillion-dollar market by 2020, according to MarketResearch.com.
Strategies for improving healthcare cybersecurity
Meantime, best practices can be applied to mitigate risks to healthcare providers and recipients.
Most important is that healthcare providers make excellent IoT-purchasing decisions as part of their organizational strategy, since patients cannot demand that specific devices be used in their therapy. Once devices are purchased, security tech is difficult to retrofit, and hospitals are loath to spend twice to replace them.
Before purchasing medical devices, healthcare providers must assess the extent to which the manufacturers’ documents address security concerns — bearing in mind that while the equipment may be regulatory-compliant, it still might not be secure. Whatever security is offered should also be deeply tested, and major testing failures should be considered product flaws.
Healthcare-organization buyers should also ensure that the software within devices can be upgraded relatively easily and quickly.
A vulnerability in a device that cannot be updated can never be remediated. Organizations should weigh how the device is maintained post-manufacture, when minor vulnerabilities typically appear. Service-level agreements describing the time frame for resolving vulnerabilities should also be in place.
In addition, hospitals must address the quality of their overall security posture.
For starters, healthcare organizations must ensure that their software patching and update processes are fast and thorough.
As much as possible, organizations also need to use threat intelligence and automation, and they must institute cyberawareness-training programs for staff to protect against social-media attacks and other hostile vectors.
They must document data flows and then use that information to partition their networks into defensible segments and block unneeded traffic with firewalls. Most of these network segments also must be isolated from the internet.
Then, too, healthcare organizations must develop more visibility into activity throughout their networks, and they must do a better job protecting patient data.
A solution to this may well be homomorphic encryption, which enables an organization to query and analyze its data while the data is encrypted. This materially reduces the risk that the data will be exposed.
Reputation, trust and safety of healthcare organizations at risk
Healthcare-technology executives must step up to the plate and rethink the current state of their systems’ security, first broadly and then in detail.
It is the duty of healthcare providers, device manufacturers, software developers and the healthcare industry as a whole to build a thorough defense against threats.
At stake is no less than the reputation, trust and safety of healthcare organizations and the privacy and safety of their patients.
Robert Ackerman Jr is founder and a managing director of AllegisCyber, a cybersecurity-focused venture firm with offices in Palo Alto, California, and Fulton, Maryland, and of DataTribe, a startup studio focused on cybersecurity and data science. Reach him at [email protected]