How to ensure data security while using IoT devices in the healthcare industry

May 11, 2020 Corporate Blog

by Katherine Shilova

The Internet of Things (IoT) stopped being just a future trend a while ago and has become the present. It is increasingly used within many industries to solve various problems, such as traffic light control or advanced surgery. The possibilities of IoT are almost limitless, but it also has its flaws and risks, including those regarding data security. In this article, we will focus on the healthcare industry, outline the three main risks connected with using IoT within it, and suggest some possible solutions to them.

First risk: DNS rebinding attacks

Like most client devices, IoT devices use the Domain Name System (DNS) to connect to a remote server. Unlike client devices, IoT devices are designed to connect to a specific device in order to install software upgrades or just to check in.

There’s a catch: a hacker can trick an IoT device into connecting to a malicious DNS server and afterward force it to connect to undesired domains. Such an attack is called a DNS rebinding attack, and its aim is to compromise the device and use it as a relay point.

The bad news is that most smart devices are vulnerable to it, and many of these are used in the field of healthcare:

  • Wearables (like fitness bands or cuffs monitoring blood pressure)
  • Smart vaccine fridges (which prevent vaccines from spoiling and monitor them constantly)
  • Smart sensors (e.g. sensors that locate equipment in a hospital via Bluetooth or radio frequency)

The vulnerability appears because IoT systems are produced using either weak or badly designed third-party network stacks, which are installed as part of the supply chain manufacturing process.

The result? Due to the lack of network expertise, device manufacturers might not know that this software is potentially dangerous until it’s too late to do anything about it.

There might be a cost-effective solution to this problem: integrating these devices into cyber-security monitoring products. Not only will it be much easier and cheaper than looking for new, attack-proof devices, but it will also keep data safe, which is the main concern nowadays.
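One check such a monitoring product can run for DNS rebinding is to flag DNS answers in which an external name resolves to an internal address, especially after it previously resolved to a public one. The sketch below is an added example, not code from the original article; the log format, host names, addresses and the `.hospital.internal` local zone are constructed assumptions.

```python
import ipaddress

# Constructed resolver log: "<epoch> <client> <qname> <ttl> <answer-ip>"
SAMPLE_LOG = """\
1589190000 10.20.0.15 updates.vendor.example 3600 203.0.113.10
1589190005 10.20.0.15 telemetry.vendor.example 300 198.51.100.7
1589190010 10.20.0.31 cdn.rebind.example 1 203.0.113.66
1589190012 10.20.0.31 cdn.rebind.example 1 10.20.0.15
1589190020 10.20.0.40 fridge.hospital.internal 60 10.20.0.15
1589190030 10.20.0.31 static.unknown.example 5 192.168.1.1
"""

# Assumed local zone: names under it may legitimately map to internal hosts.
INTERNAL_SUFFIXES = (".hospital.internal",)

# Explicit ranges: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_internal_addr(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log_text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return alerts for external names that resolve to internal addresses."""
    seen_public = set()  # external names already seen with a public answer
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, qname, ttl, answer = parts
        qname = qname.lower().rstrip(".")
        try:
            ts, ttl, internal = int(ts), int(ttl), is_internal_addr(answer)
        except ValueError:
            continue  # non-numeric field or unparsable address
        if qname.endswith(internal_suffixes):
            continue  # local zone: internal answers are expected
        if not internal:
            seen_public.add(qname)
            continue
        reason = ("public-to-private flip" if qname in seen_public
                  else "external name resolves to private address")
        alerts.append({"ts": ts, "client": client, "qname": qname,
                       "ttl": ttl, "answer": answer, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in find_rebinding(SAMPLE_LOG):
        print(alert)
```

The same rule can be enforced at the resolver rather than only alerted on, by dropping answers that map external names to internal ranges.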

Second risk: Bodily harm (injury)

If software installed on an IoT device doesn’t work properly, it not only affects data security, but also human health and safety. Technology companies making such devices need to understand that flaws in design or during production and inappropriate product usage might result in a user’s or patient’s bodily injury or even death.

For example, a specific device might be responsible for sending patient-related data to medical staff in real-time. A software error like a delay in data transmission may lead to deterioration of the patient’s health due to a lack of knowledge about their actual status.

The second issue is the safety of the transmitted data. As mentioned, this is often overlooked due to a lack of awareness or because of other reasons, and such data must be heavily protected against attacks and other threats because of its sensitive nature.

Setting up a monitoring system might not be enough to deal with flawed designs and inappropriate product usage leading to injury, but it’s a good start. Regarding the safety of data transmission, there are some options: double-checking software, firewalls, two-step authentication or strong password encryption.

Third risk: Potential data leakage

The healthcare industry is one of the main targets of attacks by hackers, and that’s for two main reasons:

  • More and more personal data is stored by hospitals and other healthcare organizations electronically.
  • It’s an opportunity to gain access to expensive medical services or prescription drugs.

And while the rising popularity of IoT medical devices (IoMT) means better healthcare for us, it also poses a dangerous threat to our data safety. For now, these devices are often perceived as the weakest link in an IT network, and that’s because:

  • the software used to build them is outdated
  • they store vast amounts of sensitive, valuable information
  • they’re an easy point of entry for hackers.

The risk of such an attack is high, and it may lead to the leakage or loss of personal data, or to the alteration of medical information about medications, dosages, health conditions, etc.

It may be because technological advancements do not always go hand in hand with advancements in security. In other words, a device may be modern, but the software installed on it may be outdated.

For example, security gaps in Windows 2000 allowed for access to the directory of patient ultrasounds.

Now, let’s talk numbers.
Stolen personal data from hospitals and other healthcare organizations can be sold for up to $60 per record on the dark web. It’s obvious that hackers have high financial motivation for attacks and IoT devices make it even easier for them.

According to Ponemon’s Cost of Data Breach Study, the cost of remedying a data breach per health record is the highest among all industries, amounting to more than $400 per record.

All these vulnerabilities may still exist, but it is important that all healthcare organizations have an advanced prevention security solution that’s able to detect harmful attacks and attempts to access IoT devices and exploit their vulnerabilities.

Conclusion

There is no doubt that IoT devices in healthcare come with benefits that cannot be neglected. They provide valuable data that can save lives, and efficient ways to manage it. However, data security can’t be overlooked. Awareness of vulnerabilities and of the serious effects of the exploitation of these vulnerabilities should be enough to properly secure transmitted and stored data.

The ultimate solution is network segmentation, which means separating patient data from the rest of the network. It should and will give the IT professionals working with the healthcare organization the confidence to provide IoT devices together with additional security for the network and data.

Once that’s implemented, the healthcare industry can operate without putting patient data and records at risk.