Sepio | Blog

IoT Healthcare Devices and The Lack of Physical Layer Visibility

IoT Healthcare Devices

The healthcare industry performs the most critical, complex and data sensitive operations out of all business sectors. Moreover, the healthcare ecosystem is vast – made up of hospitals, pharmacies, laboratories, patients and health insurance, to name a few. As such, the information handled within the healthcare industry is expansive and, coupled with the nature of it, highly unique.

Today, most developed countries are transitioning their healthcare systems from paper-based to electronic ones. Thus, the healthcare industry is relying more heavily on technology, especially Internet of Things (IoT) devices. Much of the apparatus being used in hospitals is now internet-connected, and a considerable amount is vital to patients’ well-being, such as heart monitors and infusion pumps. Other aspects of the healthcare industry also rely on IoT devices to advance the overall performance of the sector, including patient records, laboratory results and radiology equipment. Hence, data integration, patient engagement and clinical support are all facilitated by this electronic shift.

Advantages of IoT Healthcare Devices in the Healthcare Sector

As mentioned, the use of IoT devices in healthcare brings about numerous benefits. Notably, IoT improves operational efficiency across a range of domains. Crucially, these devices enable interoperability and machine-to-machine communication, thus facilitating a smoother flow of information exchange and data movement. With this, patient care workflow can be automated, and human efforts and capabilities can be better used elsewhere. Furthermore, the capabilities of IoT devices reduce human errors and eliminate many decision-making delays.

Crucially, IoT devices can speed up crisis responses. With real-time monitoring, the diagnosis process is much swifter, and this can help in making well-informed decisions and providing on-time treatment, which is vital in critical situations – of which many healthcare-related incidents are.

For the patient, IoT devices undoubtedly improve the experience and care being received. By enhancing telemedicine – the use of electronic communications to provide clinical services to the patient without a face-to-face visit – IoT brings numerous advantages to the consumer. Importantly, there is less time away from work since the service can be conducted anywhere. For those with child-care responsibilities, telemedicine greatly reduces the interruptions that traditional clinical services can bring.

Moreover, telemedicine allows consumers to avoid coming into contact with potentially contagious patients at the healthcare facility. With telemedicine reducing the number of missed and cancelled appointments, the patient benefits from fewer delays that are usually experienced when it comes to doctor’s appointments. We all know the feeling of sitting in the waiting room at least thirty minutes after the scheduled appointment, still unattended to.

IoT also feeds into the modern societal need for instantaneous actions. With almost everything accessible immediately, IoT devices can accommodate this in the medical field by providing real-time information not only to the physicians, but also to the patient.

In Reality, Using IoT Devices in Healthcare Is Challenging

However, despite the benefits that IoT seemingly brings to the healthcare sector, there is a plethora of security challenges with using IoT in healthcare settings. Since healthcare providers perform the most crucial and elaborate operations, there is a need for highly sensitive data to be accessed, especially personal health information (PHI). In 2017, around 30% of US healthcare providers were using IoT for sensitive data and this number is only increasing. PHI is extremely attractive to attackers since it can sell for almost 300x the amount that personally identifiable information (PII) sells for, thus making the healthcare industry the number one target.

The greater the number of IoT devices in use, the more entry points there are for an attack – either to obtain the information on the infiltrated device, or, once connected to the network, to move laterally throughout the organization simply by targeting just one device. Furthermore, the increased reliance on the supply chain within the healthcare industry is only enhancing the risk to cybersecurity vis-à-vis IoT since many suppliers will likely also use this technology. Hence, there is an even greater number of entry points to the intended target, ultimately increasing the need for adequate healthcare IoT security.

Attackers can conduct a data breach whereby PHI is stolen and sold on the dark web, or they might use the stolen information to create fake IDs to buy drugs and medical equipment, both of which can be sold. This is the greatest concern for around 40% of healthcare providers. For those who are more malicious, they might attempt to control the IoT devices themselves which can have fatal consequences if successful. This threat to patient safety is a major risk to the healthcare industry.

The use of IoT within the healthcare sector is seriously dangerous since cybersecurity is often viewed as a hindrance to operations. With patient care at the forefront of concerns, cybersecurity measures often slow down productivity, and in an industry that so often conducts time-sensitive operations, every second is vital. As such, by focusing on patient care, cybersecurity investments are forgone. With this as the industry culture, it is therefore understandable why employees have such a lack of awareness surrounding cyber risks and the various actions they can take to enhance cybersecurity. Hence, the healthcare industry is highly vulnerable when utilizing IoT devices.

How to #BeCyberSmart

What measures can both the industry and consumers take in order to #BeCyberSmart? Importantly, the cybersecurity culture within the industry, as a whole, needs to be enhanced. Through education and training days, staff will need to have increased awareness regarding IoT security vulnerabilities and risks. However, reliance on staff is most definitely not sufficient.

Other measures that should be implemented include enhanced authentication such as multi-factor and/or biometric authentication to reduce the chances of a bad actor gaining access to sensitive data. Furthermore, the principle of least privilege will greatly benefit the cybersecurity posture of the industry. By only being able to access the necessary information required to conduct an activity, there will be fewer individuals who have access to highly sensitive data. Again, these measures alone are not sufficient and need to be supported by cybersecurity software that can detect if an attack is taking place. Regular security audits should be carried out in order to guarantee the efficacy of such software.

For the patient, it would be a good idea to limit the information being provided. Of course, when it comes to healthcare this can be challenging, but really consider whether the information that you are giving to your doctor is of utmost importance. Furthermore, avoid using healthcare services that rely on IoT devices if possible. When contemplating if you should engage in telemedicine services, ponder whether it really is such an inconvenience to visit your doctor face-to-face. If you are able to, then it might be better to do so.

Ultimately, with the increasing use of IoT devices, organizations are having a difficult time keeping up with what healthcare devices are connected to their infrastructure. This is extremely dangerous from a cybersecurity perspective as it increases the chances of a successful hardware attack. Sepio Solutions provides enterprises with full visibility into whatever is connected to the infrastructure and uncovers hidden hardware attacks operating over network and USB interfaces.

Physical Layer Fingerprinting 

As the only company in the world to undertake Physical Layer fingerprinting, Sepio’s solution identifies, detects and handles all peripherals; no device goes unmanaged. With this total visibility, a stronger cybersecurity posture is achieved. There is no longer a need to rely on manual reporting, legacy inventory reports and employee compliance to determine if there is a vulnerable device installed by a malicious actor. Sepio Systems now provides answers to questions such as:

  • Do we have an implant or spoofed device in our network?
  • How many IoT devices do we have?
  • Who are the top 5 vendors for devices found in our network?
  • Where are the most vulnerable switches in our network?

Having visibility across all IT assets provides the organization with a more comprehensive cybersecurity defense and can greatly reduce the risk of compromising hardware in healthcare or PHI being stolen.

With so much of our information already online that we willingly put out there, attackers can easily determine where we like to hang out, what we like to eat, what music we like to listen to, and do damage with this information. Do we really need them to know what we aren’t advertising to our social media followers?

October 19th, 2020