Rise in remote care puts medical equipment at risk of cyber attacks


John Grimm, Vice President of Strategy and Business Development at Entrust, shares his advice on how health organisations can minimise the chances of a security breach at a time when resources are stretched more than ever

The COVID-19 pandemic and subsequent lockdown have been the catalyst for an unprecedented global transition to remote care and telehealth methods, accelerating the adoption of Internet of Things (IoT) enabled devices for treatment and evaluation. The rapid pace of adoption to simply maintain some level of care and treatment may have brought about unknown digital threats that could threaten Britain’s most vulnerable people.

As governments advise against face-to-face consultation and medical centres only accept the most urgent of cases, technology is stepping into the gap. A study by McKinsey highlighted a 65% surge in healthcare providers interested in offering telehealth options going forward[1] in the form of virtual consultations and/or connected devices – and it seems likely that these technologies will become a permanent fixture in healthcare.

Use of connected IoT devices has been rising, with 24% of patients in an Ipsos Mori study[2] reporting they were currently using an IoT device or had used one in the past. Healthcare providers are now investing heavily in connected devices, from implanted insulin pumps to wearable technology for remote heart rate monitoring. Deloitte projects the connected medical device industry to be worth over $158b by 2022, compared to only $41b in 2017[3].

On the surface this appears to be a success story for technology, tackling short-term and long-standing difficulties of administering health care to a growing population. However, there are clear gaps in the security of IoT devices. Personal information could be misused or stolen by malicious actors through compromised, vulnerable devices, and those devices could be used for spying or as part of a botnet. The proliferation of this technology in healthcare, however, has brought the physical safety of users under the same scrutiny.

Entrust’s 2020 PKI and IoT Trends Study of nearly 2000 surveyed IT security professionals from around the world found that over two-thirds (68%) of IT security professionals rank “altering the function of a device” as the greatest threat to IoT devices[4]. Over half (52%) supplemented this with the concern that devices could be compromised and remotely controlled by malicious actors. In the medical world, this could mean the hijacking of insulin pumps around the world or the disruption of caregiving facilities to damage national infrastructure. The effects of those cyber attacks could cripple national medical facilities and put thousands, if not millions, of people at risk of serious bodily harm.

The majority of respondents in Entrust’s survey ranked the countermeasures to these security threats as the least important to IoT security. A mismatch of priorities like this contributes to the overall security concerns of the incredible pace of IoT device deployment as there could be gaps in security caused by the disparity between threat and countermeasure.

The healthcare sector is often at the heart of concerted cyber attacks, such as the “WannaCry” ransomware attacks on the NHS in 2017[5], as providers are often operating with older equipment and are under incredible operational stresses. The 2017 attack paralysed the NHS and brought a national system to its knees overnight, prompting a £50m emergency spend from the government to remedy the most vulnerable departments of the NHS and a further £150m promised until 2020. Such an attack is made more likely by the security measures already in place, which recent inquiries have deemed at risk due to a variety of vulnerabilities that, if not remedied, could lead to a repeat of 2017 levels of disruption.

A recent study into the security capabilities of the wider healthcare industry highlighted a concerning assortment of vulnerabilities that care providers are currently facing. Problems ranging from terminals and equipment running unsupported versions of Windows to a lack of mobile security have led to a third (33%) of organisations reporting they had suffered a security incident due to mobile devices in 2018[6]. A greater concern, however, is the 0.4% of devices that are totally unprotected[7] due to an unsupported OS or being manufactured before providers fully understood the cybersecurity challenges. Although a small percentage numerically, these devices are often the most important in a medical provider’s network, and it is projected that this number will not change without drastic financial investment, indicating a continued security vulnerability in the future. Any device whose software cannot be updated poses a significant risk, as vulnerabilities are constantly discovered and the ability to install security patches is vital to device lifecycle security and patient safety.

When the health and wellbeing of the public is at risk, healthcare providers must act quickly and decisively to combat cybersecurity dangers. However, it would seem the IT security community simultaneously remains concerned and is contributing to the situation with such a clear mismatch between perceived digital threats and what can be done to halt them. As the world moves forward into a post-pandemic period of medicine and technology becomes an accepted part of the treatment procedure, the industry and security community must work together to keep the most vulnerable safe.

[1] McKinsey – TeleHealth: A quarter-trillion-dollar post-COVID-19 reality?

[2] Ipsos – Connected Device Report

[3] Deloitte – IOMT Report

[4] Entrust – 2020 Global PKI and IoT Trend Report

[5] House of Commons Committee of Public Accounts – Cyber-attack on the NHS

[6] ForeScout – The Enterprise of Things Security Report 2020

[7] ForeScout – Connected Medical Device Security

