Thursday, April 25 2024

When Amazon launched as an online bookstore twenty-eight years ago, few would have imagined that patients could one day go to its website to treat their acid reflux. But times change. Amazon just expanded its virtual healthcare marketplace, Amazon Clinic. Across the U.S., customers can now consult with clinicians through virtual calls and get treatment for over 30 types of common health concerns.

It is remarkable that you can get drops for pink eye without leaving your home, but Amazon’s new service also underscores the IoT security risks that connected healthcare brings with it. What happens when the platform housing your treatment history is exposed in a global breach? And what can be done to reduce those risks?

Health Sector Trends

Like Amazon Clinic, healthcare IoT has driven enormous innovation. A 2021 NIH study even found that the use of this technology improved healthcare performance during the COVID-19 pandemic.

Major Observations on Medical IoT Security

The pandemic also made the health sector a target. Check Point, a cybersecurity solutions provider, reported that the healthcare sector saw a 69% increase in cyberattacks from 2021 to 2022, the highest increase of any sector.

A joint report recently released by Health-ISAC, Finite State, and Securin came to similar conclusions. It examined the state of IoT security in healthcare systems and medical devices in 2023, analyzing credible public disclosures of medical IoT vulnerabilities across 117 medical application vendors and 966 products. It counted 993 vulnerabilities disclosed in 2023, 160 of which were weaponized (had working exploit code or were used in attacks). That is a 59% increase over the 624 healthcare IoT vulnerabilities counted in 2022.

Cyber Incidents by Category and Product: Health-ISAC, Finite State, and Securin Report 

Software applications accounted for 64% of the healthcare IoT vulnerabilities in the joint report, more than 600 in total. In the health sector these applications are indispensable for patients, since medical devices like infusion pumps rely on them. The same kinds of applications also handle scheduling and record-keeping, which makes a successful attack all the more disruptive.

Hardware, such as computers or life support machines, was a distant second at 269 vulnerabilities (27%), and operating systems accounted for only 93 (9%). Vulnerabilities in these two categories are nonetheless serious: they can compromise patient outcomes, cause operational disruptions, and put organizations out of compliance with data protection regulations.

According to the report, healthcare IT, such as electronic health records and database management systems, accounted for 741 of the vulnerabilities, spread across 538 products. These raise serious concerns over patient privacy and sensitive medical data. Data encryption and strict access controls can mitigate some of the resulting risk, although they do not remove a flaw in the application itself.

Moderate-risk medical devices, such as CT scanners or anesthesia monitors, came in second at 292 vulnerabilities, according to the joint report; 129 of those were attributed to medical monitoring and telemetry devices like blood pressure monitors. Only two vulnerabilities were reported for life-saving devices, but the report noted that ransomware poses a growing threat to healthcare providers. The findings mirror a July EU report on cyber threats in the health sector, which found that ransomware made up 54% of all cyber incidents reported by EU member states and neighboring countries.

Pivotal Events

The MOVEit Breach

The global MOVEit cyberattack linked to the Russian-speaking cybercrime group Cl0p is a noteworthy example of how these breaches reach healthcare. In the U.S., the incident hit federal government agencies, state agencies, educational institutions, and private companies, among other victims. As the full extent of the attack becomes clearer, new victims continue to come to light.

PH Tech, a provider of data management services to health insurers, released a notice confirming that the incident affected it. The attackers exploited a vulnerability in the MOVEit Transfer file-transfer software that PH Tech used to gain access to files containing personal information and some private health records, including member ID numbers, Social Security numbers, and claim information.

Following the incident, the Oregon Health Authority issued a bulletin stating that members of the Oregon Health Plan, which uses PH Tech, were among those affected, about 1.7 million people in total.

The Illumina Recall

Another serious incident came in April, when a critical vulnerability in the Universal Copy Service software shipped with Illumina sequencing instruments prompted the U.S. Food and Drug Administration to issue a Class II recall of the DNA sequencing instruments.

While no exploitation is known to have occurred, the vulnerability could have allowed a threat actor to take remote control of an instrument, alter its settings and configuration, access data, or even tamper with genomic results. That last possibility would have been catastrophic for patients relying on those results for treatment decisions, conjuring up images of the Theranos scandal. Illumina released a software patch to fix the problem.

The Cybersecurity and Infrastructure Security Agency became involved once Illumina reported the vulnerability to it. CISA released an advisory of its own, recommending that users minimize network exposure for all control system devices and make sure they are not reachable from the internet, place them behind firewalls and isolate them from the business network, and use VPNs when remote access is required, with the usual caveat that a VPN is only as secure as the devices connected to it.
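"Minimize network exposure" is only actionable if you can see what a device actually exposes. The script below is an added example, not part of the original article and not Illumina's or CISA's code: it parses the output of `ss -ltn` (the iproute2 socket tool on Linux) and flags every listening service that is bound to all interfaces or to an address outside an allow-listed clinical VLAN. The `ss` output and the VLAN range are constructed for the example; the port numbers are arbitrary.

```python
"""Audit a device's listening sockets for unnecessary network exposure.

Added example: parses `ss -ltn` output and reports services that listen on
every interface (0.0.0.0, :: or *) or on an address outside the isolated
clinical VLAN. Anything it reports is a candidate for a firewall rule,
a bind-address change, or removal.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `ss -ltn` output standing in for a real device.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       4096    *:8080               *:*
LISTEN  0       128     10.20.0.5:9443       0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       128     [::1]:631            [::]:*
LISTEN  0       128     192.168.1.10:3389    0.0.0.0:*
"""

# Hypothetical isolated clinical-device VLAN (an assumption for the example).
CLINICAL_VLANS = [ipaddress.ip_network("10.20.0.0/24")]
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass
class Listener:
    addr: str
    port: int
    exposure: str  # "wildcard", "loopback", "segmented" or "unexpected"


def split_local(field: str):
    """Split ss's Local Address:Port column; IPv6 is printed as [addr]:port."""
    if field.startswith("["):
        addr, _, port = field[1:].partition("]:")
    else:
        addr, _, port = field.rpartition(":")
    return addr, int(port)


def classify(addr: str) -> str:
    """Rate how reachable a bound address is."""
    if addr in WILDCARDS:
        return "wildcard"          # reachable on every interface
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"          # local processes only
    if any(ip in net for net in CLINICAL_VLANS):
        return "segmented"         # bound to the isolated VLAN, as intended
    return "unexpected"            # bound to a network it should not be on


def parse_ss(output: str):
    listeners = []
    for line in output.splitlines()[1:]:   # first line is the column header
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        listeners.append(Listener(addr, port, classify(addr)))
    return listeners


def exposed(output: str):
    """Return the listeners a reviewer should question."""
    return [l for l in parse_ss(output) if l.exposure in ("wildcard", "unexpected")]


if __name__ == "__main__":
    for l in exposed(SAMPLE_SS_OUTPUT):
        print(f"{l.addr}:{l.port} -> {l.exposure}")
```

On a real device, feed it `ss -ltn` output (or `ss -ltnp` with the process column, which the parser ignores) and review every "wildcard" hit against the vendor's documented port list; a service that only ever talks to a local component should be bound to loopback, and one that must be reachable should be bound to the segmented VLAN address and fronted by a firewall rule.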

Government Action: Strengthening Healthcare IoT Security

New FDA Guidance on Securing Hackable Medical Devices

A key government action came in late March, when the FDA published new guidance requiring medical device makers to meet cybersecurity requirements when submitting new product applications. Companies must submit a plan for monitoring, identifying, and addressing cybersecurity vulnerabilities after release; maintain a reasonable level of cybersecurity by providing updates and patches during the device's lifetime; and provide a software bill of materials (SBOM) listing the commercial, open-source, and off-the-shelf components in the device.
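An SBOM is only useful if someone matches it against vulnerability information, which is what the post-market monitoring plan above implies. The following is an added example, not the FDA's or any vendor's code: it loads a CycloneDX-format SBOM (a constructed one is embedded), compares each component's version against a constructed, hypothetical advisory list, and separately reports components whose version is missing, since those cannot be assessed at all. The advisory references are invented for illustration and are not real CVEs or vendor bulletins.

```python
"""Match a device SBOM against a list of known-affected component versions.

Added example. The SBOM is a constructed CycloneDX 1.4 JSON document and the
advisory list is hypothetical; in practice the list would come from the
vendor's or a public vulnerability feed.
"""
import json

# Constructed SBOM for a hypothetical device; versions are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "libcurl", "version": "7.68.0"},
        {"type": "application", "name": "busybox", "version": "1.31.1"},
        {"type": "operating-system", "name": "ubuntu", "version": "20.04"},
        {"type": "library", "name": "libxml2"},  # no version recorded
    ],
})

# Constructed advisory feed: versions below `fixed_in` are treated as affected.
# The "ref" values are invented identifiers, not real advisories.
ADVISORIES = [
    {"component": "zlib", "fixed_in": "1.2.12", "ref": "EXAMPLE-0001"},
    {"component": "libcurl", "fixed_in": "7.70.0", "ref": "EXAMPLE-0002"},
    {"component": "busybox", "fixed_in": "1.30.0", "ref": "EXAMPLE-0003"},
]


def version_key(version: str):
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically, not lexically."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def load_components(sbom_json: str):
    """Return (name, version) pairs from a CycloneDX SBOM; version may be empty."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [(c["name"].lower(), c.get("version", "")) for c in bom.get("components", [])]


def affected_components(sbom_json: str, advisories=ADVISORIES):
    """List components whose recorded version is below an advisory's fixed version."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["component"], []).append(adv)
    hits = []
    for name, version in load_components(sbom_json):
        for adv in by_name.get(name, []):
            if version and version_key(version) < version_key(adv["fixed_in"]):
                hits.append({"component": name, "version": version,
                             "fixed_in": adv["fixed_in"], "ref": adv["ref"]})
    return hits


def unversioned_components(sbom_json: str):
    """Components that cannot be assessed because the SBOM omits their version."""
    return [name for name, version in load_components(sbom_json) if not version]


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM):
        print(f"{hit['component']} {hit['version']} affected, fixed in {hit['fixed_in']} ({hit['ref']})")
    for name in unversioned_components(SAMPLE_SBOM):
        print(f"{name}: version missing from SBOM, cannot assess")
```

The version comparison is deliberately simple (dotted integers only); real feeds use version ranges and ecosystem-specific schemes, so a production check would use the package URL (`purl`) and a proper range matcher. The point of the separate "unversioned" list is that an incomplete SBOM gives false comfort: a component with no version is an unknown, not a clean result.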

The White House and Congress Ensuring Medical Device IoT Security

A Biden administration initiative could have an even greater impact on healthcare IoT security. The Federal Communications Commission's cybersecurity labeling proposal would apply a cybersecurity label to devices that meet standards defined by the National Institute of Standards and Technology. The devices in question include smart refrigerators and thermostats, but also glucose monitors and pacemakers. The goal is to give consumers enough transparency to choose products that are better secured against cyberattacks. The program also gives companies an incentive to improve their cybersecurity practices, since labeled products are likely to be more marketable.

Congress is playing a role in the push on IoT as well, though not always on security directly. For example, Congresswoman Suzan DelBene (D-WA), founder of the House IoT Caucus, introduced the IoT Readiness Act of 2023 in February. The act would require the FCC to collect data on the use of IoT devices in order to estimate the amount of electromagnetic spectrum needed to meet the demand they generate, and to report that data to Congress every two years.

The Path Forward 

Healthcare IoT devices have revolutionized patient outcomes and have the potential to significantly advance monitoring, diagnosis, and treatment across the health sector. They are also especially susceptible to exploitation in this environment, and nowhere are the impacts of cyber incidents more profound, since patients depend on both life-supporting treatment and confidentiality. The path forward requires a diverse approach, with special attention to the growing ransomware threat: companies must bolster their threat intelligence practices and update software regularly, government agencies must issue apt guidelines and regulations, and the public must become better-informed consumers.