Healthcare is among the best reasons for Internet of Things adoption. But IoT security problems can create science-fiction-like damage scenarios. Experts advise how IT can keep medical IoT devices safe, and what to do if an attack hits.

Healthcare has been transformed by IoT—for the better. Connected medical devices help improve people’s health in many ways, such as allowing doctors to adjust implanted devices without resorting to dangerous invasive procedures, transmitting vital medical data remotely, performing real-time patient monitoring in intensive care units, and much more.

But with those rewards come risks. Medical IoT devices also present significant potential security hazards, and they’re getting worse. Consider the following:

This article looks at why medical IoT devices are insecure, examines how widespread the problem is and the potential consequences, and offers advice from experts on how to secure these useful devices against attack.

Medical IoT devices: Insecure from birth

You might think that Internet-connected devices such as insulin pumps and X-ray machines would be among the most secure of IoT devices because of the obvious potential dangers of them being hacked. But experts warn that these are among the most vulnerable—more insecure than garden-variety PCs, servers, and other business hardware.

Mike Nelson, vice president of healthcare and transportation for security firm Digicert, says one reason for the vulnerabilities is that many connected medical devices were manufactured five, 10, or even 15 years ago, without security planned in. “Many have only very basic levels of security, if at all,” he says.

Manufacturers haven’t devoted many resources to device security. “It’s shocking some of the insecure systems we see being used,” Nelson says. Many of those devices run old, unsupported operating systems that no longer get patched, Windows XP or even earlier versions of Windows among them, so known holes stay open for the life of the device.


Compounding the problem, medical IoT devices typically require controllers, which are usually PCs or PC-based systems, says Jon Clay, director of global threat communications at Trend Micro. “Healthcare practitioners tell me that they often cannot patch these systems themselves—if they do, that voids their warranties,” Clay adds. “It’s a real problem when manufacturers aren’t responsive or are slow to issue security patches.”

Manufacturers sometimes restrict installing third-party antivirus software on the devices, points out Thomas August, chief information security officer at John Muir Health, a network of more than 1,000 primary care and specialty physicians, with medical centers in Concord and Walnut Creek, Calif. And often, he adds, “the PC and the device itself don’t use encryption, which makes them vulnerable.”

Making things worse: The federal government has been slow to confront the problem. The FDA oversees medical devices and offers suggested security guidelines for them, but those guidelines are inadequate, says August.

“The FDA certifies the device itself, but not the controllers, protocols, and cloud access the devices use,” he says. “So the oversight falls short.”

How and why they’re hacked

Clearly, medical devices are tempting targets. But why bother attacking them? Security experts say the device itself is rarely the goal; it is a way in. Typically, hackers aren’t interested in manipulating the medical devices. Instead, they break into them to gain a foothold on the healthcare organization’s network, from which they can attack other systems, steal valuable information, or plant ransomware.

“Medical devices are low-hanging fruit. They’re used as stepping-stones to gain access to electronic medical records, which on the black market are worth at least 20 times more than a credit card record because they contain much more information,” says Dr. May Wang, CTO of ZingBox.

Wang’s estimate is backed up by a report from the Healthcare Information and Management Systems Society (HIMSS), which found that a stolen health record can be sold for $50, compared with $3 for a Social Security number and $1.50 for a credit card number.

The most common attack involving medical devices uses them to place ransomware on a hospital network, she adds, an increasingly common problem. A study by Osterman Research for Malwarebytes found that the healthcare industry has been among the hardest hit by ransomware attacks. The global WannaCry ransomware hack, for example, attacked 40 hospitals in the U.K. alone. That attack also hit medical devices using embedded versions of Windows XP.

Often, hackers don’t even know when they’re hitting an IoT medical device rather than a PC. They use a scanning tool that finds exposed devices of any kind, and may know little more than the device’s IP address.

Trend Micro’s Clay says the result is that medical IoT devices are often merely collateral damage in an attack. “Many attacks have a worm component in them, and that worm is just going to find an IP address. If it has an operating system that it can exploit, it will do so,” he says. And given that many medical devices either use Windows XP or have an attached Windows XP controller, they’re vulnerable to malware.

The Homeland nightmare scenario

The biggest medical IoT nightmare is the hack of a device that can harm or kill a patient. Such a scenario was portrayed in an episode of the TV show "Homeland," in which the vice president was assassinated by someone who hacked his pacemaker and induced a heart attack.

Is this scenario real or fantasy?

It’s more real than you might imagine, say experts, although it hasn’t happened yet. Former Vice President Dick Cheney’s doctor was worried enough about such an attack that he recommended the wireless capabilities of Cheney’s heart defibrillator be turned off. Cheney followed the advice.

There’s plenty of evidence that medical devices can be hacked and remotely controlled by attackers, with potentially devastating results. Johnson & Johnson, for example, warned patients last year that its insulin pumps could be broken into and a hacker could exploit a security hole in the device to overdose them with insulin. And ZingBox’s Wang says her company has hacked into insulin pumps and IV pumps in its labs and changed drug dosages.

“If you changed doses to an extreme level, it could kill people,” Wang says.

There’s been no evidence that anything like that has yet happened. And it may never. William Hudson, vice president of IT operations at John Muir Health, notes that medical IoT attacks have a financial basis: either ransomware or stealing and selling medical records. He believes the reason no one has hacked a device and then harmed a patient is “there’s not a direct line to a payout—no way to make money from doing it. And if you start harming people, you’ll get the FBI involved, you’ll get the Department of Homeland Security involved, and that’s the kind of attention that hackers don’t want.”

Manufacturers get serious about medical IoT device security

Given all the dangers, what can be done to protect medical IoT devices? The onus falls on both manufacturers to improve device security and on CIOs and IT to do a better job of protecting the devices once they’re deployed.

There are signs that manufacturers now recognize they need to treat security more seriously. Digicert’s Nelson says, “I’ve watched a lot of the large device manufacturers ramp up their cybersecurity teams. As of three years ago, some of them were as robust as zero. But they’re now putting into place security checks.”

More evidence of manufacturers taking security seriously comes from Dr. Dale Nordenberg, executive director of the Medical Device Innovation, Safety and Security Consortium (MDISS). Founded in 2010, MDISS is funded by the cybersecurity division of the U.S. Department of Homeland Security. It helps manufacturers perform device risk assessments, share risk data, and make sure devices are hardened against attacks.

Nordenberg says the key to improving device security is having manufacturers share data about cyberattacks, threats, and risks. That way, evidence-based solutions can be crafted using the widest range of information available.

Initially, Nordenberg says, it was difficult to get manufacturers to share that data, “due to concerns about liability and reputation.” But in the past two years, he says, “a consensus has been building that there are serious cybersecurity risks associated with medical devices and the delivery of patient care.”

As a result, Nordenberg says, a substantial amount of attack data is being shared: “We are now on the way towards establishing evidence-based best practices around cybersecurity for medical devices.”

What CIOs, CSOs, and IT can do

Safer devices will go only so far toward keeping medical IoT devices secure. The bulk of the work needs to come from the healthcare organizations that use them.

ZingBox’s Wang says healthcare facilities need to address an organizational issue before they can solve the problem. Often, she says, medical devices aren’t under the purview of the IT department. Instead, they’re handled by a different group, sometimes called the "biomed team" or "clinical engineering," where the personnel often don’t have a deep background in security. Wang says all connected devices, whether medical or traditional IT hardware, should be managed by a single department with security expertise. Only then can one security plan cover them all, starting with software that automatically finds every device on the network, since a device nobody has inventoried is a device nobody is protecting.

Digicert’s Nelson adds that the use of encryption and public-key infrastructure (PKI) authentication can go a long way toward stopping attacks. With PKI, before a medical device can connect to another device and transmit or receive information, each side presents a certificate issued by an authority the organization trusts and proves it holds the matching private key. That authentication ensures both devices are trusted—in other words, they’re not hackers, bots, or malicious servers—and a device with no certificate, or one the authority never issued, is refused before any data flows.
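The mutual authentication Nelson describes, as an added example in Go that is not from the article or from Digicert: a hospital-run CA issues identities to an infusion-pump controller and to a pump, the controller requires every connecting device to present a certificate chained to that CA, and the device in turn verifies the controller's certificate against the same CA before sending anything. The CA name, "infusion-controller", "pump-0042", the loopback listener and the "localhost" SAN are assumptions made for the demo, and issue, enroll and handshake are this example's own helpers rather than any API the article mentions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a P-256 key and certificate for subject, self-signed when parent is nil.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; production CAs use random ones
		Subject:               pkix.Name{CommonName: subject},
		DNSNames:              []string{"localhost"}, // the name the device checks on the controller (assumed)
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pki is the hospital's private device CA (a constructed one); only identities it signs are trusted.
type pki struct {
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
}

func newPKI() (*pki, error) {
	ca, key, err := issue("Hospital Device CA", true, nil, nil)
	return &pki{ca: ca, caKey: key}, err
}

// enroll issues a CA-signed identity for a device or a controller.
func (p *pki) enroll(name string) (tls.Certificate, error) {
	c, k, err := issue(name, false, p.ca, p.caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}, nil
}

// handshake runs a controller (server) that demands a CA-issued client certificate and connects
// as a device presenting client (nil = none); it returns the accepted identity or the refusal error.
func (p *pki) handshake(server tls.Certificate, client *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // controller verifies the device
		ClientCAs:    roots,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost"} // device verifies the controller
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	go func() { // device side: connect, then hold the session until the controller hangs up
		if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			conn.Read(make([]byte, 1))
			conn.Close()
		}
	}()
	conn, err := ln.Accept() // controller side
	if err != nil {
		return "", err
	}
	defer conn.Close()
	tc := conn.(*tls.Conn)
	if err := tc.Handshake(); err != nil { // fails when the client cert is absent or not CA-signed
		return "", err
	}
	return tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Call newPKI, enroll "infusion-controller" and "pump-0042", and handshake(controller, &pump) returns "pump-0042". A device that presents nothing, or a self-signed lookalike built with issue("pump-0042", false, nil, nil) and packed into a tls.Certificate, is refused: Go's client will not even offer a certificate whose issuer is not among the CAs the controller named, and the controller's handshake ends in an error rather than an identity. The check runs in both directions, which is the point Nelson makes: a rogue server cannot impersonate the controller either. Key storage, revocation and enrollment of real devices are outside the block; in a deployment the CA key lives in an HSM or an enrollment service, never in the controller process.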

Perhaps the best advice comes from someone on the front lines of medical attacks. At John Muir’s facilities, August segmented medical devices onto their own network, provided special protections for them there, and ensured that if the devices are hacked, the attack can’t jump from that segment to the larger network. In that way, medical records, for example, remain secure even if a medical IoT device is compromised.

In addition, August deployed “honeypots” to attract attackers that may break into the segmented network. Because no legitimate system has any reason to touch a honeypot, the first connection to one is an early warning that an attack is underway, so he can take measures to counter it. He also uses filtering rules and DNS controls to prevent any communication between medical devices and botnet controllers or other external threats.
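The segmentation, honeypot and DNS controls described in the two paragraphs above, as an added example in Go that is not John Muir Health's configuration or anything the article reproduces: one medical-device VLAN whose devices may reach only an allowlisted controller, PACS port and vendor gateway, must send all DNS through a filtering resolver that answers only allowlisted names, may never talk to each other, and never reach the Internet directly, plus a honeypot address inside the segment that raises an alert on first contact. Every address, port and domain, the key=value log format and the sample log are constructed for the example; Evaluate applies the rules in order, so the reason it returns names the rule that fired.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one connection attempt or DNS query as a firewall or resolver logs it.
type Flow struct {
	Src, Dst net.IP
	DPort    int
	QName    string // set on resolver records instead of Dst/DPort
}

// Policy is what one medical-device segment may talk to (all addresses are constructed).
type Policy struct {
	Segment  *net.IPNet      // the medical-device VLAN
	Honeypot net.IP          // decoy inside the segment; nothing legitimate ever contacts it
	Resolver net.IP          // the filtering resolver all device DNS must go through
	Allowed  map[string]bool // "ip:port" of controllers, PACS and vendor gateways
	Domains  []string        // DNS suffixes the resolver answers for devices
}

func HospitalPolicy() Policy {
	_, seg, _ := net.ParseCIDR("10.50.0.0/16")
	return Policy{
		Segment:  seg,
		Honeypot: net.ParseIP("10.50.255.250"),
		Resolver: net.ParseIP("10.20.1.53"),
		Allowed: map[string]bool{
			"10.20.1.10:104": true, // DICOM to the PACS / device controller
			"10.20.1.11:443": true, // vendor management gateway
			"10.20.1.53:53":  true, // the filtering resolver itself
		},
		Domains: []string{"pumpvendor.example", "hospital.example"},
	}
}

// ParseFlow reads a constructed "key=value ..." log line; a record needs a src and a dst or qname.
func ParseFlow(line string) (Flow, error) {
	var f Flow
	for _, kv := range strings.Fields(line) {
		switch k, v, _ := strings.Cut(kv, "="); k {
		case "src":
			f.Src = net.ParseIP(v)
		case "dst":
			f.Dst = net.ParseIP(v)
		case "dport":
			f.DPort, _ = strconv.Atoi(v)
		case "qname":
			f.QName = strings.ToLower(strings.TrimSuffix(v, "."))
		}
	}
	if f.Src == nil || (f.Dst == nil && f.QName == "") {
		return f, fmt.Errorf("unusable record %q", line)
	}
	return f, nil
}

// Evaluate returns "allow", "deny" or "alert" plus the rule that decided it;
// "alert" means block and page the SOC, since it is early warning of an intruder.
func (p Policy) Evaluate(f Flow) (action, reason string) {
	switch {
	case !p.Segment.Contains(f.Src):
		return "allow", "not from the medical segment; other policy applies"
	case f.QName != "":
		for _, d := range p.Domains {
			if f.QName == d || strings.HasSuffix(f.QName, "."+d) {
				return "allow", "lookup of an approved name"
			}
		}
		return "alert", "lookup outside the allowlist (possible C2 beacon): " + f.QName
	case f.Dst.Equal(p.Honeypot):
		return "alert", "honeypot touched: something in the segment is probing its neighbours"
	case f.DPort == 53 && !f.Dst.Equal(p.Resolver):
		return "deny", "DNS that bypasses the filtering resolver"
	case p.Segment.Contains(f.Dst):
		return "deny", "device-to-device traffic inside the segment (worm propagation path)"
	case p.Allowed[net.JoinHostPort(f.Dst.String(), strconv.Itoa(f.DPort))]:
		return "allow", "approved controller or service"
	case !f.Dst.IsPrivate():
		return "deny", "direct Internet egress from the medical segment"
	}
	return "deny", "not on the segment allowlist"
}

// SampleLog is constructed traffic from one pump (10.50.1.23) and one office PC.
var SampleLog = []string{
	"src=10.50.1.23 dst=10.20.1.10 dport=104",        // pump -> controller: allow
	"src=10.50.1.23 dst=10.20.1.53 dport=53",         // pump -> filtering resolver: allow
	"src=10.50.1.23 dst=8.8.8.8 dport=53",            // DNS bypass attempt: deny
	"src=10.50.1.23 dst=10.50.1.40 dport=445",        // SMB to a neighbouring device: deny
	"src=10.50.1.23 dst=10.50.255.250 dport=22",      // honeypot: alert
	"src=10.50.1.23 dst=203.0.113.7 dport=443",       // straight to the Internet: deny
	"src=10.50.1.23 qname=update.pumpvendor.example", // approved lookup: allow
	"src=10.50.1.23 qname=xk3q9.badc2.example",       // unknown name: alert
	"src=10.10.4.8 dst=203.0.113.7 dport=443",        // office PC, not this segment: allow
}
```

Parsing each line of SampleLog and passing it to HospitalPolicy().Evaluate yields allow, allow, deny, deny, alert, deny, allow, alert, allow: the pump reaching its controller and the resolver passes, the port-53 packet to 8.8.8.8 and the SMB attempt against a neighbouring pump are blocked (SMB between peers is the path a WannaCry-style worm takes across a flat network), the touch on the honeypot and the lookup of an unknown name both raise alerts, and the office PC is left to whatever policy governs its own segment. In a deployment the same rules live in the segment firewall and in the resolver's response policy; an evaluator like this is useful for replaying exported logs to confirm that what is deployed matches what was intended.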

August also plays hardball with manufacturers to force them to build cybersecurity into their devices. “We’ve implemented strict contractual cybersecurity terms with our vendors. We let them know that if they violate those terms, we will be reporting that to both the FDA and the FBI,” he says.

Finally, August says the healthcare industry needs to band together to make sure vendors make their devices safer, and lobby the government to get more serious about taking action to make sure medical devices are cybersecure.

Medical IoT device security: Lessons for leaders