Davey Winder: securing the Internet of Medical Things
- 31 May 2016
The healthcare sector turns conventional security thinking on its head; instead of seeing security as vital to service delivery, patient care is understandably the top priority.
That's not to say that cyber security isn't factored in; but if it becomes a limiting factor in delivering that care in a timely fashion then it's in danger of being factored straight back out again.
It's a conflict that healthcare management has managed to juggle pretty well, truth be told, but that could all be about to change. And the catalyst is the Internet of Medical Things.
The borderless network paradigm shift
It's relatively easy to secure things from the perimeter. It is far less easy to secure 'things' that extend beyond fixed network architectures.
Start throwing myriad connected devices into the healthcare equation and pretty quickly you end up with a new borderless network perimeter paradigm that cannot be adequately defended without a paradigm shift.
This borderless network, often spread across multiple locations – and which could even include a patient’s home – comprises everything from wearable devices such as personal glucose monitors and fitness trackers, through to IV pumps.
Also, heart monitors in the hospital or clinic itself, right up to network connected medical imaging devices. When you incorporate the broader mobile health environment of tablet and smartphone based applications into your threatscape view, the sheer scale of the problem starts to become apparent.
Trouble is… that scale is nothing compared to what it will become. One report from Cisco, which recently spent more than a billion dollars acquiring an Internet of Things software management company, suggests that the UK IoT market will be worth £48.5 billion across the next decade.
Cisco says that healthcare will drive that market, with chronic disease management and lifestyle-related disease prevention tools leading the charge.
It's the software, stupid
All of these devices will be networked in order to deliver on the patient care promise, and that's where the software involvement comes in – along with the risk.
This software is where vulnerabilities are most likely to exist – and will be exploited if discovered. Whether the software is a Commercial off the Shelf product or hung off of a legacy operating system such as Windows XP is irrelevant.
What matters is that these devices probably haven't been designed with security in mind from the bottom up.
As such they become insecure endpoints – very insecure endpoints in fact. Most IoMT devices will have a primary function of feeding data back into a centralised system, often via 'the cloud', and both of these are favoured targets of the bad guys.
It’s not that cybercriminals will be after the results of that glucose monitoring or blood pressure reading exercise; but they will see IoMT devices as a weak link, providing an easy ride into the healthcare information systems where profitable data resides.
From hyperbole to hospital floor
That's bad enough, but what if the oft-overhyped nightmare scenario of holding patient health to ransom via hacked IoMT devices becomes a reality?
Researchers have already demonstrated how easy it can be to gain access to, and ultimately control certain connected insulin pumps, for example.
Billy Rios is the researcher responsible for discovering the insulin pump hack, and he also remotely installed a game of Donkey Kong on a machine that controls the delivery of radiation to a patient.
Rios has gone on record to say that he's not walked away from any medical device he's investigated without discovering at least one serious issue.
One device, Rios says, "literally had over 4,000 vulnerabilities." If these are – and they are – software hacks, then what's the problem you may wonder – it's just a matter of patching the software to fix it, right?
Well, right – apart from the fact that many IoT devices are only patchable by the manufacturer. If at all.
Device manufacturers are taking notice, and thanks to high-profile media reporting of the kind of problems illustrated by Rios and others they are removing the vulnerabilities in newer models.
But that doesn't mean that new vulnerabilities won't be found, or that older models already in situ are safe or will be replaced; which leaves the onus on the healthcare provider to make sure the devices it employs are secured.
A complex conversation is long overdue
Unfortunately, while healthcare networks can be given a measure of protection at the edge and around connected devices, dealing with the inherent vulnerabilities is not so easy.
The problem is far from simple. Indeed, I appreciate that the conversation regarding securing the IoMT is a complex one – but it's a conversation that needs to be had urgently.
Until medical devices have security baked into software from the design process up, and some kind of accepted standardisation for secure data exchange between them and health information systems exists, the Internet of Medical Things is in danger of becoming the Android marketplace of healthcare hardware.
That means: dangerously fragmented and, in the absence of any legislative incentive, dangerously apathetic to the risk it represents.
Davey Winder
|