The United States Health Sector Cybersecurity Coordination Center recently published a startling report about cybersecurity in healthcare. It indicates the healthcare industry suffers increased vulnerabilities due to the growing use of Internet of Things (IoT) devices and related apps.
The August 2022 report is an update to the “Health Sector Cybersecurity: 2021 Retrospective and 2022 Look Ahead” issued in March 2022. In the update, the Cybersecurity Coordination Center placed a strong emphasis on private and public healthcare businesses improving their defenses and assessing the risk of using convenient and commonplace IoT technologies. In an effort to warn industry leaders and professionals across the healthcare IT landscape, the advisory highlights specific strategies that garden-variety hackers and advanced persistent threats are using to infiltrate networks and steal valuable digital assets.
In our September article, “Cyberattacks in Healthcare: New Report Highlights Security Concerns of IoT Technology”, you learned about the troubling history of cyberattacks. The overview noted, “The healthcare industry ranks among the Top 5 most attacked business sectors year-over-year. That’s largely because hackers have successfully stolen Protected Health Care Information (PHI) assets and garnered the highest profits.”
Having laid a foundation regarding the crisis of cybersecurity in healthcare, we now turn our attention to key IoT takeaways from the August 2022 report and delve into 6 ways you can better protect your business and patients’ Personally Identifiable Information (PII).
What is IoT and Its Place in Cybersecurity for Healthcare Organizations?
The IoT is a catch-all term used to describe a vast network of physical technologies that are found in sensors and software. Their loosely connected purpose is to improve the flow of information across interconnected networks, devices, and businesses. Despite the global semiconductor chip shortages we hear about in the mainstream media, an industry report points to substantial IoT growth.
“Both the 2021 actuals and the current 2025 forecast for IoT devices are lower than previously estimated. (The previous estimate for 2021 was 12.3 billion connected IoT devices; the previous forecast for 2025 was 27.1 billion connected IoT devices),” according to IoT Analytics. The State of IoT 2022 report predicts that “In 2022, the market for the Internet of Things is expected to grow 18% to 14.4 billion active connections. It is expected that by 2025, as supply constraints ease and growth further accelerates, there will be approximately 27 billion connected IoT devices.” Although IoT production may be hamstrung by the supply chain and post-pandemic disruptions, the number of sometimes unaccounted-for devices synced to healthcare IT networks is headed for staggering growth. And once the production and flow of semiconductors ramp up, those numbers could surge even higher. The rise in IoT devices has not gone unnoticed by cybercriminals. These technologies are likely to suffer vulnerabilities that allow sophisticated hackers to breach healthcare IT systems that otherwise possess robust defenses.
It’s important to understand that IoT poses a cybersecurity risk not only to healthcare organizations. These devices are present in everything from your friendly Amazon Echo to “smart” appliances and washing machines. The ubiquitous nature of IoT technologies places every sector at risk. But your healthcare organization is a primary target due to the treasure trove of digital assets your networks house and transmit. These include healthcare policy numbers, PHI, credit cards, bank accounts, and highly confidential PII that could be exploited. The information collected by your IoT devices adds to that value in the eyes of hackers. According to a Deloitte report, “Today, entire business models are launched on the idea of tight collaboration between organizations – and data is often the glue holding them together, propelling companies to invest significantly in customer analytics capabilities to discover new value streams for their customer.” The report explains, “These collaborations are taking advantage of an exceptionally broad portfolio of data types — not just device and system data, but everything from employee rosters and inventory records to non-traditional data types such as facial recognition data, facilities access data, industrial control system data, to name just a few. For many, this is uncharted territory, and along the way, data governance has failed to keep pace.”
3 Key Takeaways on IoT Devices from the Health Sector Cybersecurity Report
As our September overview points out, cyberattacks on healthcare organizations date back to 1989 when the “AIDS Trojan” ransomware attack was launched on 20,000 floppy discs. Given hackers were manipulating the technology of the day during the 1980s, it should come as no surprise the rise of IoT has cybercriminals’ fingerprints all over it. The recent cybersecurity update points to the following three areas as particularly alarming.
Be Ready for the Next Cyberattack
Download our free guide on staying protected from ransomware.
1. Cybercriminals Leverage IoT Devices for Large-Scale “Denial of Service” Attacks
A Denial-of-Service (DoS) attack, or in its larger form a Distributed Denial of Service (DDoS) attack, resembles a ransomware scenario in one respect: you and your staff are prevented from accessing the healthcare operation’s data, network resources, and devices. A threat actor effectively blocks legitimate network users from email, internet platforms, bank accounts, and digital assets connected to the system.
This nefarious scheme is accomplished by flooding your healthcare IT network with more traffic than it can handle. Your systems may crash, and hackers understand that DoS attacks cost healthcare companies valuable time and a lot of money.
Cybercriminals have taken note that healthcare organizations are utilizing IoT devices that are not necessarily secure. When staff members link things like fitness trackers to a device that can access your network, that may open a door for hackers to deposit malware and orchestrate a DoS Attack. As a July article in Threat Post called “IoT Botnets Fuel DDoS Attacks – Are You Prepared” points out: “The increased proliferation of IoT devices has become an attractive target for attackers.”
2. IoT Devices Used for Man-in-the-Middle Attacks
A Man-in-the-Middle (MitM) Attack involves an online criminal intercepting electronic communications between two or more parties. This is often done by stealing a legitimate network user’s login credentials. Once a hacker can log in as if they were a legitimate healthcare professional, they can covertly monitor emails, text messages, and PHI documents in the system.
The endgame may revolve around spying to gain valuable knowledge, such as trade secrets or how to access financial accounts. In some cases, the hacker may seek revenge and sabotage the healthcare company’s vital records. For example, the Boston Children’s Hospital was the victim of a 2014 cyberattack from a man who sought retribution.
3. Users Often Fail to Change IoT Devices’ Factory and Default Settings
Device manufacturers are not necessarily in the cybersecurity business, though they usually pass along instructions about changing passwords and usernames. Keep in mind that many IoT devices are akin to the smartphones, iPads, laptops, and other technologies targeted by hackers. Unfortunately, everyday users view fun and convenient devices as harmless.
According to a piece on Techvice, “The ease of IoT platforms use leads users to perceive these devices as ordinary household appliances and don’t delve into the instructions or think about changing the default settings.”
Cybersecurity thought leaders routinely point out that IoT devices are plagued by weak, hardcoded passwords that even a low-level hacker could guess. And the devices are too often rife with inherent vulnerabilities. Adding insult to injury, healthcare organizations generally gloss over the fact that IoT devices are at least loosely connected to their network. That’s because the consensus is they are just gadgets.
Cybersecurity Coordination Center Recommends Preventive Actions
If you take nothing else from this article, please take these words from the Cybersecurity Coordination Center seriously, “Any device connected to the internet has the potential to be hacked and the Internet of Things is no exception. A compromise of these devices could lead to devastating damage, including tampering with traffic lights, shutting down home security systems, and damage to human life. Since these devices can collect data, including personally identifiable information it is important to secure these systems.” Ultimately, the goal is to protect the entire system, but there are steps that can be taken to help accomplish this.
Here are 6 ways to protect your business and patients when it comes to your focus on cybersecurity in healthcare:
1. Reconsider the Structure of Your Network
The so-called “flat” network is designed to minimize cost by reducing the number of routers and switches. This remains a common budgetary approach to healthcare IT among small businesses as well as remote workforces. However, flat networks are considered more vulnerable to cyberattacks, because every device on them can reach every other device. Add IoT devices such as smart home technology in the homes of remote healthcare staff members, and hackers could be champing at the bit. If you have IoT devices connected to your network, it’s important to conduct regularly scheduled server health checks.
Consider working with a cybersecurity firm that possesses expertise in segmented networks. Segmentation reduces a hacker’s attack surface: if an IoT device is compromised, it does not automatically provide a pathway to all the PHI and PII you have stored.
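As an added illustration (not part of the original article or the Cybersecurity Coordination Center report), the following Python script shows how a defender can use flow logs to spot the two problems discussed above: an IoT device that is fanning out connections to many external hosts, which is what a device recruited into a DDoS botnet looks like from the inside, and any IoT-segment traffic crossing into the clinical segment that holds PHI, which a segmented network should never allow. The VLAN address ranges, the flow-record format, and the sample records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic): "timestamp src dst dst_port proto"
SAMPLE_FLOWS = """\
1 10.20.0.15 203.0.113.7 80 tcp
2 10.20.0.15 203.0.113.8 80 tcp
3 10.20.0.15 203.0.113.9 80 tcp
4 10.20.0.15 203.0.113.10 80 tcp
5 10.20.0.15 203.0.113.11 80 tcp
6 10.20.0.15 203.0.113.12 80 tcp
7 10.20.0.22 10.10.0.5 445 tcp
8 10.20.0.30 198.51.100.4 443 tcp
9 10.10.0.5 10.10.0.9 1433 tcp
"""

# Assumed segment layout: IoT devices on one VLAN, clinical/PHI systems on another.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PHI_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)  # everything else counts as external


def parse_flows(text):
    """Parse whitespace-separated flow records into (ts, src, dst, port, proto) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split()
        flows.append((int(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port), proto))
    return flows


def analyze(flows, fanout_threshold=5):
    """Return alerts for IoT hosts that reach the PHI segment or fan out to many external hosts."""
    alerts = []
    external_targets = defaultdict(set)
    for _ts, src, dst, port, _proto in flows:
        if src not in IOT_SEGMENT:
            continue  # only IoT-originated traffic is of interest here
        if dst in PHI_SEGMENT:
            # Segmentation violation: an IoT device should have no path to PHI systems.
            alerts.append(("segmentation_violation", str(src), str(dst), port))
        elif not any(dst in net for net in INTERNAL_NETS):
            external_targets[src].add(dst)
    for src, targets in external_targets.items():
        if len(targets) >= fanout_threshold:
            # Many distinct external destinations from one device: botnet/DDoS indicator.
            alerts.append(("outbound_fanout", str(src), len(targets), None))
    return sorted(alerts, key=lambda a: (a[0], a[1]))
```

In production the same logic would read NetFlow or firewall logs and tune `fanout_threshold` to each device class's normal behaviour.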
2. Change Your Passwords Regularly
The call to change passwords on a regularly scheduled basis continues to prove one of the best defenses against getting hacked. Think of this action as one of the easiest proactive IT steps you can take to protect your business. Persistent cybercriminals with above-average hacking skills may target your employees with email phishing schemes to get information. It’s not uncommon for them to troll professional networking platforms such as LinkedIn or social media profiles for password clues. Using strong passwords and changing them frequently is a tried-and-true defense.
3. Modify IoT Factory Settings
Chances are that a hacker will take a run at your devices after learning the factory settings and default passwords. By promptly replacing the defaults with settings and passwords of your own, you deny hackers a critical advantage. Take a minute or two right now to think about the IoT devices at home or in the office that haven’t been updated and make a plan to take care of this in the next 24 hours. It’s never too late to improve your cybersecurity posture, and planning regularly scheduled updates provides even more protection.
4. Avoid Universal “Plug and Play”
Universal Plug and Play (UPnP) is a set of protocols that lets devices on a network discover and communicate with each other automatically. This protocol appears to remove otherwise tedious setup tasks. But the same UPnP-enabled IoT devices that are open to you may also be reachable by hackers.
5. Implement Zero-Trust Network Protocols
It’s important for healthcare employers to understand that zero-trust access to your network has nothing to do with how much you value staff members. Although the policy’s name sounds as if shifty people are on the payroll, it is designed to minimize the impact of a data breach.
Zero-trust involves limiting each user’s access to only the data and parts of the network they require to complete their tasks. Should their login credentials become compromised, the hacker is limited in the same way. Cybercriminals are relentlessly targeting healthcare IT, and a zero-trust program can greatly minimize the damage caused by an IoT-related breach.
6. Be Situationally Aware
Although you cannot predict when a cyberattack will be leveled against your organization, healthcare industry leaders can conduct some due diligence. Consider the value a hacker might place on certain digital assets. Ask yourself if they could be sold on the Dark Web, used as leverage, or compromise your patients. In other words, take a moment and think like a cybercriminal. It may be prudent to store high-value assets in a more secure area out of harm’s way. One way to plan for this is to work with a Managed Services Provider (MSP) that will work with you to create an action plan.
The key to protecting your data is to stay a step ahead of cybercriminals. By understanding how seemingly harmless IoT devices can be used as hacking tools, you are seeing a greater portion of the cybersecurity landscape. By taking proactive measures to close this door into your network, you will have hardened your defenses and protected information and people from cybercriminals.
If you’re concerned about how IoT devices may impact your IT environment and sensitive data, let’s get together to review your current cybersecurity strategy and create an action plan for your specific needs.