Vulnerabilities / Threats

Healthcare Industry Lacks Awareness of IoT Threat, Survey Says

Three-quarters of IT decision makers report they are "confident" or "very confident" that portable and connected medical devices are secure on their networks.

Healthcare networks are teeming with IoT devices from glucometers to infusion pumps, but a study found that the majority of IT decision makers may be operating with a false sense of security regarding their ability to protect these devices from cyber attacks.

According to a survey of more than 200 healthcare IT decision makers, more than 90% of healthcare IT networks have IoT devices connected to the systems, according to a report released Wednesday by ZingBox.

"Typically you will see 10 to 15 IoT devices per bed in a hospital," says Xu Zou, CEO of ZingBox, defining a healthcare IoT device as anything that is portable and connected to the Internet.

But despite the large presence of these devices, the healthcare industry is largely operating under the assumption that traditional security measures for laptops and servers are fine for securing the medical Internet of Things, the report finds.

For example, 70% of survey participants give their seal of approval for using traditional security technology for medical IoT devices, and 76% say they are "confident" or "very confident" that these portable and connected medical devices are secure on their networks.

The difference in using traditional IT security verses IoT-specific security is that attackers' aim is to gain access to the portable devices, even though the payout of information could be greater if they attacked a server storing a database, Zou says.

"A lot of IoT medical devices are not protected and secure, so they are easier to gain access and control," Zou explains. "The attackers can control them and use them as a botnet."

This type of attitude may explain the recent results in a Ponemon Institute study, which found that while 67% of medical device makers expect an attack on their devices within the next 12 months, only 17% are taking significant steps to prevent it.

Mobile Security IoT's Answer?

Although there are number of similarities between mobile devices and medical "things," the security needs between the two are different, Zou says.

One of the key differences is that security patches and updates can be pushed to a mobile device, but the same is usually not the case for IoT medical devices that cannot receive software pushed to them, says Zou.

"You can push security software onto a laptop or server, but you can't do that with an infusion pump," he notes.

Additionally, medical devices that are used for direct patient care are heavily regulated by the Food and Drug Administration (FDA). As a result, a medical device maker may be hesitant to receive third-party software pushed to the device for fear it would nullify or affect the FDA certification it receives for its device, Zou says, noting the certification process can sometimes take five years or so to achieve.

As a result of these regulatory hoops, not one medical device maker uses third-party security software for their IoT devices, he says, adding that, according to Gartner, by 2020, 25% of attacks will be directly on the device.

"CISOs need to find a way to figure out how many IoT devices they have on their network," suggests Zou. "The No. 1 challenge is gaining visibility into this. You cannot protect what you can't see." 

Related Content: 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/4/2017 | 7:55:46 AM
Re: Confident? - One word answer
Merck.

Yeah, they were probably confident in April of this year - not so much anymore.  
AmmarA720
50%
50%
AmmarA720,
User Rank: Apprentice
8/3/2017 | 2:18:09 PM
decision makers report they are "confident", not any more
"Three-quarters of IT decision makers report they are "confident" or "very confident"

Hearing about all the security issues we deal with it is very hard to say "very confident", all the hits only adding more limitation to the potential design of a product.
PramodV715
100%
0%
PramodV715,
User Rank: Apprentice
8/1/2017 | 11:58:25 PM
You cannot protect what you can't see
Absolutely agree. Today in this world we have 30 billion web pages and more than 1 million mobile apps - Lord knows how secure these are or what kind of harm they cause discreetly.

Especially when it comes to health, it scares me! Big giants like IBM, CISCO may eventually find a way to make them secure but the question is are they reachable to the common man?
matisstar
100%
0%
matisstar,
User Rank: Apprentice
7/26/2017 | 3:16:12 AM
Re: Health Care is Unhealthy IT
the health care profession is in the best position to implement a healthier work environment among its employees, because it is the health professionals who are telling the rest of us how to eat, exercise, decrease stress, and live more balanced lives.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/25/2017 | 3:44:49 PM
Health Care is Unhealthy IT
When I had my managed services business in 2014, several of my worst clients were health care - doctors, dentists and they had abysmal appreciation of IT in general, security in particular even though HIPPA ruled their lives.  My best advise was mostly ignored and some hated to pay me as well.  Worst clients of the lot.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:08:19 AM
AI in security
 

"The No. 1 challenge is gaining visibility into this. You cannot protect what you can't see."

I agree with this, that is why we need AI in monitoring of security vulnerabilities I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:05:48 AM
Is it IOT?
 

"One of the key differences is that security patches and updates can be pushed to a mobile device, but the same is usually not the case for IoT medical devices that cannot receive software pushed to them"

If this is the case, should we still consider it IoT?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:03:29 AM
door bell security
 

"A lot of IoT medical devices are not protected and secure, so they are easier to gain access and control,"

This makes sense, most of IoT devices is designed to get a simple task done, not giving enough attention of security of it. Like let's assume, my door bell is hacked and ringed may times at night. That is all damage it can cause.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:00:09 AM
IoT
 

"Typically you will see 10 to 15 IoT devices per bed in a hospital"

So everything connected is IoT any more, I was always considering those small devices we use. A car is also portable but I do not think anything consider it IoT.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 9:56:54 AM
Confident?
 

"Three-quarters of IT decision makers report they are "confident" or "very confident""

Confident? This shows a disconnect, once they get hit there will not be any evidence of confidence in their mind.

 
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15380
PUBLISHED: 2019-02-20
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster serv...
CVE-2019-3474
PUBLISHED: 2019-02-20
A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-3475
PUBLISHED: 2019-02-20
A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-10030
PUBLISHED: 2019-02-20
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10030
PUBLISHED: 2019-02-20
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anoth...