The Telehealth Attack Surface

Amid the surge in digital healthcare stemming from the coronavirus pandemic, security is taking a backseat to usability.

Justine Bone, CEO, MedSec

June 10, 2020

6 Min Read

Telehealth and telemedicine face numerous cyber threats. Currently, healthcare providers, medical device makers, and telehealth platform providers rely on a myriad of regulations and sources of guidance, including HIPAA, the Department of Health and Human Services, and Food and Drug Administration regulations and general cybersecurity best practices to manage these services. However, these regulations do not anticipate the full range of threats that can occur inside the insecure network environment of a patient's home. Additionally, many of these platforms have been deployed quickly during the pandemic and allowed to bypass existing regulations, which further exacerbates the risk environment for these services.

A new federal effort is underway to address this deficiency. The National Cybersecurity Center of Excellence (NCCoE) and National Institute of Standards and Technology (NIST) recently began working with leading industry vendors and subject matter experts to undertake a comprehensive analysis of telemedicine services to map out the attack surface, identify the key potential points of failure, and devise new telemedicine cybersecurity standards for the industry to follow. This process is still in the early stages, but once completed it will be an effective road map for healthcare providers and technology developers as telemedicine use expands.

In the meantime, let's examine the key area of risks related to these digital services.

Human Endpoints: Patients and Doctors
Digital healthcare services have a broad attack surface, ranging from the online platforms to the healthcare providers, third-party tools, and services such as cloud storage and VPNs, remotely accessible medical devices, and the patients' own home networks. However, the most likely point of a security breakdown is at the two human endpoints: patients and doctors. In the latter case, many doctors may not be receiving sufficient security training for the telehealth platforms they are expected to use. Basic security measures such as two-factor authentication and session timeouts can be an obstacle or inconvenience, which could lead some medical practitioners to ask the IT department to disable them. Additionally, given the rapid rollout of telehealth during this pandemic, there is a significant possibility that some doctors will use their own personal laptops or cellphones to carry out virtual consults.

On the patient side, the situation is more complex. Many of the current cybersecurity standards upon which healthcare providers rely are best suited for a protected network environment, such as a hospital or medical office. Patient homes are just the opposite. Healthcare providers are sharing sensitive data through an insecure network with multiple users, and with other endpoints that are very susceptible to compromise by malware, including general Internet of Things devices and connected appliances. Unlike remote employees, healthcare providers cannot require patients to take security precautions such as tunneling traffic through a VPN or adding a device firewall. Therefore, telehealth and telemedicine services face a considerable challenge in trying to keep data secure as it travels through this high-risk environment.

Portable Medical Devices
Remote medical devices also pose unique challenges. In addition to operating within an unprotected patient home network, the devices themselves are more vulnerable to attack because they are resource limited and patients have unmonitored, unrestricted physical access to them. Unlike large devices such as MRI machines, the small portable medical devices that end up inside patient homes — such as an insulin pumps or heart monitoring systems — have limited processing power, data storage, and battery life. As a result, cybersecurity solutions that we would otherwise turn to, such as strong authentication and encryption, may not be suitable options for those devices. They may also lack the form factor needed for other basic security steps — such as password protection — as they often lack a display screen and keypad.

Privacy Risk vs. Disruptive Attacks
Cyberattacks on the healthcare industry have been a problem for years but the COVID-19 outbreak has exacerbated many of these risks, particularly when it comes to ransomware. However, despite the fact that these disruptive attacks are increasing, the healthcare industry has remained largely focused on the issue of patient privacy in order to prevent information theft or accidental exposures. The same is also true with telehealth and telemedicine. In the emerging field of digital healthcare, providers are mostly concerned with privacy risks while not fully accounting for other types of attacks such as device ransomware and the deliberate disruption or sabotage of services. Internet-connected medical devices provide a unique attack vector, one that could be exploited to cause significant harm to patients.

Although targeted attacks on patients are certainly possible, they are unlikely. What is more realistic is that criminals will target the back-end infrastructure and third-party technology ecosystems that support telehealth and telemedicine services in order to gain scale and access to large datasets of highly monetizable information. These targets could include telehealth web application servers, third-party support services, back-end servers for remote medical devices, and hospital networks. The increasing number of attacks on consumer-grade Wi-Fi routers could also be used to compromise health services, whether intentionally or unintentionally, by criminal actors.

Next Steps
In the haste to roll out telehealth services, some traditional security processes have been skipped or streamlined in order to reduce the time to market. This has raised the level of risk for these services. It is important for service providers to address these issues by going back and applying security hardening and turning on key security features. Cybersecurity protections like end-to-end encryption, strong access authentication, multifactor authentication, and active monitoring are all essential must-haves. However, these are not always realistic in certain areas of telemedicine, particularly when it comes to the use of smaller Internet-connected medical devices for remote patient monitoring. For these devices, other security measures need to be investigated, including firmware-based defenses and hardware-level safety controls, which can prevent the devices from being forced by an attacker to act in an unsafe manner.

The NCCoE program is a critical first step in defining the full scope of risks and threats related to telehealth services. It will also play an important role in improving patient health and security.

Related Content:





Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register

About the Author(s)

Justine Bone

CEO, MedSec

Justine Bone is CEO of MedSec, a cybersecurity company which is exclusively focused on the healthcare industry, including hospitals and medical device manufacturers. MedSec is serving as a subject matter expert for the NCCoE/NIST Securing Telehealth Remote Patient Monitoring Ecosystem program. Justine is the former CISO of Dow Jones, global head of risk management at Bloomberg LP and CEO of Immunity Inc. (acquired by Cyxtera). She also served as a vulnerability researcher and exploit developer at IBM X-Force. She is a member of HP's Security Advisory Board and a member of Black Hat USA's guest review board.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights