Justine Bone

The Telehealth Attack Surface

Amid the surge in digital healthcare stemming from the coronavirus pandemic, security is taking a backseat to usability.

Telehealth and telemedicine face numerous cyber threats. Currently, healthcare providers, medical device makers, and telehealth platform providers rely on a myriad of regulations and sources of guidance to manage these services, including HIPAA, Department of Health and Human Services and Food and Drug Administration regulations, and general cybersecurity best practices. However, these regulations do not anticipate the full range of threats that can occur inside the insecure network environment of a patient's home. Additionally, many of these platforms have been deployed quickly during the pandemic and allowed to bypass existing regulations, which further exacerbates the risk environment for these services.

A new federal effort is underway to address this deficiency. The National Cybersecurity Center of Excellence (NCCoE) and National Institute of Standards and Technology (NIST) recently began working with leading industry vendors and subject matter experts to undertake a comprehensive analysis of telemedicine services to map out the attack surface, identify the key potential points of failure, and devise new telemedicine cybersecurity standards for the industry to follow. This process is still in the early stages, but once completed it will be an effective road map for healthcare providers and technology developers as telemedicine use expands.

In the meantime, let's examine the key areas of risk related to these digital services.

Human Endpoints: Patients and Doctors
Digital healthcare services have a broad attack surface, ranging from the online platforms to the healthcare providers, third-party tools, and services such as cloud storage and VPNs, remotely accessible medical devices, and the patients' own home networks. However, the most likely point of a security breakdown is at the two human endpoints: patients and doctors. In the latter case, many doctors may not be receiving sufficient security training for the telehealth platforms they are expected to use. Basic security measures such as two-factor authentication and session timeouts can be an obstacle or inconvenience, which could lead some medical practitioners to ask the IT department to disable them. Additionally, given the rapid rollout of telehealth during this pandemic, there is a significant possibility that some doctors will use their own personal laptops or cellphones to carry out virtual consults.

On the patient side, the situation is more complex. Many of the current cybersecurity standards upon which healthcare providers rely are best suited for a protected network environment, such as a hospital or medical office. Patient homes are just the opposite. Healthcare providers are sharing sensitive data through an insecure network with multiple users, and with other endpoints that are very susceptible to compromise by malware, including general Internet of Things devices and connected appliances. Unlike remote employees, healthcare providers cannot require patients to take security precautions such as tunneling traffic through a VPN or adding a device firewall. Therefore, telehealth and telemedicine services face a considerable challenge in trying to keep data secure as it travels through this high-risk environment.

Portable Medical Devices
Remote medical devices also pose unique challenges. In addition to operating within an unprotected patient home network, the devices themselves are more vulnerable to attack because they are resource limited and patients have unmonitored, unrestricted physical access to them. Unlike large devices such as MRI machines, the small portable medical devices that end up inside patient homes — such as insulin pumps or heart monitoring systems — have limited processing power, data storage, and battery life. As a result, cybersecurity solutions that we would otherwise turn to, such as strong authentication and encryption, may not be suitable options for those devices. They may also lack the form factor needed for other basic security steps — such as password protection — as they often have no display screen or keypad.

Privacy Risk vs. Disruptive Attacks
Cyberattacks on the healthcare industry have been a problem for years, but the COVID-19 outbreak has exacerbated many of these risks, particularly when it comes to ransomware. However, despite the fact that these disruptive attacks are increasing, the healthcare industry has remained largely focused on the issue of patient privacy in order to prevent information theft or accidental exposures. The same is true of telehealth and telemedicine. In the emerging field of digital healthcare, providers are mostly concerned with privacy risks while not fully accounting for other types of attacks, such as device ransomware and the deliberate disruption or sabotage of services. Internet-connected medical devices provide a unique attack vector, one that could be exploited to cause significant harm to patients.

Although targeted attacks on patients are certainly possible, they are unlikely. What is more realistic is that criminals will target the back-end infrastructure and third-party technology ecosystems that support telehealth and telemedicine services in order to gain scale and access to large datasets of highly monetizable information. These targets could include telehealth web application servers, third-party support services, back-end servers for remote medical devices, and hospital networks. The increasing number of attacks on consumer-grade Wi-Fi routers could also be used to compromise health services, whether intentionally or unintentionally, by criminal actors.

Next Steps
In the haste to roll out telehealth services, some traditional security processes have been skipped or streamlined in order to reduce the time to market. This has raised the level of risk for these services. It is important for service providers to address these issues by going back and applying security hardening and turning on key security features. Cybersecurity protections like end-to-end encryption, strong access authentication, multifactor authentication, and active monitoring are all essential must-haves. However, these are not always realistic in certain areas of telemedicine, particularly when it comes to the use of smaller Internet-connected medical devices for remote patient monitoring. For these devices, other security measures need to be investigated, including firmware-based defenses and hardware-level safety controls, which can prevent the devices from being forced by an attacker to act in an unsafe manner.
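To make the "hardware-level safety controls" point concrete, here is an added illustration (not code from the article or from MedSec, and not any real pump's protocol): a firmware safety envelope for a hypothetical remote-controlled dosing device. The dose limits, interval and interlock check are constructed placeholders; the principle shown is that the firmware enforces the envelope regardless of what the network link or app requests, so even an authenticated or spoofed command cannot drive the device outside its safe operating range.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical safety envelope (constructed values, not clinical guidance). */
#define MAX_SINGLE_DOSE_UNITS   10u   /* largest dose one command may deliver */
#define MAX_DOSE_PER_HOUR_UNITS 25u   /* rolling hourly ceiling */
#define MIN_INTERVAL_SECONDS    300u  /* minimum spacing between doses */
#define WINDOW_SECONDS          3600u

typedef struct {
    uint32_t last_dose_time;   /* seconds; 0 = never dosed */
    uint32_t window_start;     /* start of current hourly accounting window */
    uint32_t units_this_hour;  /* units delivered in the current window */
} dose_state_t;

typedef enum {
    DOSE_OK = 0,
    DOSE_REJECT_SINGLE,   /* command exceeds the per-dose limit */
    DOSE_REJECT_RATE,     /* too soon after the previous dose */
    DOSE_REJECT_HOURLY,   /* would exceed the hourly ceiling */
    DOSE_REJECT_HW        /* hardware interlock (e.g. occlusion sensor) not clear */
} dose_result_t;

/* Hypothetical read of a physical interlock; a real device would sample a sensor. */
static bool hw_interlock_ok(void) { return true; }

/* Every dose command, whatever its source, passes through this check.
 * The ordering matters: limits are evaluated before any state is updated,
 * so a rejected command leaves the accounting untouched. */
dose_result_t apply_dose_command(dose_state_t *st, uint32_t now, uint32_t units)
{
    if (units == 0 || units > MAX_SINGLE_DOSE_UNITS)
        return DOSE_REJECT_SINGLE;
    if (st->last_dose_time != 0 && now - st->last_dose_time < MIN_INTERVAL_SECONDS)
        return DOSE_REJECT_RATE;
    if (now - st->window_start >= WINDOW_SECONDS) {   /* roll the hourly window */
        st->window_start = now;
        st->units_this_hour = 0;
    }
    if (st->units_this_hour + units > MAX_DOSE_PER_HOUR_UNITS)
        return DOSE_REJECT_HOURLY;
    if (!hw_interlock_ok())
        return DOSE_REJECT_HW;
    st->units_this_hour += units;   /* commit only after every check passed */
    st->last_dose_time = now;
    return DOSE_OK;
}
```

The same pattern applies to any actuator a remote-monitoring device exposes: the firmware owns the limits, and the telehealth back end only ever requests actions within them.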

The NCCoE program is a critical first step in defining the full scope of risks and threats related to telehealth services. It will also play an important role in improving patient health and security.


Justine Bone is CEO of MedSec, a cybersecurity company which is exclusively focused on the healthcare industry, including hospitals and medical device manufacturers. MedSec is serving as a subject matter expert for the NCCoE/NIST Securing Telehealth Remote Patient Monitoring ...

6/18/2020 | 9:57:28 AM
The next frontier?
Interesting article. So much attention on telehealth these days, haven't heard much, yet, about security risks. 