
IoT Medical Devices a Major Security Worry in Healthcare, Survey Shows

Healthcare providers, manufacturers, and regulators say cybersecurity risks of IoT medical devices and connected legacy systems are a top concern.

Nearly one-third of IoT medical device manufacturers, healthcare organizations, regulators, and users cite identifying and addressing cybersecurity issues as their top concern when dealing with both network-connected medical devices and older legacy equipment, according to a Deloitte survey released today.

The survey, which queried more than 370 professionals tied to the IoT medical device industry, also found that 35.6% of these organizations experienced a cybersecurity incident in the past year. The number of attacks via IoT medical devices was not measured in the report.

The online poll was taken in May, less than two weeks after WannaCry swept through 150 countries and hit UK healthcare providers particularly hard.

"That type of attack [WannaCry] was just the tip of the iceberg. There will be other attacks that address these IoT devices," says Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte & Touche. He notes that all it will take is one major event where a patient is put at risk or dies to change the way IoT medical device makers and the healthcare industry prioritize IoT cybersecurity spending, rather than letting it take a backseat to capital spending and operating budget costs.

Part of the challenge is identifying which medical devices are attached to networks. "You can't secure and protect what you don't know," he says. "It's an asset management issue."

Driving this lack of visibility is a combination of tracking hordes of fielded devices that are currently in the market and in use, as well as legacy medical devices running outdated software that makes it difficult to inventory them in a systematic way, Jones adds.

Patrick Phelan, chief information security officer at the University of California San Francisco, agrees that tracking IoT devices in the medical field can be a huge challenge.

"The sheer number of connected devices - tens of thousands - makes asset-tracking challenging, complicated by the fact that many IoT devices move around the hospital, jumping from port to port or access point to access point," says Phelan.

UCSF Medical Center, for example, has nearly 1,000 licensed beds and last year handled 43,000 hospital admissions and 1.2 million outpatient visits. Phelan adds that UCSF has put a great deal of effort into building its inventory and classifying devices according to the risks they face, as well as the risks they potentially present.

"Using network segmentation to isolate and protect IoT devices is one of the most important things you can do," says Phelan. "At UCSF, our clinical technologies and IT departments are working closely on the problem."

He notes that medical devices present several security challenges to the industry. "Manufacturers can be slow to provide patches … Security basics are frequently overlooked: it's not uncommon to find medical devices using obsolete operating systems like Windows XP, insecure protocols, and simple passwords," he says. "Also, IoT medical devices have a longer lifecycle than most technology. A device designed [more than] 10 years ago probably didn't anticipate the threat landscape of 2017."

Tackling security for legacy IoT devices may be done through monitoring any abnormal behavior around the device, as well as developing an effective incident response plan, Deloitte's Jones says.

"I have seen incident response plans developed but they didn't do any war gaming or pressure testing to test the plan. That testing should be part of the plan," Jones says.

And while manufacturers may bear the brunt of responsibility for making legacy IoT devices secure, the newer IoT devices coming into the market have far more security capability built in, and the onus for maintaining that security has shifted to the healthcare providers, Jones observes.

"Asset management. That is the single thing most thing that they should do for cyber risk management," he says. "You want to narrow down the problem to where is the single biggest risk that will affect the largest number of people."

Playing Nice Together

Bringing substantial change to the cybersecurity of IoT devices in the medical industry will require collaboration among manufacturers, healthcare providers, and regulators, Jones notes.

IoT medical device manufacturers need to build cybersecurity into devices as they are being developed, and continue to support the devices during their lifecycle with updates and patches, Jones says. The healthcare industry, meanwhile, needs to provide input into product development discussions with manufacturers, and regulators can assist with drafting guidelines for solutions, he notes.

In December, the US Food and Drug Administration (FDA) issued its final guidance on how cybersecurity for medical devices should be handled once the devices leave the manufacturing plant. That document builds on the pre-market cybersecurity guidance the FDA finalized in 2014.

"The FDA has expanded the scope of its work in cybersecurity over the past several years. We have worked diligently to bring the healthcare community together to propose and implement shared solutions to addressing cybersecurity concerns," says Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.

She says the center identified medical device cybersecurity as a fiscal year 2017 regulatory science research priority, and that the FDA is focused on promoting the adoption of the guidelines throughout the medical device ecosystem.

"We also expect to see more and more manufacturers come to us this year with pre-submission meeting requests to include discussions about building cybersecurity controls into their devices. We welcome the interactions we'll be having this year to help the entire community move to a better place," she says.

Schwartz adds that addressing cybersecurity and public health takes input and effort from many stakeholders, and that proactive multi-stakeholder engagement is the cornerstone of the FDA's approach to addressing cybersecurity in medical devices.

The FDA's efforts, however, have received some mixed reactions. 

"The FDA has published solid pre- and postmarket cybersecurity guidance for manufacturers, but there are no hard compliance requirements," Phelan says. "The Diabetes Technology Society released a security standard (DTSec) for connected diabetes devices in 2016, and I'm hoping we'll see more independent device certifications like this in the future.

"The good news is that medical device security is getting a lot of exposure these days," he says.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...