Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

IoT Medical Devices a Major Security Worry in Healthcare, Survey Shows

Healthcare providers, manufacturers, and regulators say cybersecurity risks of IoT medical devices and connected legacy systems a top concern.

Nearly one-third of IoT medical device manfacturers, healthcare organizations, regulators, and users cite identifying and addressing cybersecurity issues as their top concern when dealing with both network-connected medical devices and older legacy equipment, according to a Deloitte survey released today.

The survey, which queried more than 370 professionals tied to the IoT medical device industry, also found that 35.6% of these organizations experienced a cybersecurity incident in the past year. The number of attacks via IoT medical devices was not measured in the report.

The online poll was taken in May, less than two weeks after WannaCry swept through 150 countries and hit UK healthcare providers particularly hard.

"That type of attack [WannaCry] was just the tip of the iceberg. There will be other attacks that address these IoT devices," says Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte & Touche. He notes that all it will take is one major event where a patient is put at risk or dies to change the way IoT medical device-makers and the healthcare industry prioritize IoT cybersecurity spending versus taking a backseat to capital spending and operating budget costs.

Part of the challenge is identifying which medical devices are attached to networks. "You can't secure and protect what you don't know," he says. "It's an asset management issue."

Driving this lack of visibility is a combination of tracking hordes of fielded devices that are currently in the market and in use, as well as legacy medical devices running outdated software that makes it difficult to inventory them in a systematic way, Jones adds.

Patrick Phelan, chief information security officer at the University of California San Francisco, agrees that tracking IoT devices in the medical field can be a huge challenge.

"The sheer number of connected devices - tens of thousands - makes asset-tracking challenging, complicated by the fact that many IoT devices move around the hospital, jumping from port to port or access point to access point," says Phelan.

UCSF Medical Center, for example, has nearly 1,000 licensed beds and last year handled 43,000 hospital admissions and 1.2 million outpatient visits. Phelan adds that UCSF has put a great deal of effort into building its inventory and classifying devices according to the risks they face, as well as potentially present.

"Using network segmentation to isolate and protect IoT devices is one of the most important things you can do," says Phelan. "At UCSF, our clinical technologies and IT departments are working closely on the problem."

He notes that medical devices present several security challenges to the industry. "Manufacturers can be slow to provide patches … Security basics are frequently overlooked: it's not uncommon to find medical devices using obsolete operating systems like Windows XP, insecure protocols, and simple passwords.," he says. "Also, IoT medical devices have a longer lifecycle than most technology. A device designed [more than] 10 years ago probably didn't anticipate the threat landscape of 2017."

Tackling security for legacy IoT devices may be done through monitoring any abnormal behavior around the device, as well as developing an effective incident response plan, Deloitte's Jones says.

"I have seen incident response plans developed but they didn't do any war gaming or pressure testing to test the plan. That testing should be part of the plan," Jones says.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

And while manufacturers may bear the brunt of responsibility for making legacy IoT devices secure, the newer IoT devices coming into the market have far more security capability built in, and the onus for maintaining that security has shifted to the healthcare providers, Jones observes.

"Asset management. That is the single thing most thing that they should do for cyber risk management," he says. "You want to narrow down the problem to where is the single biggest risk that will affect the largest number of people."

Playing Nice Together

In order to bring substantial change to cybersecurity of IoT devices in the medical industry, Jones notes it will require collaboration among manufacturers, healthcare providers, and regulators.

IoT medical device manufacturers need to build cybersecurity into devices as they are being developed, and continue to support the devices during their lifecycle with updates and patches, Jones says. The healthcare industry, meanwhile, needs to provide input into product development discussions with manufacturers and regulators can assist with drafting guidelines for solutions, he notes.

In December, the US Food and Drug Administration (FDA) issued its final guidance on how cybersecurity for medical devices should be handled once the devices leave the manufacturing plant. That document builds on the pre-market cybersecurity guidance the FDA finalized in 2014.

"The FDA has expanded the scope of its work in cybersecurity over the past several years. We have worked diligently to bring the healthcare community together to propose and implement shared solutions to addressing cybersecurity concerns," says Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.

She says the center identified medical device cybersecurity as a fiscal year 2017 regulatory science research priority, and that the FDA is focused on promoting the adoption of the guidelines throughout the medial device ecosystem.

"We also expect to see more and more manufacturers come to us this year with pre-submission meeting requests to include discussions about building cybersecurity controls into their devices. We welcome the interactions we'll be having this year to help the entire community move to a better place," she says.

Schwartz adds that addressing cybersecurity and public health takes input and effort from many stakeholders, and that proactive multi-stakeholder engagement is the cornerstone of the FDA's approach to addressing cybersecurity in medical devices.

The FDA's efforts, however, have received some mixed reactions. 

"The FDA has published solid pre- and postmarket cybersecurity guidance for manufacturers, but there are no hard compliance requirements," Phelan says. "The Diabetes Technology Society released a security standard (DTSec) for connected diabetes devices in 2016, and I'm hoping we'll see more independent device certifications like this in the future.

"The good news is that medical device security is getting a lot of exposure these days," he says.

Related Content:


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.