Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Healthcare Industry Lacks Awareness of IoT Threat, Survey Says

Three-quarters of IT decision makers report they are "confident" or "very confident" that portable and connected medical devices are secure on their networks.

Healthcare networks are teeming with IoT devices from glucometers to infusion pumps, but a study found that the majority of IT decision makers may be operating with a false sense of security regarding their ability to protect these devices from cyber attacks.

According to a survey of more than 200 healthcare IT decision makers, more than 90% of healthcare IT networks have IoT devices connected to the systems, according to a report released Wednesday by ZingBox.

"Typically you will see 10 to 15 IoT devices per bed in a hospital," says Xu Zou, CEO of ZingBox, defining a healthcare IoT device as anything that is portable and connected to the Internet.

But despite the large presence of these devices, the healthcare industry is largely operating under the assumption that traditional security measures for laptops and servers are fine for securing the medical Internet of Things, the report finds.

For example, 70% of survey participants give their seal of approval for using traditional security technology for medical IoT devices, and 76% say they are "confident" or "very confident" that these portable and connected medical devices are secure on their networks.

The difference in using traditional IT security verses IoT-specific security is that attackers' aim is to gain access to the portable devices, even though the payout of information could be greater if they attacked a server storing a database, Zou says.

"A lot of IoT medical devices are not protected and secure, so they are easier to gain access and control," Zou explains. "The attackers can control them and use them as a botnet."

This type of attitude may explain the recent results in a Ponemon Institute study, which found that while 67% of medical device makers expect an attack on their devices within the next 12 months, only 17% are taking significant steps to prevent it.

Mobile Security IoT's Answer?

Although there are number of similarities between mobile devices and medical "things," the security needs between the two are different, Zou says.

One of the key differences is that security patches and updates can be pushed to a mobile device, but the same is usually not the case for IoT medical devices that cannot receive software pushed to them, says Zou.

"You can push security software onto a laptop or server, but you can't do that with an infusion pump," he notes.

Additionally, medical devices that are used for direct patient care are heavily regulated by the Food and Drug Administration (FDA). As a result, a medical device maker may be hesitant to receive third-party software pushed to the device for fear it would nullify or affect the FDA certification it receives for its device, Zou says, noting the certification process can sometimes take five years or so to achieve.

As a result of these regulatory hoops, not one medical device maker uses third-party security software for their IoT devices, he says, adding that, according to Gartner, by 2020, 25% of attacks will be directly on the device.

"CISOs need to find a way to figure out how many IoT devices they have on their network," suggests Zou. "The No. 1 challenge is gaining visibility into this. You cannot protect what you can't see." 

Related Content: 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 9:56:54 AM
Confident?
 

"Three-quarters of IT decision makers report they are "confident" or "very confident""

Confident? This shows a disconnect, once they get hit there will not be any evidence of confidence in their mind.

 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/25/2017 | 3:44:49 PM
Health Care is Unhealthy IT
When I had my managed services business in 2014, several of my worst clients were health care - doctors, dentists and they had abysmal appreciation of IT in general, security in particular even though HIPPA ruled their lives.  My best advise was mostly ignored and some hated to pay me as well.  Worst clients of the lot.
matisstar
100%
0%
matisstar,
User Rank: Apprentice
7/26/2017 | 3:16:12 AM
Re: Health Care is Unhealthy IT
the health care profession is in the best position to implement a healthier work environment among its employees, because it is the health professionals who are telling the rest of us how to eat, exercise, decrease stress, and live more balanced lives.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/4/2017 | 7:55:46 AM
Re: Confident? - One word answer
Merck.

Yeah, they were probably confident in April of this year - not so much anymore.  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:00:09 AM
IoT
 

"Typically you will see 10 to 15 IoT devices per bed in a hospital"

So everything connected is IoT any more, I was always considering those small devices we use. A car is also portable but I do not think anything consider it IoT.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:03:29 AM
door bell security
 

"A lot of IoT medical devices are not protected and secure, so they are easier to gain access and control,"

This makes sense, most of IoT devices is designed to get a simple task done, not giving enough attention of security of it. Like let's assume, my door bell is hacked and ringed may times at night. That is all damage it can cause.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:05:48 AM
Is it IOT?
 

"One of the key differences is that security patches and updates can be pushed to a mobile device, but the same is usually not the case for IoT medical devices that cannot receive software pushed to them"

If this is the case, should we still consider it IoT?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/25/2017 | 10:08:19 AM
AI in security
 

"The No. 1 challenge is gaining visibility into this. You cannot protect what you can't see."

I agree with this, that is why we need AI in monitoring of security vulnerabilities I would say.
PramodV715
100%
0%
PramodV715,
User Rank: Apprentice
8/1/2017 | 11:58:25 PM
You cannot protect what you can't see
Absolutely agree. Today in this world we have 30 billion web pages and more than 1 million mobile apps - Lord knows how secure these are or what kind of harm they cause discreetly.

Especially when it comes to health, it scares me! Big giants like IBM, CISCO may eventually find a way to make them secure but the question is are they reachable to the common man?
AmmarA720
50%
50%
AmmarA720,
User Rank: Apprentice
8/3/2017 | 2:18:09 PM
decision makers report they are "confident", not any more
"Three-quarters of IT decision makers report they are "confident" or "very confident"

Hearing about all the security issues we deal with it is very hard to say "very confident", all the hits only adding more limitation to the potential design of a product.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...