IoT in Healthcare: The Expanding Threat Landscape and Strategies to Mitigate It

In the first half of 2023, distributed denial of service (DDoS) attacks on the Internet of Things (IoT) surged by 300%, causing global financial losses of 2.5 billion. IoT malware attacks also increased by 400%.¹ The healthcare industry is increasingly adopting automation and digitization, which the IoT makes possible. However, IoT also increases the sector’s susceptibility to malware, DDoS attacks, and other cybersecurity risks.

Innovative IoT systems continue to revolutionize the healthcare industry in numerous ways. However, the very qualities and capabilities that make these devices so useful – interconnectivity, real-time data-sharing, scalable architecture, and automation – also make them vulnerable to cyberattacks.

A single such attack can have a devastating impact on a healthcare organization and its patients. This article explores the many ways these organizations can protect their IoT ecosystems and data.

The Proliferation and Benefits of Healthcare IoT

In 2023, the global number of connected IoT devices was around 16.7 billion. By 2027, this number is expected to cross 29 billion.² While many of these devices are for consumer use, an increasing number are also used in business settings.

In healthcare, for example, cutting-edge IoT solutions are used to remotely monitor patients and identify their health issues, manage medical inventory, track medical equipment, monitor medication compliance, and even assist in surgeries. These innovative tools empower healthcare professionals to deliver more timely and personalized care and generate better patient outcomes. They also help organizations to improve operational efficiency and cut costs.

Notwithstanding these benefits, the expansion of healthcare IoT ecosystems also has a downside: the expansion of the attack surface due to IoT devices increases the risk of potential cyberattacks and data breaches.

IoT in Healthcare: Cybersecurity Risks

In December 2023, the U.S. Government Accountability Office (GAO) published a report, stating that medical devices connected to hospital networks may be vulnerable to cyber threats and that the incidents arising from these threats “could delay critical patient care, reveal sensitive patient data, shut down healthcare provider operations, and necessitate costly recovery efforts”.³ Earlier in April 2023, the HIPAA Journal published a list of the riskiest connected medical devices that open the door to attacks on healthcare organizations. This list includes nurse call systems, infusion pumps, medication dispensing systems, and IP cameras.⁴

Malware is one of the biggest risks to connected healthcare devices. Modern threat actors attack healthcare IoT devices with many types of malware, including data-stealing spyware, self-replicating worms, bots, and ransomware.

In addition to malware, they can also compromise healthcare IoT ecosystems by:

• Exploiting vulnerabilities to hijack and compromise IoT devices
• Using compromised devices to initiate DDoS attacks on other targets
• Sending phishing emails to trick staff into unknowingly parting with sensitive data or compromising the integrity of one or more connected systems
• Inserting trojans that change the organization’s WiFi DNS settings and then redirect unwitting users to malicious websites
• Covertly installing cryptojacking software on IoT devices to illegally mine cryptocurrencies

But why is healthcare IoT so vulnerable to attack?

Causes of Cybersecurity Risks to Healthcare IoT

IoT has expanded the attack surface of healthcare organizations for many reasons. One is that many healthcare organizations utilize legacy systems, have poor or outdated security controls in place, updates, and patch management have not been implemented, and security strategies such as regular or ongoing security monitoring measures are not consistently used to help prevent or mitigate security risks. Let’s explore some of these weaknesses more in-depth.

The devices lack security controls

Many healthcare IoT systems lack the controls needed to protect them from cyberattacks. It is hoped that the US Cyber Trust Mark, a cybersecurity labeling program for IoT devices proposed by the Federal Communications Commission (FCC), could help mitigate this challenge by helping healthcare organizations choose more secure smart devices.⁵ In addition, healthcare organizations can take steps to improve their cyber-resilience by adopting the steps detailed in the Department of Health and Human Services’ (HHS) recently released working paper Healthcare Sector Cybersecurity.⁶

Outdated software

A large number of IoT devices used in healthcare are still based on outdated, vulnerable software. About 1 in 5 connected devices also run on unsupported (and again, vulnerable) operating systems.⁷ These assets often cannot be updated or patched, putting the organization at very high risk of attack.

Out of reach of traditional security tools

Traditional security tools like antivirus or antimalware software cannot effectively protect the expanded attack surface presented by IoT networks – more so because many IoT devices lack the processing power and memory needed to install and run these solutions. For effective IoT protection, these solutions must be lightweight, resource-efficient, and capable of seamlessly adapting to the device diversity and scalability associated with large-scale IoT deployments.

Interconnectivity and interoperability of systems

The healthcare sector has one of the largest and most complex supply chains of all industries, involving millions of care providers, suppliers, manufacturers, and other entities whose IoT technologies and assets are closely interconnected with each other. These interconnectivities enable threat actors to leverage a compromised device as a starting point to move laterally within the network. By doing so, they can compromise even more devices and potentially exfiltrate large amounts of sensitive or confidential data.

Vast quantities of data

Per one estimate, the healthcare industry generates about 30% of the world’s data.⁸ This “Big Data” – a lot of it generated by IoT devices – is invaluable to deliver high-quality, personalized patient care. However, it is also a very attractive target for breaches.

A breach of healthcare data may compromise patient privacy, expose them to identity theft, fraud, and other crimes, or result in inadvertent misdiagnoses or the delivery of inappropriate treatments. It can also cost the affected organization – and cost them big. Since 2020, the cost of a data breach in healthcare has increased by 53.3%. In fact, the industry’s average breach cost of $10.93 million is the highest among all other industries.⁹

Strategies to Secure Healthcare IoT Devices

As cyber threats targeting healthcare IoT escalate, it’s vital for organizations to adopt these proactive strategies to secure their smart devices:

Create an inventory of IoT devices

Healthcare organizations that don’t keep an inventory of their IoT devices lack visibility into and oversight over their IoT ecosystem. Without visibility, they struggle to understand their “real” risk and implement controls to manage the risk.

An effective inventory identifies all the IoT devices in the ecosystem – both authorized and unauthorized. It also includes the organization’s operational technology (OT) devices. This is important because the increasing interconnections between OT and IT expand healthcare organizations’ attack surface and increase their risk of attack.

Encrypt sensitive data

Encrypting IoT traffic can improve data privacy and integrity. To protect sensitive information, it’s crucial to encrypt both data-in-transit and data-at-rest.

Regular updates and patches

It’s important to regularly update and patch all IoT systems, software, firmware, and operating systems to remove their exploitable vulnerabilities and safeguard them from attackers.

Change the default password

Changing the weak default password to a stronger password can reduce the possibility of hacks. Multi-factor authentication (MFA) can further help minimize the impact of security events, even if passwords are stolen or compromised.

The U.S. HHS Health Sector Cybersecurity Coordination Center (HC3) recommends some more IoT security strategies for healthcare organizations:

Implement Zero Trust principles and security model

Zero trust assumes that no user or device can be implicitly trusted. By adopting zero trust principles, organizations can limit the number of people allowed to access certain IoT resources, minimizing the potential for attack.

Implement network segmentation

Network segmentation is about dividing a network into smaller parts or “subnets”, with each subnet acting as an independent network. A segmented network allows administrators to use various means such as software-defined networking (SDN) to implement security policies on each subnet to control traffic flows and asset access, minimize risks, and protect network assets. Segmentation also makes it easier to isolate infected IoT devices from other IT equipment, thus preventing the spread of malware.

Conclusion

IoT has ushered in many positive changes in the healthcare sector. However, it also makes healthcare organizations – and by extension patients – vulnerable to a host of cyber threats.

In this challenging landscape, the best defense is a good offense. This means adopting offensive security measures like the ones highlighted above, and security testing with tools such as attack surface management (ASM) and penetration testing as a service (PtaaS). Together, these proactive measures can empower healthcare organizations to defend their IoT environments and safeguard patients and their data.

Discover how BreachLock ASM and PtaaS strengthen your cyber resiliency in an IoT environment. Schedule a free discovery call.

About BreachLock:

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!

References

1. DDoS attacks on IoT devices skyrocket in 2023
2. Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report
3. Medical Device Cybersecurity
4. Riskiest Connected Medical Devices Revealed
5. Biden-⁠Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers
6. Healthcare Sector Cybersecurity
7. 1 in 5 Connected Medical Devices Run On Unsupported Operating Systems
8. Taking the pulse of data and technology in modern healthcare
9. Cost of a Data Breach Report 2023