Healthcare cyber security: IoT device security, FAQs and how to ensure patient safety

In the healthcare industry, the integration of Internet of Things (IoT) devices has ushered in numerous benefits, ranging from streamlined patient care to improved operational efficiency. However, with these advancements comes a pressing concern: the security of IoT devices and its direct impact on patient safety, as well as a whole host of other cyber security risks and threats.

In fact, healthcare data breaches have consistently trended upward from 2012–2021, with the number of data breaches doubling in between 2019 and 2022. IBM released their Cost of a Data Breach report and for the 13th year in a row, the health sector had the highest costs for a data breach. The average breach in healthcare increased by nearly $1M and is now $10.1M. Costs have also increased over 40% in the last two years. In total, according to the United States (US) federal records, healthcare breaches have exposed 385 million patient records from 2010 to 2022.

As a security decision maker, understanding the risks and implementing robust security measures is critical. In this comprehensive blog post, we will delve into the challenges posed by IoT device vulnerabilities, real-world examples of cyber-attacks in healthcare, and strategies to ensure patient safety through effective cyber security awareness.

IoT devices in healthcare: a double-edged sword

According to Cynerio and Ponemon Institute's “The Insecurity of Connected Devices in Healthcare 2022” survey, 56% of respondents have encountered at least one cyberattack involving connected devices over the last two years.

While IoT devices offer unprecedented opportunities for remote monitoring, data collection, and diagnostics, they also introduce vulnerabilities that can be exploited by cyber criminals. With the integration of various connected devices, including wearables like patient tracking wristbands and critical medical equipment like pacemakers and ventilators, ensuring the security of these devices becomes crucial.

Here are a few key challenges:

• Proliferation of devices: With the growth of IoT in healthcare, the sheer volume of devices increases the size of the attack surface. From wearable health trackers to outdated hardware to brand new medical equipment, the proliferation of IoT devices represents a potential entry point for attackers. Furthermore, as a lot of healthcare activity moves to remote and roaming situations, the increased use of IoT devices on public or unprotected networks also increases the attack surface.
• Lack of security standards: Many IoT devices lack standardised security protocols, making them susceptible to exploitation. Default or weak passwords, lack of encryption, and unpatched vulnerabilities are also common issues, especially in the healthcare sector as it is severely lacking in awareness programmes and cyber security training.
• Budget constraints: Limited budget allocations for cyber security in healthcare organisations can hinder the adoption of advanced cyber security solutions. Resource constraints may result in suboptimal protection against evolving cyber threats. Healthcare organisations, in many nations, are already seeing their overall budgets being cut, so the slice of the pie for cyber security should get smaller as a result, right? Unfortunately, this will leave healthcare organisations even more vulnerable, leading to even more damaging and costly cyber breaches.
• Legacy systems and compatibility: In healthcare, older systems often coexist with modern technologies as system updates lag behind the massive progress we have seen on the side of threat actors. In fact, a study conducted in 2020 found that 83% of hospital infrastructure is running on outdated software, largely attributable to now unsupported Windows 7 operating systems. In many cases the software in question is no longer being supported by its original developer. Legacy systems, which include devices like scanners, fax machines and x-ray devices, might not be equipped to handle modern cyber threats, leaving vulnerabilities that attackers can exploit. Through these legacy systems, threat actors can hack their way into the wider network and wreak havoc on the data and information stored there.

Real-world examples of healthcare cyber attacks

• WannaCry ransomware attack (2017): This global attack impacted numerous healthcare organisations, disrupting operations, compromising patient data, and affecting critical medical services. The attack exploited a vulnerability in Microsoft's Windows operating system, utilising an exploit known as "EternalBlue," which was developed by the United States National Security Agency (NSA) but was leaked online by hacking group Shadow Brokers. The attack targeted computers worldwide, affecting organisations across various sectors. The healthcare sector was particularly hard-hit by the WannaCry attack due to the critical nature of its services and its reliance on technology. The attack disrupted operations as the ransomware infected computers, rendering them inaccessible. This led to cancelled appointments, postponed surgeries, and delays in patient care. Some medical devices, including diagnostic equipment and computerised systems used for patient care, were rendered inoperable due to the attack. The attack also compromised patient data, including medical records and sensitive information raising concerns about patient confidentiality and data privacy. To compound issues even further, healthcare organisations faced financial losses due to the need for an emergency response, system recovery, and legal and regulatory penalties for data breaches.
• NotPetya attack (2017): The NotPetya ransomware attack initially targeted Ukraine but quickly escalated to a global scale, affecting organisations in over 65 countries. NotPetya infected computers around the world, including hospitals, other medical facilities, and a large U.S. pharmaceutical manufacturer with the total damage believed to be $1 billion. NotPetya was designed to appear as a variant of the Petya ransomware, but its primary goal was destruction rather than financial gain. The attack exploited the same "EternalBlue" vulnerability in Microsoft's Windows operating system that was used in the WannaCry attack just a month earlier. However, NotPetya utilised additional mechanisms to disseminate itself and spread within networks to other devices. This attack targeted a major hospital, leading to the cancellation of surgeries, diversion of patients, and significant financial losses.
• Ryuk ransomware attack (2019): Ryuk is a type of ransomware that is often delivered through phishing emails or by exploiting vulnerabilities in an organisation's systems. SOCRadar's monitoring revealed nearly 1200 phishing attempts targeting healthcare entities from April 2022 to March 2023, highlighting the substantial risk of phishing in the healthcare sector. Interestingly, there appears to be a surge in phishing attempts during the summer months, linked to the vacation period in the education system. Once activated, Ryuk encrypts files on the infected system and demands a ransom payment in cryptocurrency for the decryption key. Healthcare providers experienced data breaches and system outages due to this attack, causing delays in patient care and compromising sensitive medical information. Ransomware attacks are among the most common cyberattacks in the healthcare industry, with 190 successful ransomware attacks reported in the US between April 2022 and March 2023 (SOCRadar).

• Emotet malware attack (2022): Emotet is a malware variant that has historically been a prolific threat to the health sector and is often used as part of a cyberattack to deliver ransomware. Whilst Emotet was initially taken down in January 2021 and wiped in April 2021, it returned and spiked in late Spring 2022 and is currently being used to drop Quantum and BlackCat ransomware into healthcare organisations and their networks.
• Venezuelan insider ransomware (2022): The US Department of Justice revealed that Venezuelan doctor, Moises Luis Zagala Gonzalez, was operating ransomware in his free time. As a full-time medical doctor who treated patients regularly, Gonzalez ran both Jigsaw and Thanos ransomware variants and is accused training threat actors on the dark web. Healthcare data appearing on the dark web is nothing new with SOCRadar reporting a 35% rise in dark web posts regarding healthcare in the past year, with over 450 documented posts.
• MediBank ransomware attack (2022): This cyber-attack, on one of Australia's largest private health insurance companies, by a ransomware group with ties to the now defunct REvil gang, compromised approximately 9.7 million customer details, including sensitive information such as names, addresses, birthdates, and Medicare numbers. This information was stolen to extort a ransom payment from Medibank in exchange for not publicly releasing the data.
• IRCCS MultiMedica cyber-attack (2023): The IRCCS MultiMedica, recognised by the Ministry of Health, houses a hospital, a multi-specialist hospital, and an outpatient care centre. The group had an annual turnover of 229 million euros in 2021 which is why the LockBit ransomware group targeted it for financial gains. The ransomware group left with patient data, credentials, financials, and confidential documents.
• Cuba ransomware (2023): Cuba ransomware operators have compromised over 100 targets and have received over $60 million in ransoms, following a total of $145M in demands. Cuba ransomware have been targeting five critical U.S. infrastructures: financial services, government, manufacturing, information technology, and, of course, healthcare.

Strategies to ensure patient safety through IoT device security

1. Comprehensive risk assessment: Conduct a thorough risk assessment to identify vulnerabilities associated with IoT devices and your general security structure. A comprehensive risk assessment allows you to evaluate potential attack vectors, unsafe behaviours, impact on patient care, and the regulatory implications of breaches. TSC’s dynamic Security Awareness and Behaviour Research (SABR) tool can assess the levels of awareness and knowledge of your workforce across five dimensions, analyse the behaviours of employees in these five dimensions, and provide an in-depth analytical report of your organisation’s security maturity. Organisations have been working with us for over 20 years deploying the SABR tool to determine their baseline results and establish and implement a plan to further develop their security maturity. By pinpointing undesirable behaviours and targeting issues at their root, TSC’s SABR assessment can inform a more effective and efficient security culture.

2. Implement Robust Authentication: Require strong, unique passwords and Multi-Factor Authentication (MFA) for IoT devices. Make sure your employees are not using the same password across numerous accounts and that they are regularly update passwords. You must ensure your employees understand the power of the password; use the real-world cyber breach examples we have listed above to provide context and hammer home the real-life ramifications of lax password behaviours. 

3. Regular patching and updates: Keep devices and software updated with the latest security patches to address known vulnerabilities. Develop a schedule for regular updates and ensure compatibility with legacy systems. Not only do you need to implement a patch/update calendar, but you also need to train employees to be proactive in updating their hardware and software; you want them to take ownership of their security and, as a result, the organisation’s security.

4. Network segmentation: Isolate devices from critical patient data networks to minimise the potential impact of a breach and segment your network to confine cyber breaches to its initial entry point. Network segmentation limits attackers' lateral movement and reduces the risk of data exposure. Furthermore, because a cyber-attack on a healthcare organisation can cripple entire systems, network segmentation can ensure that total shutdowns do not occur, meaning less surgeries are postponed, and less patient data is compromised.

5. Training and awareness: You must educate healthcare staff about, password security, remote working, the risks of IoT devices, phishing, ransomware and other common cyber risks and threats. You must train them to recognise signs of potential compromise and encourage a culture of reporting any unusual activities before they develop into something really damaging. TSC offers a whole host of eLearning courses, games, and physical materials on the aforementioned cyber threats, as well as so much more. Furthermore, as creators of bespoke training and awareness materials, we can create specific materials for your organisation, for specific departments and even for specific threats.

6. Regular backups and the 3-2-1 rule: Robust data backup systems are crucial to restore operations in the event of a cyber-attack. Healthcare organisations are encouraged to establish and maintain secure data backup practices. Consider the 3-2-1 backup rule as a solution to data protection. The 3-2-1 rule is a widely recognised and recommended approach for creating comprehensive data backups that ensure data availability, security, and recovery in case of data loss or disasters. The rule advises organisations to maintain 3 copies of your data, to store those copies on 2 different types of media, and to keep 1 copy off-site, ideally in a different geographical location. The 3-2-1 backup rule provides a strong balance between data availability, redundancy, and protection against various types of risks. Following this rule helps ensure that you have multiple layers of protection for your data and can recover it in case of unexpected events.

Behavioural insights can transform your security culture

Faced with this reality and this snapshot of current threats, it is increasingly important to engage your workforce in their role within a strong line of defence against cyber-attacks.

Training and awareness are fundamental in enabling people to provide that line of defence. However, training alone will not provide the behaviour change that is required from every employee.

Understanding the factors that can influence behaviours are the key to behaviour change. The COM-B model of behaviour change, used by The Security Company, proposes that to engage in a behaviour (B - Behaviour) at any given moment, a person must be physically and psychologically able (C - Competence or Capability) and have the opportunity (O - Opportunity) to exhibit the behaviour, as well as the want or need to demonstrate the behaviour at that moment (M - Motivation).

Our behaviour change research shows that an individual’s behaviour will change if all the elements above – capacity, opportunity, and motivation – are successfully implemented. We combine these three sources of behaviour with our behaviour change wheel to provide a systemic overview for your organisation of your current security culture. Let us chat to discuss how leveraging behavioural theories can significantly enhance your efforts to bolster IoT device security.

Frequently Asked Questions

Why is cyber security awareness and training important in the healthcare industry?

Cyber security awareness and training is crucial in healthcare to mitigate the risks of cyber threats, protect patient data, and ensure the continuity of patient care. It helps employees recognise and respond to potential threats, reducing the likelihood of successful cyber-attacks.

What are some effective methods for training healthcare staff on cyber security awareness?

Effective methods include interactive team activities, workshops, simulated phishing exercises, gamification, engaging eLearning courses and bespoke role-based training. These methods will help you engage employees across generations, departments, and learning styles whilst providing hands-on experience in recognising and responding to threats.

How often should cyber security training be conducted in healthcare organisations?

Regular training is essential. Basic training on cyber threats like phishing and password security should be conducted bi-annually but refreshed regularly throughout the year with awareness materials like physical posters, email signatures, GIFs, and games. However, if you conduct a security assessment, you will gain more insight into how often and what security training you need to implement. One solution does not apply to all organisations, whilst a personal and bespoke solution will be far more effective.

Can cyber-attacks on IoT devices directly impact patient care?

Yes, cyber-attacks on IoT devices can have immediate consequences on patient care. For example, attacks on medical devices can lead to service disruptions, delays in treatment, and compromised patient data. This can have massive medical, financial, and regulatory ramifications.

What regulations address IoT device security in US healthcare?

The FDA (Food and Drug Administration) recommends manufacturers use the NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cyber security, which builds on earlier guidance for Industrial Control Systems. The Healthcare Cyber security Act of 2022 requires the Cyber security and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) to collaborate around improving cyber security in the healthcare and public health sectors, with CISA charged with the specifics. Part of this act includes a detailed study on cyber security risks for the health sector, and how to manage these risks with a shortage of qualified cyber security workers. CISA would be responsible to make resources, including cyber-threat indicators and appropriate defence measures, available to federal and non-federal entities that receive information through HHS programs. Furthermore, the US has also introduced the Protecting and Transforming Cyber Health Care Act, the PATCH Act. This law is specifically focused on new requirements for medical device and network security, setting cyber security requirements for medical device manufacturers by requiring premarket approval through the Food and Drug Administration, requiring development of plans to identify and address post-market cyber security vulnerabilities, and also allowing manufacturers to design, develop and maintain processes and procedures to update and patch devices and related systems throughout lifecycles.

What regulations address IoT device security in EU and UK healthcare?

In the EU, the Medical Device Regulation (MDR) emphasises cyber security as a component of medical device safety. In the UK, the NHS has released device security guidance and, on June 2022, they released a report on the future regulation of medical devices in the United Kingdom in a post-EU Britain.

Conclusion

In the healthcare sector, the potential benefits of IoT devices are vast, but so are the risks they introduce, and this is not even considering numerous other threats such as ransomware, phishing, and poor password security. In the past year, we even saw an alarming 63.5% of phishing domains masquerading as websites of healthcare organisations, down utilising the HTTPS protocol to deceive victims by exploiting the trust of the little padlock icon typically associated with secure connections.

By understanding the challenges, leveraging behavioural insights, and implementing comprehensive strategies, you can establish a resilient defence against cyber threats. Many security leaders in the healthcare space are waking up the music, which may explain why the global healthcare cyber security market size is estimated to rise from US$ 17.35 billion in 2022 to around US$ 81.63 billion by 2032, according to Precedence Research.

You simply cannot afford to be left behind!

Remember, a well-informed and security-conscious healthcare environment is the cornerstone of patient well-being in the digital age.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your healthcare organisation or if you would like a demo of our SABR tool to identify gaps in your security armour ... please contact our Head of Business Development and Sales,  Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.