Increased Connectedness Increases Risk: Internet of Medical Things, Cybersecurity

Today’s blog is provided by Rebecca Rye

Health care is an industry defined by innovation and evolution, and increasingly the direction of that innovation is toward connected, technology-enabled care. The COVID-19 pandemic has only increased the pace of that innovation—hospital at home, telehealth and virtual care have all seen increased use due in part to Medicare flexibilities discussed in a prior blog post. While this increase in technology utilization can have significant upsides for patient care delivery, cost savings, and increasing efficiency to relieve burdens placed on an already stretched workforce, it is important for leaders in health care to understand the risks associated with the addition of new connected devices within their systems.

Internet of Medical Things (IoMT)

The Internet of Medical Things is a term used to describe the relationship between all the devices, software systems, and health systems used to provide care to patients. The term itself is nebulous by design—connected devices within the IoMT can take many forms, from glucose monitors, to pacemakers, to robotic surgical machines, and everything in between. The IoMT extends outside the walls of the care facility as well – from devices used by a care team for remote therapeutic monitoring after a patient is discharged from a care facility, to watches that can report heart rate information and even interface with a patient’s electronic health record to deliver that information to a physician.

IoMT and Cybersecurity

While the IoMT undoubtedly provides advancements that improve patient care and experience, it also introduces thousands of potential points of vulnerability when it comes to cyberattack. In September, the Cyber Crime division of the FBI provided a Private Industry Notification to the health care industry, detailing the potentially hidden risks to a more connected health care system. Specific areas of concern cited by the FBI are:

  • Outdated software providing opportunities for cyber criminals
  • Devices installed and running on their default settings offering easy access for exploitation
  • Devices running customized software that needs special upgrade procedures before patches can be applied, so that maintenance is often delayed
  • Devices that simply are not designed with security measures in place, either due to age or an assumption that they would not be the target of a cyber attack

According to the FBI’s report, a study conducted in January of 2022 concluded that 53% of connected medical devices and IoMT technologies had “known critical vulnerabilities,” and around one-third of connected devices had vulnerabilities known to affect operational effectiveness or accuracy. By exploiting these vulnerabilities, malicious actors could take many actions—including providing intentionally inaccurate readings, delivering incorrect medication doses, or locking down operation of the devices completely. Any one of these actions could have a catastrophic effect on patient care delivery.

A Broader Look At Cybercrime

It’s important to remember that connected medical devices are but one element of a much broader connected ecosystem. For example, the FBI’s Internet Crime Complaint Center (IC3) 2021 report, which annually tracks cybercrime complaints, shows that the number of reported incidents and the associated financial losses have steadily increased over the last five years – going from roughly 301,500 complaints totaling $1.4 billion to over 800,500 complaints totaling $6.9 billion. Ransomware was one of the top five crime types. The most common ways cyber criminals infect victims with ransomware are phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities.

Health care is considered one of 16 critical infrastructure sectors. In 2021 IC3 began tracking ransomware attacks by sector and received 649 complaints from critical infrastructure organizations that year. Health care had the most, with 149 complaints. The next closest were the financial services sector with 89 and information technology with 74.

And just this week (October 21), the FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), released a joint Cybersecurity Advisory regarding the Daixin Team, a ransomware and data extortion group that has targeted organizations within the health care sector since at least June 2022. In the past four months, the Daixin Team has used ransomware to encrypt servers required for several key health care services, including electronic health records and diagnostic and imaging services.

Most commonly, the Daixin Team exploits vulnerabilities in virtual private network (VPN) servers or uses phishing to gain access to a target’s servers. Once they have obtained access, Daixin actors move laterally to other networked servers to deploy ransomware or to exfiltrate data, including personally identifiable information and protected health information, from victims’ systems and hold it hostage under the threat of release if their terms are not met.

Next Steps

Bottom line: with health care devices, information and systems more connected than ever, more and more vectors for attack open up. Health care providers must remain vigilant. As your organization continues to address cybersecurity, including connected devices, keep these tips in mind:

  • Develop a plan not only to mitigate risks, but also to respond and continue patient care in the event of an attack. Immediate, fundamental actions suggested by IC3 to protect against ransomware include: keeping operating systems and software updated; implementing user training and phishing exercises to raise awareness about the risks of suspicious links and attachments; securing and monitoring Remote Desktop Protocol (RDP) if it is in use; and keeping an offline backup of data.
  • Monitor and take action on recalls or notices from device vendors and manufacturers related to cybersecurity
  • Update your systems promptly when new software is available
  • Take an inventory of connected devices to understand the scope of potential vulnerabilities
  • Consider cybersecurity when making purchasing decisions–devices at the end of their useful lives can be particularly susceptible to threats
  • Reach out to CLA for assistance. We can help you with it all.
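The inventory step above is where the FBI’s four areas of concern and the IC3 advice on RDP become something a team can actually check. The script below is an added example, not code from this blog post or from CLA: it takes a constructed device inventory and a constructed table of vendor advisories (the model names, firmware versions and support dates are all made up for illustration) and flags each device that is running firmware older than the vendor’s fixed version, still has default credentials, is past its end-of-support date, or exposes RDP.

```python
"""Triage a connected-device inventory against the risk factors the FBI
notification lists (outdated software, default settings, delayed patching,
end-of-life devices) plus exposed RDP from the IC3 guidance.

Added example, not from the blog post or from CLA. The inventory, the
advisory table, device names, models and versions are all constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    default_credentials: bool
    end_of_support: Optional[date]
    open_ports: List[int] = field(default_factory=list)


# Constructed vendor advisories: model -> first firmware version that fixes
# the reported issue. A device running anything below it is flagged.
ADVISORIES = {
    "InfusePump-200": "3.4.1",
    "GlucoLink-X": "2.0.0",
}

RDP_PORT = 3389
# Reference date for the end-of-support check (the advisory date in the post).
REFERENCE_DATE = date(2022, 10, 21)


def parse_version(v: str) -> tuple:
    """Turn '3.4.1' into (3, 4, 1) so versions compare numerically;
    comparing as strings would wrongly rank '3.10.0' below '3.9.0'."""
    return tuple(int(part) for part in v.split("."))


def triage(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Return {device name: [findings]} for every device with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for d in devices:
        issues = []
        fixed = ADVISORIES.get(d.model)
        if fixed and parse_version(d.firmware) < parse_version(fixed):
            issues.append(f"outdated firmware {d.firmware} < fixed {fixed}")
        if d.default_credentials:
            issues.append("default credentials still set")
        if d.end_of_support and d.end_of_support < today:
            issues.append(f"end of support {d.end_of_support.isoformat()} has passed")
        if RDP_PORT in d.open_ports:
            issues.append("RDP (3389) exposed; restrict and monitor per IC3 guidance")
        if issues:
            findings[d.name] = issues
    return findings


# Constructed inventory (hypothetical devices, not real products).
INVENTORY = [
    Device("pump-icu-01", "InfusePump-200", "3.2.0", True, date(2025, 1, 1)),
    Device("pump-icu-02", "InfusePump-200", "3.10.0", False, date(2025, 1, 1)),
    Device("cgm-ward-07", "GlucoLink-X", "2.1.3", False, date(2021, 6, 30)),
    Device("imaging-ws-01", "RadView-WS", "1.0.0", False, None, [3389, 443]),
]


def triage_sample() -> Dict[str, List[str]]:
    """Run the triage over the constructed inventory at the reference date."""
    return triage(INVENTORY, REFERENCE_DATE)


if __name__ == "__main__":
    for name, issues in triage_sample().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In practice the inventory would come from a network scan or an asset-management export and the advisory table from the vendor notices you are already monitoring; the point of the example is that once both are in a machine-readable form, the four FBI concerns reduce to a handful of comparisons that can be re-run after every recall notice or patch cycle.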

How CLA Can Help

For the broader issue of cybersecurity as well as the IoMT, CLA’s team of cybersecurity and IT security professionals can help you take inventory of your systems, identify vulnerabilities, and develop and test a plan to respond to threats.

  • 608-662-7635

Jennifer Boese is the Director of Health Care Policy at CLA. She is a highly successful public policy, legislative, advocacy and political affairs leader, including working in both the state and federal government as well as the private sector. She brings over 20 years of government relations and public policy knowledge with her to CLA. Well over half of her career has been spent dedicated to health care policy and the health care industry, affording her a deep understanding of the health care market and environment, health care organizations and health care stakeholders. Her role at CLA is to provide thought leadership, policy analysis and strategic insights to health care providers across the continuum related to the industry's ongoing transformation towards value. A key focus of that work is on market innovations and emerging payment models. Her goal is to help CLA clients navigate and thrive in an increasingly dynamic health care environment.
