What are the risks?

And why status quo is not an option

Last updated 3 years ago

Healthcare is becoming a data business

Artificial intelligence is a game changer. Apple, Google and Samsung are partnering with academic researchers to leverage data from watches and smartphones as a new way to carry out clinical studies and deliver personalized medicine. These new methods were approved by the FDA in 2018.

Likewise in France, a national computing infrastructure, the health data hub, is being built.

But more data means more cyber risk too. It is not just a matter of data security: a compromise can have a life-or-death impact. A system that cannot be patched may be an actual threat that can cause harm to patients.

Healthcare relies more and more on connected devices

Defining the IoT / connected devices

We define an IoT system as a set of technologies that provide a service:

  • Devices with sensors and actuators. They collect, process and exchange data. Devices are usually deployed remotely, in the field.

  • Communication networks. They provide a communication channel between devices and with processing systems. An IoT system can rely on multiple communication networks, wireless or wired, high or low speed.

  • Processing facilities. They provide the “smartness” of the system. These processing facilities can sit in devices, in mobile application, or remotely (e.g. cloud computing). An IoT system can have one or several processing facilities.

The IoT has a few unique caveats that need to be considered, typically:

  • Battery powered: the devices are often small and serve a particular function, unlike server resources which have massive calculation-driven platforms and consistent, sanitized power flow.

  • Asynchronous: They are partially or completely offline, connecting only asynchronously via hub devices or when required for functionality.

  • Lean: Lastly, IoT devices usually have limited calculation capabilities, and depend on central devices and servers for this processing functionality.

Despite all of these caveats, IoT devices are extremely attractive targets for attackers because of their known single-use functions and relatively lax security.

What are these devices used for?

See the "use cases" section. It's important to realize that healthcare organisations want to be able to deal with the cybersecurity issues holistically. Medical devices as well as downstream data processing should all be made for the benefit of the patient and healthcare professionals.

The current state of affairs

The extraordinary issues that the healthcare sector is currently facing come on top of long-standing challenges that have hindered the cybersecurity maturity growth in healthcare in the past:

  • Low cybersecurity maturity in the healthcare sector is evident: many hospitals still do not have a CISO, and lack comprehensive security policies and access control mechanisms

  • Hospitals are easy targets for malicious attackers due to the many different ways a malicious attacker can gain access to a system

  • Lack of security awareness – for example, physicians, administrative personnel and patients can use their personal devices to connect to the hospital network without following any specific strategy

  • The lifespan of medical devices in use, such as CAT scanners or MRI machines, can be longer than the manufacturer has anticipated, which commonly means security updates must be performed by a third party

With the following definitions:

Vulnerabilities in healthcare IT and medical devices

A device that is not patched may be an actual threat that can cause harm to patients.

Reducing those vulnerabilities should be prioritized according to their potential impact (threat modeling helps). Many cyber risk management methodologies exist (ISO 27005, EBIOS RM, FAIR, etc.), but given the nature of healthcare activities, DoCRA seems well adapted because it integrates the notion of "duty of care" (mostly from a legal point of view, but this could be consolidated with the ethical mindset of the Hippocratic oath).
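The prioritization described above, as an added example (this is not code from the mediam project): a toy risk register that scores each finding as likelihood × worst-case impact, ranks patient-safety impact ahead of everything else, and applies a simplified reading of the DoCRA reasonableness test (a safeguard is expected when risk exceeds the acceptable level, and it is reasonable only if its burden does not exceed the risk it addresses). The 1-5 scales, the acceptable-risk threshold and the sample findings are constructed assumptions, not real device data.

```python
"""Prioritise device vulnerabilities by potential impact, DoCRA-style.

Added example, not the mediam project's code. Scales, threshold and the
sample findings below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    issue: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    patient_safety: int        # 1 (no effect) .. 5 (life-threatening)
    data_confidentiality: int  # 1 .. 5
    service_continuity: int    # 1 .. 5
    safeguard: str
    safeguard_burden: int      # same units as the risk score (1 .. 25)


ACCEPTABLE_RISK = 6  # constructed threshold: risk at or below this needs no new safeguard


def impact(f: Finding) -> int:
    """Worst-case impact across the three dimensions."""
    return max(f.patient_safety, f.data_confidentiality, f.service_continuity)


def risk_score(f: Finding) -> int:
    """Classic likelihood x impact on a 1..25 scale."""
    return f.likelihood * impact(f)


def safeguard_required(f: Finding) -> bool:
    """Duty of care: act when the risk to others exceeds what is acceptable."""
    return risk_score(f) > ACCEPTABLE_RISK


def safeguard_reasonable(f: Finding) -> bool:
    """Simplified DoCRA test: burden must not exceed the risk the safeguard addresses."""
    return f.safeguard_burden <= risk_score(f)


def prioritize(findings):
    """Rank by patient-safety impact first, then by overall risk score."""
    ranked = sorted(findings, key=lambda f: (f.patient_safety, risk_score(f)), reverse=True)
    return [
        {
            "device": f.device,
            "issue": f.issue,
            "risk": risk_score(f),
            "required": safeguard_required(f),
            "reasonable": safeguard_reasonable(f),
            "safeguard": f.safeguard,
        }
        for f in ranked
    ]


# Constructed sample register (hypothetical devices and issues, not real findings).
SAMPLE_FINDINGS = [
    Finding("infusion pump", "unauthenticated firmware update over LAN",
            3, 5, 2, 3, "network segmentation + signed updates", 10),
    Finding("PACS server", "default vendor credentials",
            4, 2, 5, 4, "rotate credentials, enforce MFA", 4),
    Finding("badge reader", "outdated TLS version",
            2, 1, 2, 2, "firmware upgrade", 3),
    Finding("MRI workstation", "unsupported OS, vendor cannot patch",
            3, 4, 3, 5, "replace workstation", 20),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        flag = "OK" if row["reasonable"] else "seek a less burdensome safeguard"
        print(f'{row["device"]:16} risk={row["risk"]:2} required={row["required"]} {flag}')
```

The interesting row is the unpatchable MRI workstation: its risk is high enough to require action, but the only listed safeguard (replacement) is more burdensome than the risk it addresses, so the DoCRA-style test flags it as a case where a compensating, less burdensome control should be sought rather than simply accepting the risk.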

Attacks are booming

Most attacks on medical organisations today are classic ransomware, so attackers are not yet exploiting the many vulnerabilities in appliances that have been deployed in the field without cybersecurity in mind. What is different from other economic sectors is that it is not just data security at stake: attacks can have life-and-death impacts.

Within the healthcare sector, hospitals are more centralized and better prepared than smaller organizations (note: we found similar results in our interviews).

Impact of cyberattacks

Here's a real life example of how cyber attacks can disorganize healthcare services:

"Cyberattack - information system out of order. Very long delays for patients that are not coming for vital emergency" (translation)

Related costs

Some IoT devices provide better usability through APIs, enabling a web of things through semantic interoperability. Each individual device may be small, but together they enable a federated network of edge processing, supported by standardization work such as the W3C web of things or the IETF T2TRG. A practical example of application of those APIs is provided by the automation capabilities of IFTTT.

Medical devices (and IoT in general) are vulnerable by nature. For example, manufacturers build them to support remote patching and updating of firmware, which creates identifiable loopholes.

A taxonomy of attacks on cyber-physical systems is summarized in the following graph:

ICS-CERT cybersecurity disclosures reveal that device vendors reported 400% more vulnerabilities per quarter since the FDA released its Cybersecurity Guidance. This may be a sign of improving compliance among vendors and demonstrates that regulation works. It also demystifies the idea that product certification wouldn't allow security updates.

In Germany, the BSI has published the results of the ManiMed study, which similarly analyzes the vulnerabilities found in devices deployed on the European market.

The internet risk surface report for healthcare provides useful analysis, but mostly for the US: "The prototypical healthcare organization has fewer hosts scattered across fewer service providers and global locations than other sectors, and a lower proportion of those assets exhibit high-value functions. That trend reverses for the findings dimension, where Healthcare's rate of severe security findings ranks among the highest of all sectors."

In the UK, a study called "Data breach remediation efforts and their implications for hospital quality" found that hospital time-to-electrocardiogram increased by as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased by as much as 0.36 percentage points during the 3-year window following a breach.

An attack may completely disorganize healthcare services (here CHU Rouen in France)

How much does it cost an organisation today? Cyber insurers have the most accurate evaluations. We use the atbay simulator.

Figures on this page:

  • Duty of care can integrate cyber requirements too
  • Taxonomy of attacks. What types of attacks? Source: https://arxiv.org/pdf/2105.06612.pdf
  • Cyber surface area by sector
  • Cost simulation of a cyber attack