Cybersecurity Challenges using IoT / IoMT Health

The healthcare industry has seen rapid changes in the past few years, especially with the advent of IoT devices that have been evolving at a faster pace. We have seen considerable development, even having a long way to go. The pandemic fueled rapid adoption, revealing the vulnerabilities, and inefficiencies in this sector. 

While major IoT healthcare initiatives currently revolve around telemedicine and remote monitoring, the upcoming phase had a broader scope like tracking, monitoring and maintaining medical equipment and healthcare assets etc. Applications like personal healthcare, biosensors, smart beds, smart pills, the health insurance industry, robotics, and other specializations have just expanded the scope of IoT, and we haven’t talked about the pharma industry yet.

Benefits of IoT Healthcare

The ongoing pandemic clearly paved the way for faster adoption of the IoT devices and tele healthcare services. The key advantages of having IoT in healthcare are : 

• Medical Mobility :  When more patients need urgent assistance, it becomes necessary for the medical staff to track and maintain records of even hundreds of patients, serving in real time. IoT helps in tracking and getting alert when any critical change in a patient's parameter occurs, aiding in locating and providing direct assistance asap.
• Patient Data Processing :  Medical professionals tend to spend hours processing different kinds of medical information, Coupled with ML, IoT can excessively reduce these efforts to a few minutes, additionally offering possible treatment options.
• Enhanced preventive medicine, by better understanding conditions (courtesy of IoT data) and providing timely diagnosis without awaiting for obvious symptoms.
• Mass reduction in risk of error and miscalculation due to  human factors.
• Medical Apps  for monitoring critical health issues, aid healthcare professionals in finding out whether the  patient has taken the prescribed medication else, the therapists can call and remind a patient. The whole process can be automated.
• Under secure practices,the personal data can be directly transferred to the doctor, maintaining  confidentiality,  as the information is moved from one device to another.

The IoT devices collect and transfer health data like the blood pressure, oxygen and blood sugar levels, weight, and ECG readings etc. With the increase in consumer engagements and consciousness regarding their health and better quality of life, there is a surging demand for remote healthcare services aiming to provide a better quality of life. While industries are approaching to provide a more integrated and IoT enabled healthcare solution, these industries have their own set of challenges, a larger amount of which is considering the security threat and privacy challenges.

IoT / IoMT Threats and security challenges

With the increasing market share of the IoT devices in the healthcare field, it has offered a simple door for cyber criminals trying to misuse and profit from device vulnerabilities. Ransomware tops the list of cyberthreats for healthcare organizations.

IoT Device security challenge 

The IoT concerns a wide range of modules like the data acquisition,communication, sensors etc. Owing to the lack of consideration of cybersecurity threats, they have an inherent technical debt which results in compromised medical devices with unpredictable behavior.

Network Segmentation
Most of the healthcare organizations  lack network segmentation  and  access control  of IoT, owing to this any new device introduced will have global organization access, especially to lateral moving sensitive patient information in the network channels. Lack of NATing, allows a IoT device with default configurations to be discover able on the internet.

Use of Legacy systems
Legacy systems cannot be patched or updated as this interferes with the provision of patient care that's essential 24/7. As these systems are devoid of any new security updates, they greatly facilitate the work of attackers in formulating IoT security breaches,

Mediajacking

Security threats that are owing to the implementation of malicious media to gain access to the medical device fall under the category of media jacking. Once the software is accessed, the attacker can vary the injection quantity to potentially cause lethal damage to the patient, additionally stealing confidential information.

User Impersonation

IoT devices capture data in real time and are a treasure trove of patient data for cybercriminals. Most of the devices lack a data protocol or standard, also the use of open source softwares. The data can be misused to create fake ID using the sensitive information like medical history and social security number, to buy drugs or equipments to sell later or file a fraudulent insurance claim

For any IoT device or environment implementation, apart from  side-channel attacks, following are the key vulnerable areas in IoT device :

1. Traffic Interception
   Use of legacy systems and network segmentation increase the chances of data drain of confidential data from a secure network while transmitting information to a healthcare’s IoT system.
2. Debug Port
   Physical devices essentially come with a debug port used for development or debugging purposes. But they can also provide access to attackers to read, high jack or modify the firmware.
3. Authentication and Authorization
   Secure authentication and authorization mechanisms are necessary to ensure the protection of data against any hacking attempts.Most of the IoT devices come with a device with a default password, which are necessary to be updated to avoid ease of access to malicious hackers.

Considering security as an ‘add-on’ feature in device acquisition
Most of the activities in the device acquisition and implementation phase consider security just an add-on feature, leading to an increase in the risk of human error and poor system configuration. Even the unregulated practice of BYOD, especially by physicians belonging to independent medical groups.

Security concerns while developing IoT apps
While lightweight, developer friendly APIs are the need of the hour, the advent of IoT devices has brought a whole new challenge for IoT security developers. The following are few risks associated with the IoT app development, seen over recent years. 

Source : Statista.com

IoT Regulation in India :
Today, a key challenge faced across multiple sectors looking to adopt IoT is its security concern. Even though the healthcare system today is steadily moving towards digital adoption, there is no policy, standard or governance framework with respect to management of IoT devices. With fast adoption of smart medical devices and digital pharmacies there is still no call for standardization from regulatory bodies such as NABH. 

There is still absence of a baseline criteria, labelling scheme available to test the security of these IoT-enabled medical devices imported, we still lack the digital risk element defined by the sectoral regulators making the situation tough as there is no audit framework to rely on.

IoT Compliance Frameworks :
Healthcare services that deal with ePHI are required to be  HIPAA  and  HITECH  compliant, though the current HiPAA regulations discuss the aspects of confidentiality, accessibility and integrity of e-PHI but they don't specifically address IoT devices, leaving unanswered questions like the need of an additional legislation concerning who will be responsible for the protection of ePHI and IoT.

Additional IoT regulations and vulnerability frameworks are put included or forth by  ENSI, ETSI, EU Cybersecurity Certification Framework, GDPR,  IOTSF, CCPA, NIST, OWASP IoT Top 10  etc. 

Recommendations: 

• Maintain an accurate inventory of devices.
  You can't secure what you can't see, hence, it's necessary for healthcare IT heads to develop an exhaustive map of all assets, especially considering that many devices are brought in without risk assessment like Alexa.
• Secure infrastructure, strong password : Implement and follow best security practices.
  Experts must follow best security  general security best practices for healthcare IoT devices and perform through risk assessment before device deployment, also continual network monitoring.
• Effective Authentication & Encryption.
  Implementing two factor authentication, deploying PKI and digital certificates are few methods to authenticate connections within the network and EHR, ensuring no data is manipulated avoiding any possibilities of MITM attacks.
• Accurate Network Segmentation and Security Implementation.
  Lack of network segmentation and access control has been a key reason for most of the previous healthcare cyberattack coz of IoT devices. The network administrator need to implement strict network policies to control lateral channel access. If any device is directly used for patient care, the admin can disable its capability to connect to the internet, allowing only under special circumstances by means of an allow list.

Conclusion 

As much is needed to have a standard guide for the IoMt development, the usage guideline is under similar scrutiny. Both need to be revised timely as per the evolving work environment. Today, its necessary to adapt effective security controls formed under unique constraints of IoMT development and assess the risk in their usage. The adoption would require a holistic approach towards vulnerability mitigation and assessment.

The upcoming network composition would mean that every device will represent a potential risk and can be a doorway to other network devices on the same network. User education on the best security practices as well as continual awareness of the IoT challenges and the use and conformance to the security standards by the multiple key segments like device manufacturers, communication and application developers and integration specialists.