Protecting Health and Care from the Security Challenge of Connected Devices

Our world is more connected than at any point in human history. And that’s largely down to the role of technology. But like many aspects of innovation, it can bring new risks as well as rewards. These are particularly pronounced in the UK’s health and care sector. Whilst there are fantastic opportunities to improve patient care and clinician productivity, and drive cost efficiencies, there are also major cyber security challenges.

Tackling these will require a multi-layered approach informed by industry-wide frameworks and best practices, enlisting the help of third-party expertise where appropriate as an extension of the in-house IT team.

Connectivity everywhere

According to forecasts from leading analyst house Gartner, the world will be filled with as many as 25 billion connected “things” by the end of 2021. A big part of this surge is down to the Internet of Things (IoT): programmable gadgets, machines, sensors and other bits of hardware that collect data and transmit it to cloud servers for analysis and processing. In the health and care sector, an exciting new era of smart devices has begun to offer everything from automated insulin delivery (AID) and connected inhalers to smart pacemakers.

The potential benefits for providers are alluring. The data these devices generate could help specially trained AI algorithms spot serious health issues before they appear. The automation of day-to-day processes could also reduce human error in treatment, and free up clinicians’ time.

Aside from modern IoT devices, there may also be more legacy operational technology (OT) equipment used for diagnostics and monitoring: everything from MRI machines to electrocardiographs and ultrasound devices. As is often the way, new and old sit alongside each other on hospital networks. But where there is connectivity, there is risk—because it puts such devices within the reach of remote attackers.

OT is challenging

According to one 2019 study, 82% of health and care organisations have experienced a cyber attack against one of their IoT devices. But where are the risks and how might they affect your organisation? They include:

Patching challenges: Either vendors are slow to fix known issues—leaving a large window of opportunity for attacks—or hospitals find it difficult to apply the patches, as it would require taking critical systems offline to test. Sometimes it’s a combination of both.

Legacy systems: An extra vector for attacks could be the operating system on which an OT or IoT device is sitting. If it’s a relatively old device, it may only be compatible with a legacy Windows OS for which there are no longer any patches being produced.

Passwords: Some connected devices are simply not designed with security in mind. A typical issue is that they’re shipped with factory default and/or easy-to-guess passwords. These can be easily cracked by remote attackers.

Protocols: Many OT devices were built in an age when financially motivated cyber crime was not really the global concern it is today. That means they have little built-in protection and often use insecure communications protocols riddled with weaknesses.

These can all present challenges to health and care leaders and their IT teams. Although we’ve not yet seen a coordinated attack on connected devices in the sector, there’s a growing opportunity emerging. By hijacking devices through exploitation of any of the above vectors, cyber criminals could pivot to patient data stores, conscript the device into a botnet to attack others, or sabotage it to extort a ransom payment.


The MDR difference

There’s no silver bullet solution for such threats. Best practice security steps as advocated by Cyber Essentials Plus and the Data Security and Protection Toolkit (DSPT) will go a long way to mitigating the worst issues, including software vulnerabilities and weak passwords. Part of the challenge is that these devices are usually too underpowered to run endpoint security software, or are running an unsupported OS, making it more important to apply protection in the cloud and on networks, for example through device profiling and segmentation.

The National Cyber Security Centre (NCSC) has been involved in the development of a new international standard for connected devices, ETSI EN 303 645, which defines a range of new security measures. Covering 13 areas, the standard proposes (amongst others) a ban on universal default passwords and greater transparency on the minimum time for which the product will receive security updates.

The NHS secure boundary service is another important initiative to help secure the internet traffic flowing to and from connected devices. But it has been proven that even the best threat prevention technology is not enough to stop determined threat actors. This is where a managed detection and response (MDR) service can be a great addition for NHS IT organisations.

It amounts to a 24/7 security operations centre (SOC), offering threat detection and response for remote worker environments, on-premises desktops and servers, enterprise networks, public cloud, SaaS and IoT devices across both IT and OT environments. Because it’s a completely managed service, you save on the up-front costs of building and staffing the team and deploying the technology, whilst taking advantage of the economies of scale a specialist provider offers, and the enhanced visibility they have into multiple customer environments.

With Socura you get:

  • Reduced attacker dwell time from days to minutes. We detect the threat and can automatically contain it before it can seriously impact the organisation
  • Security telemetry data remains hot and instantly searchable for a year, for maximum visibility
  • A partner that works seamlessly as an extension of your in-house IT team

Let’s talk


14 Shepherdess Walk, Hoxton, London N1 7LB