Dammit, Man! I’m a Doctor, Not an IT Admin!
To be fair, healthcare workers are focused on patient health and not on IT. Internet-connected healthcare equipment allows hospitals to be more efficient and allows healthcare workers to spend more time with patients.
Simple IoT device sensors keep track of patient heart rates. Semi-smart IoT devices can detect anomalies in vital signs remotely and alert healthcare practitioners of an impending crisis. And intelligent IoT systems can use back-end systems to quickly stitch patient health snapshots together and help keep tidy medical and efficient billing records.
As a result the global IoT healthcare market is expected to grow at a significant rate over the next five years. Remote monitoring of patients will increase from 14.3 million worldwide in 2014 to 78.5 million by 2020, according to market research firm Tractica. Diagnostic and wearable IoT test equipment will help move the needle on total global laboratory test throughput by more than 3.02 billion diagnostic tests over the next 5 years, according ABI Research.
No one is arguing IoT is a bad thing. The problem is figuring out who is in charge of IoT, said Pedro Abreu, chief of strategy at the security firm ForeScout. “Ask the IT department who is in charge when it comes to network security and they will look at you like you’re crazy for asking. Ask who is in charge of IoT security and you’ll get a blank look in their face,” Abreu said.
As Cyber Risk Management’s Chon explained, “As a lot of hospital equipment is being connected to the network for convenience of data transfers, centralized management and cost reductions, but there is not enough recognition that companies are creating additional exposure for patient data.”
The logical fix for infected IoT gear is to scrub the equipment of the malware and add security software. But that’s rarely an option. In many cases, when hospitals become aware of malware infection on MRI machines, ultrasound equipment and drug pumps their hands are tied by Federal Drug Administration rules that prevent changes in equipment software.
“The FDA has strict rules and regulations about medical devices and what updates, firmware or patches can be applied to those systems,” Chon said. “When an MRI machine gets approved by the FDA it’s considered a diagnostic equipment or a treatment. FDA rules state any changes made to that system have to go back through the FDA certification process,” he said.
In its report MedJack, TrapX describes a hospital that had an infected MRI machine that couldn’t be taken offline to be disinfected because it was needed for patients with urgent care needs. The hospital’s remedy was to replace the MRI machine weeks later with a new one that lacked the same basic security defenses as the prior MRI machine.
Source: TrapX Research Labs, MEDJACK.2 Hospitals Under Siege
The Cure
There are varying ways to treat the problem of vulnerable IoT medical devices, say security experts. The problem is the vast majority of IoT run on a mismatch of operating systems. Some of the simplest IoT devices (or machine-to-machine) devices lacking adequate processing power and storage to host endpoint security software.
IBM advocates a Big Data approach where networks and IoT devices running on those networks are profiled and analyzed to create baseline security expectations.
IT admins need to monitor the network leading to and coming from IoT devices and capture events from it, said Chris Poulin, research strategist, IBM X-Force Security. “We need to know the devices performance characteristics. Does it use HTTP or MQTP? What other type of protocols does it use? What networks and gateways does the device use? What is the device’s power profile?”
Any abnormality in a network’s or IoT device’s profile should sound the alarm of a possible security breach, he said.
Another approach to IoT security is being floated by industry heavyweights such as Cisco Systems that want to embed security on every IoT device at the microprocessor level. Called Manufacturer Usage Description Framework (MUD), this initiative attempts create a resource on every internet-connected thing that links to the manufacturer’s description of the device’s operating parameters.
“The convenient thing is that many Things probably only have a small set of uses. A printer prints and maybe scans, thermostat like a Nest controls the temperature in your house, and a baby monitor monitors babies,” writes Eliot Lear, senior internet engineer and policy expert at Cisco, in a blog outlining MUD.
“The people who know about those small number of ways (Things work) are most likely the manufacturers of the devices themselves. If this is the case, then what we need is a way for manufacturers to tell firewalls and other systems what those ways are, and what ways are particularly unsafe for a device. This isn’t much different from a usage label that you get with medicine,” Lear wrote.
Lear, who submitted MUD to the Internet Engineering Task Force as a proposed device framework, compares MUD to giving devices Universal Resource Identifiers (URI).
“In this scenario the MRI machine, the X-ray equipment and dialysis pump all have their own swim lanes. The MUD (URI) profile limits the function and reach of a device preventing a hacker’s ability to control and manipulate the hardware,” said Marc Blackmer, product marketing manager, Industry Solutions at Cisco.
Blackmer acknowledged the MUD solution, if ratified by the IETF, is not an overnight solution. “The security world has to catch up to the incredible scale of IoT,” he said. In the interim, he advocates, basic security blocking and tackling. Too often IoT gear is erroneously put on a network with default settings and all features turned on.
“Just because an ultrasound machine has a NIC card, MAC address, and an IP address doesn’t mean it needs to be connected to the entire hospital network,” Blackmer said.
