5 Ugly Reasons Behind Healthcare IoT Vulnerabilities
Why have IoMT devices become the easiest entry point for attackers into healthcare institutions?
According to an IBM report, a data breach costs a medical institution an average of $7.13 million, and ransomware cost the healthcare industry approximately $21 billion in 2020. But beyond the financial loss, cyberattacks on the medical industry cause damage that cannot be accounted for: patients' lives are put at risk when emergency cases have to be transferred to other hospitals, critical operations are postponed, and important appointments are canceled. One of the most common methods attackers use is exploiting internet of medical things (IoMT) devices and medical instruments to deploy their attacks.
In this article, we will examine 5 reasons that make IoT devices the weakest link in the overall cyber security landscape in the healthcare industry.
1) Age of the IoMT Devices
Large and expensive IoMT devices like MRI machines, CT scanners, and X-ray machines have a lifespan of 15 to 20 years. But cybersecurity is a rapidly evolving field, and attackers come up with new methods at lightning speed. That means these long-lived IoMT devices cannot withstand the threats of today. Manufacturers are not to blame here: they cannot design a machine around future threats they know nothing about. That is why, at the end of their life cycle, IoMT devices are extremely vulnerable to the current generation of cyber threats.
Attackers know that. So it is easy for them to target old machines, inspect their outdated systems, and exploit the known vulnerabilities. The hardware components are not easy to upgrade without the vendor's support, and if you hire outsiders to do the upgrade, you might void the warranty. When it comes to software patching, IoMT devices bring challenges of their own, which brings us to the next point.
2) The Patching Hassles
In general, software updates are easier to install than hardware upgrades. But that is not the case with healthcare IoT devices. The update takes time, making the device unavailable for anywhere from a few minutes to a couple of hours. For busy clinics, especially those that treat emergency patients, it is difficult to take such a pause.
Another risk is losing data: the patching process might inadvertently delete what is stored on the device. IoMT devices hold sensitive healthcare data and patients' lifelong history of test results and diagnoses, which must be protected at any cost. That means you need to back up all of that data before patching, which is time-consuming and requires expensive servers or cloud platforms to hold the backups.
Example: According to Ordr's studies, one out of five devices was running on a legacy operating system, Windows 7 or older. That includes Windows 95, 97, 98, XP, ME, NT, and CE. It is well known that these operating systems suffer from severe security vulnerabilities and are at least a decade behind the latest cyber defenses. But updating operating systems is often risky, expensive, and time-consuming, and that is the reason 15-19% of businesses are still using them.
3) Staff’s Lack of Cyber-Awareness
Healthcare is one of the worst industries for work-life balance. Work hours and shift timings change frequently, the job is stressful, and staff are often overburdened. In this situation, expecting them to take cyber-awareness training and be tech savvy seems an unreasonable demand. Hence, attackers find healthcare workers easy victims for phishing, spam, and other scams.
In fact, staff negligence and internal misconduct were the main reasons behind 56% of all cyberattacks in the healthcare industry. One example of staff negligence appears in Ordr's research, which found that healthcare providers were browsing Facebook and YouTube on MRI and CT machines. Essential IoMT devices and non-essential devices like printers, security cameras, vending machines, and parking lot gates were using the same network. Yet 51% of IT teams never bother checking which devices are running on their network!
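As an added example (not from the article or from Ordr), here are the two inventory checks those findings call for, run over a constructed device list: the share of devices on a legacy operating system, and non-medical devices sharing a network segment with IoMT devices. The LEGACY_OS set, the MEDICAL_TYPES set, and the inventory itself are assumptions for illustration.

```python
from collections import defaultdict

# Operating systems the article lists as legacy (assumed set); anything else is treated as current.
LEGACY_OS = {"Windows 95", "Windows 97", "Windows 98", "Windows ME", "Windows NT",
             "Windows CE", "Windows XP", "Windows 7"}
# Device types treated as IoMT (assumed set).
MEDICAL_TYPES = {"MRI", "CT", "X-Ray", "infusion_pump"}

# Constructed sample inventory (host, type, OS, VLAN); not real data.
INVENTORY = [
    {"host": "mri-01", "type": "MRI", "os": "Windows 7", "vlan": 10},
    {"host": "ct-02", "type": "CT", "os": "Windows XP", "vlan": 10},
    {"host": "xray-03", "type": "X-Ray", "os": "Windows 10", "vlan": 20},
    {"host": "pump-04", "type": "infusion_pump", "os": "Linux", "vlan": 20},
    {"host": "printer-05", "type": "printer", "os": "embedded", "vlan": 10},
    {"host": "cam-06", "type": "camera", "os": "embedded", "vlan": 30},
    {"host": "vending-07", "type": "vending", "os": "embedded", "vlan": 20},
    {"host": "ws-08", "type": "workstation", "os": "Windows 10", "vlan": 40},
    {"host": "gate-09", "type": "parking_gate", "os": "embedded", "vlan": 30},
    {"host": "ehr-10", "type": "server", "os": "Linux", "vlan": 40},
]

def legacy_os_devices(inventory):
    """Hostnames of devices running an operating system in LEGACY_OS."""
    return sorted(d["host"] for d in inventory if d["os"] in LEGACY_OS)

def legacy_share(inventory):
    """Fraction of devices on a legacy OS (the article cites about one in five)."""
    if not inventory:
        return 0.0
    return len(legacy_os_devices(inventory)) / len(inventory)

def mixed_segments(inventory):
    """Map VLAN -> non-medical hosts that share it with at least one IoMT device."""
    by_vlan = defaultdict(list)
    for d in inventory:
        by_vlan[d["vlan"]].append(d)
    mixed = {}
    for vlan, devs in by_vlan.items():
        has_medical = any(d["type"] in MEDICAL_TYPES for d in devs)
        others = sorted(d["host"] for d in devs if d["type"] not in MEDICAL_TYPES)
        if has_medical and others:
            mixed[vlan] = others
    return mixed

if __name__ == "__main__":
    print("Legacy OS:", legacy_os_devices(INVENTORY), f"({legacy_share(INVENTORY):.0%})")
    for vlan, hosts in sorted(mixed_segments(INVENTORY).items()):
        print(f"VLAN {vlan}: non-medical devices sharing a segment with IoMT: {hosts}")
```

Each flagged VLAN is a segmentation gap to close; each flagged host is a device that needs a patch plan or compensating controls.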
4) Ransomware Attacks with "Guaranteed Returns"
Ransomware is attackers' favorite move when it comes to IoMT devices. According to Comparitech, 600 healthcare institutions were hit by 92 ransomware attacks in 2020. These attacks cost the organizations approximately $21 billion.
Once an attacker gains unauthorized access to a medical device, they can
• Disrupt its functioning,
• Shut it down temporarily,
• Make the stored data unavailable to view and use,
• Virtually lock or freeze the device,
• Alter the test results and other data.
If something like this happens, a healthcare organization has little time to respond, since every minute is a matter of life and death. If critical IoMT devices stop working, hospitals have to transfer critical patients to other hospitals, postpone emergency operations, and cancel important appointments. In short, a healthcare facility is in jeopardy unless it acts fast: either eradicate the attack or pay the ransom. Given the urgency of the situation, paying the ransom often seems the easy way out.
5) Budget Struggles
It's true that healthcare is one of the highest-revenue industries, but its expenses are huge, too. From paying high salaries to medical and paramedical staff to buying expensive medical devices and supplies, it has to deal with many inflated costs. That's why management often gives cybersecurity a low priority. Doing it properly means hiring a security team, a CISO, a CTO, MDR partners, pen testers or PTaaS providers, VMaaS providers, and so on. Plus, you need to buy security tools like vulnerability scanners, firewalls, anti-malware programs, and threat detectors. These expenses often seem unnecessary without any measurable ROI. That's why cybersecurity often takes a back seat, making the sector a soft target for attackers.
There are 10 to 15 million medical devices in U.S. hospitals, an average of 10 to 15 devices per patient. According to Deloitte's report, medical technology companies manufacture more than 500,000 different types of medical devices, and most patient interactions with the healthcare system involve the use of IoMT devices. The IoMT market will reach $158.1 billion in 2022.
It's a huge and attractive market for attackers. For all of the reasons above, securing the healthcare sector is already a challenge. So it is easy for attackers to find unpatched vulnerable devices, unsecured internet connections, and open ports on IoMT devices and compromise them.