The EU, through ENISA (the European Union Agency for Network and Information Security), has published a report that studies the IoT security challenges in hospitals. This move shows that the union is interested in getting a specialist perspective on the healthcare security problems that have plagued not only member states, but also international companies, institutions and organizations.
The EU Is Concerned About Healthcare IoT Security
The European Union has shown an active interest in strengthening the security environment around critical applications of IoT (Internet of Things) devices. The European Union Agency for Network and Information Security (ENISA) has produced a detailed study that analyzed in detail more than 10 hospitals across the whole union, presenting the current threats and the IoT infrastructure ecosystem that these institutions use. The case study gives a detailed overview of the most important issues that security experts face.
The data in the report confirms things that we have mentioned numerous times before – the fact that ransomware attacks against healthcare institutions are becoming more aggressive, and the increased activity of larger DDoS campaigns. These two threats alone can seriously disrupt the critical operations of major hospitals around the world.
The fact that hospitals worldwide are inclined to use advanced technology solutions such as remote medical care increases the likelihood of internet-based attacks. The hackers know that hospitals are easy targets because most of them do not have a sufficient budget to support an up-to-date security defense strategy. As a result, data breaches have become common around the world. Patient data and other sensitive information are often compromised in these attacks, which leads to serious privacy issues.
The study places an emphasis on the fact that hospitals are becoming much more complex and IT-driven institutions, defined as “smart hospitals”. The working definition that the ENISA specialists use is the following:
“A smart hospital is a hospital that relies on optimised and automated processes built on an ICT environment of interconnected assets, particularly based on Internet of things (IoT), to improve existing patient care procedures and introduce new capabilities”.
As such, they employ advanced technological devices and platforms to support their primary healthcare functions. There are several important asset types which must be well protected against hacker attacks and intrusions:
- Medical equipment for tele-monitoring and tele-diagnosis (e.g. measurements of blood pressure, heart rate, glucose measurements, ECG and other remote physiological measurements, threshold-triggered alarm)
- Medical equipment for distribution of drugs (automated dosing equipment) or to administer treatment
- Telehealth equipment, such as cameras, sensors and telephone/internet connections; telehealth computer system for patients to register their physiological measurements themselves (including patient-side application/software if applicable)
- Network medical devices such as wearable external devices and implantable devices
- System identification devices such as biometric scanners and smart badges
- Backend networking equipment
- Mobile client devices and applications
- Interconnected clinical information systems, the used data and all critical infrastructure
Healthcare IoT Threats and Attack Scenarios
The IoT security threats that have been identified by the ENISA experts fall under several categories:
- Malicious actions – these describe hacker attacks that include the spreading of malware such as worms, Trojans, viruses and rootkits, and the use of various exploit kits to locate software vulnerabilities which can be used to break into specific websites, applications or appliances. The researchers have specified that this field also includes hijacking attacks, tampering with medical devices and all forms of social engineering attacks. Financial crimes such as skimming and DDoS attacks are also addressed here.
- Human errors – this includes all manners of medical system configuration errors, unauthorized access control, non-compliance with security policies and physician and/or patient errors.
- System failure – these are critical incidents which include software failures, inadequate firmware, device failure, network component failure, insufficient maintenance, overload and breakdown of communication between IoT and non-IoT
- Supply chain failure – these are usually outside the direct control of the affected organization and include failures of cloud service providers, medical device vendors, power suppliers and network providers.
- Natural phenomena – earthquakes, floods and fires are included in this category.
Detailed attack scenarios and in-depth analyses are a key feature of the ENISA report.
The EU ENISA Executive Summary of the Healthcare IoT Threats
In recent years, many pervasive systems for healthcare have been proposed, discussed and sometimes realised. Pervasive healthcare is highly multifaceted, with many applications focusing on interoperability with the legacy hospital assets, the “traditional hospital”, the security and privacy of sensitive information and the usability of end users. The notion of smart hospitals is introduced when Internet of Things (IoT) components are supporting core functions of a hospital. Collaboration among various stakeholders, numerous interconnected assets and high flexibility requirements do not only lead to complexity and dynamics but also to blurred organisational boundaries. Due to the great number of significant assets at stake (patient life, sensitive personal information and financial resources) information security is a key issue for smart hospitals.
Threats to smart hospitals are, however, not limited to malicious actions in terms of their root cause. Human errors and system failures as well as third-party failures also play an important role. The risks that result from these threats and corresponding vulnerabilities are typically mitigated by a combination of organisational and technical security measures taken by smart hospitals which comprise good practices. With respect to organisational measures, compliance with standards, staff training and awareness raising, a sound security organisation, and the use of guidelines and good practices are particularly relevant. Relevant technical measures include network segmentation, asset and configuration management, and network monitoring and intrusion detection. However, manufacturers of information systems and devices used in smart hospitals have to take certain measures too. Among them are, for instance, building security into products from the outset, adopting secure coding practices and extensive testing.
Based on the analysis of documents and empirical data, and the detailed examination of attack scenarios found to be particularly relevant for smart hospitals, the study proposes key recommendations primarily for hospital executives. Namely hospitals should:
- Establish effective enterprise governance for cyber security
- Implement state-of-the-art security measures
- Provide specific IT security requirements for IoT components in the hospital
- Invest in NIS products
- Establish an information security sharing mechanism
- Conduct risk assessment and vulnerability assessment
- Perform penetration testing and auditing
- Support multi-stakeholder communication platforms (ISACs)
The study also makes recommendations for industry representatives in order to enhance the level of information security in smart hospitals. Namely industry players should:
- Incorporate security into existing quality assurance systems
- Consider applying medical device regulation to critical infrastructure components
- Support the adaptation of information security standards to healthcare
- Involve third parties (healthcare organisations) in testing activities
For more information you can read the whole report on ENISA’s site.