In this exclusive piece, Zachary Amos, Editor of ReHack Magazine, shares his four tips for strengthening remote patient monitoring IoT devices.
The Internet of Things (IoT) has transformed monitoring, enabling medical providers to keep tabs on patients from afar. While this evolution is mainly positive, it does have a dark side. Security risks pose a financial threat and put patients at risk. How can decision-makers strengthen security?
Medical IoT devices are vulnerable to cyberattacks
The National Cyber Security Centre and the Department for Science, Innovation and Technology have developed security principles for IoT manufacturers. Therefore, a lack of built-in safety measures is no longer a significant pain point. However, Internet-connected devices remain vulnerable to cyberattacks.
Unpatched software vulnerabilities are a leading attack vector because they’re abundant and easy to uncover. Legacy IoT — systems that are outdated or no longer supported — often have forever-day vulnerabilities. If manufacturers or IT teams don’t address known security weaknesses promptly, attackers can exploit them.
IoT devices are constantly connected to the Internet and each other, increasing their visibility. Bad actors can use Shodan — a search engine for Internet-connected technologies — to seek specific vulnerabilities or patient monitoring tools. Upon finding one, they can exploit it.
Consequently, hackers can view patient health data without authorisation. They could also rope an Internet-connected machine into an IoT botnet to launch other attacks, causing patient monitoring devices to experience speed and performance issues. A distributed denial of service attack would have a similar effect.
Due to the remote nature of patient monitoring tools — and the sector’s widespread reliance on legacy systems — IT teams may be unable to detect a new connection. They likely won’t notice a bad actor tampering with their IoT ecosystem until they’re hit with ransomware or someone reports their device is malfunctioning.
Consequences of cyberattacks targeting IoT devices
National Health Service (NHS) hospitals and private medical institutions aren’t strangers to cyberattacks. Health care facilities continuously adopt new technologies, making management and monitoring more challenging. IT teams can’t keep up with the revolving door of new systems, software and tools, straining their — and patients’ — security and privacy.
IoT vulnerability exploitation enables communication interception, data manipulation, malware injection and system infiltration. Hackers can steal sensitive medical records, maliciously alter device data, launch cyberattacks or move through networks laterally.
Depending on whether patient data is affected, private practices could face regulatory action through the Data Protection Act and General Data Protection Regulation. Patients may initiate legal action to recover damages. In many cases, indirect harms like incident response costs, identity theft and public backlash are a given.
Tips for securing patient monitoring IoT devices
Patients are already wary of NHS data collection — 23% of survey respondents say they don’t want to share information, 14% are concerned about its protection capabilities and 10% are sceptical of its ability to access data. IoT manufacturers and medical providers must secure devices for remote monitoring to succeed and for people to feel secure.
1. Support multifactor authentication
Multifactor authentication requires a second device or account to enable logging in. IoT devices that come equipped with this authentication measure out of the box will be more secure. It makes leaked login credentials useless, rendering unauthorised access attempts ineffective.
2. Encrypt data at rest and in transit
In 2023, 50% of health care institutions in the United Kingdom experienced at least one internal data leak. Since hackers can use medical records, system information and login credentials to launch future attacks, providers should prioritise encryption.
Encryption converts plaintext into ciphertext, turning information into unreadable strings of numbers, letters and special characters. Utilising this tool at rest and in transit keeps patient data safe while processing on IoT devices and when shared with other systems.
3. Audit and review security logs
Remote patient monitoring technologies can generate a massive amount of information daily, making keeping up with security logs challenging. However, IT teams that pay close attention can recognise suspicious activity sooner, enabling a swift incident response.
IT teams that are understaffed or overwhelmed by their current responsibilities — a common theme among many in health care — should consider automating the process. Tools like robotic process automation and artificial intelligence can handle security log monitoring.
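As an added illustration (not part of the original article), the sketch below shows what automated log review can look like: it flags a connection to a monitoring device from an address outside its expected set, the "new connection" that goes unnoticed in the scenario described earlier, and repeated failed logins. The log format, device names, addresses and threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical gateway log format (not from a real product):
# "<timestamp> device=<id> src=<ip> event=<connect|auth_fail|auth_ok>"
SAMPLE_LOG = """\
2024-05-01T08:00:02Z device=rpm-017 src=10.20.0.5 event=connect
2024-05-01T08:00:03Z device=rpm-017 src=10.20.0.5 event=auth_ok
2024-05-01T09:14:40Z device=rpm-017 src=203.0.113.44 event=connect
2024-05-01T09:14:41Z device=rpm-017 src=203.0.113.44 event=auth_fail
2024-05-01T09:14:43Z device=rpm-017 src=203.0.113.44 event=auth_fail
2024-05-01T09:14:46Z device=rpm-017 src=203.0.113.44 event=auth_fail
2024-05-01T09:30:00Z device=rpm-022 src=10.20.0.5 event=connect
garbled line that must be counted, not silently dropped
"""

# Assumed allowlist: which source addresses are expected to reach each device.
BASELINE = {"rpm-017": {"10.20.0.5"}, "rpm-022": {"10.20.0.5"}}

LINE_RE = re.compile(
    r"^(\S+) device=(\S+) src=(\S+) event=(connect|auth_fail|auth_ok)$")

def review(log_text, baseline, fail_threshold=3):
    """Return (alerts, unparsed_count) for one batch of log lines."""
    alerts, unparsed = [], 0
    seen_new = set()            # (device, src) pairs already reported as new
    fails = defaultdict(int)    # consecutive auth failures per (device, src)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1       # surface parse gaps so blind spots are visible
            continue
        ts, device, src, event = m.groups()
        key = (device, src)
        if event == "connect":
            # A device missing from the baseline has no expected peers,
            # so every source that reaches it is reported.
            if src not in baseline.get(device, set()) and key not in seen_new:
                seen_new.add(key)
                alerts.append((ts, device, src, "new_connection"))
        elif event == "auth_fail":
            fails[key] += 1
            if fails[key] == fail_threshold:   # alert once, at the threshold
                alerts.append((ts, device, src, "repeated_auth_failure"))
        else:                                  # auth_ok resets the streak
            fails[key] = 0
    return alerts, unparsed

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, BASELINE)[0]:
        print(*alert)
```

The unparsed count is returned alongside the alerts so that a change in a device's log format shows up as a number to investigate rather than as silence.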
4. Limit third-party integrations
While third-party vendors make managing and monitoring IoT ecosystems easier, they also open providers up to unnecessary security risks. Decision-makers should limit the number of integrations they utilise. For those they do allow, thorough vetting is critical.
Deploying additional security measures is a must
While regulatory agencies work tirelessly to adapt legislation to cover ever-evolving medical technologies, gaps in their safeguards are inevitable. IoT manufacturers and providers must bridge them to minimise cyberattack-related damages and protect patients.