HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HC3 Warns About Risks of IoT in Healthcare

The Health Sector Cybersecurity Coordination Center (HC3) has published a security advisory warning the healthcare and public health sector about the risks associated with Internet of Things (IoT) devices and has made recommendations for improving the security of IoT devices.

The Internet of Things (IoT) refers to physical devices that have the capability to exchange data or connect to other devices over the Internet. Currently, there are around 7 billion devices that are connected through IoT, and IoT device use is expected to increase to 20 billion devices worldwide by 2025. These devices use sensors to collect data and communicate over the Internet and include a wide range of “smart” appliances such as TVs and washing machines, doorbell cameras, Amazon Echo devices, voice controllers, and wearable devices. IoT devices are used in industrial settings and many medical devices use IoT. While there have been major advances in IoT technology in recent years to make the technology cheaper and more accessible, the main architectural layers have largely remained unchanged and there is growing concern that the devices could provide an easy entry point into healthcare networks.

Risk of Cyberattacks Exploiting Weak IoT Security

There is growing concern over the security of IoT and the risk of cyberattacks exploiting IoT vulnerabilities. These attacks could take the form of Distributed Denial of Service (DDoS) attacks, which flood IoT networks with traffic to prevent communications. IoT devices are being targeted by threat actors to add them to botnets for conducting large-scale DDoS attacks on web applications.

Man-in-the-middle attacks can occur, where bad actors eavesdrop on legitimate communications and steal sensitive data or tamper with communications. Just as with software solutions, vulnerabilities can exist that can be exploited by bad actors to gain unauthorized access to the devices. In healthcare, IoT medical devices could be accessed, the functions of the devices changed to cause harm to patients, or sensitive patient information could be stolen.


While it is a standard security best practice to change default passwords on all devices, IoT devices are often left with factory settings, including default passwords. This makes the devices vulnerable to brute force attacks, which can give threat actors access to the networks to which the devices connect.

If IoT devices are not physically secured, they could be tampered with or have malware installed. The firmware on the devices can be hijacked by forcing the devices to perform updates to download doctored firmware, malicious drivers, or malware.

How to Minimize Risk from IoT Devices in Healthcare

The high rate of adoption of IoT devices in healthcare has widened the attack surface considerably, giving bad actors a much broader range of devices to attack to gain access to healthcare networks. If healthcare organizations have a flat network, where IoT devices, standard IT devices, and operational technology (OT) are all on the same network, gaining access to an IoT device could allow a threat actor to move laterally and access all devices on the network. This is a major security risk, especially considering the relative lack of security on IoT devices.

One of the most important steps to take to improve security is to implement network segmentation to reduce the attack surface. With network segmentation, the network is divided into subnetworks or zones. This can reduce congestion and limit failures, but also limits lateral movement. If an IoT device is compromised, it cannot be used to access other parts of the network.
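The segmentation control described above is only as good as the policy that is enforced between zones, so a practical check is to compare observed inter-zone traffic against the allow-list. The following is an added example, not code from HC3 or HIPAA Journal: the zone subnets, the allow-list and the flow records are all constructed for illustration. It parses a handful of flow lines, maps each endpoint to its zone and reports any cross-zone connection that the segmentation policy does not permit, which is exactly the lateral movement the paragraph warns about.

```python
"""Flag inter-zone flows that a segmented healthcare network should block.

Added example (not HC3's or HIPAA Journal's code). Zones, the allow-list
and the sample flow records below are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone layout: which subnets belong to which segment.
ZONES = {
    "iot": [ip_network("10.30.0.0/16")],       # medical and building IoT
    "clinical": [ip_network("10.10.0.0/16")],  # EHR, PACS, clinical workstations
    "it": [ip_network("10.20.0.0/16")],        # general office IT
    "mgmt": [ip_network("10.250.0.0/24")],     # jump hosts, telemetry broker
}

# Hypothetical allow-list of (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is a segmentation violation.
ALLOWED = {
    ("iot", "mgmt", 8883),   # devices publish telemetry to the MQTT broker
    ("mgmt", "iot", 22),     # administrators reach devices from a jump host
    ("it", "clinical", 443), # office users reach the clinical web portal
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Return the zone name for an address, or 'unknown' if unmapped."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flow_line(line: str) -> Flow:
    """Parse the constructed flow format '<src>:<sport> -> <dst>:<dport>'."""
    left, right = line.split("->")
    src = left.strip().rsplit(":", 1)[0]
    dst, dport = right.strip().rsplit(":", 1)
    return Flow(src, dst, int(dport))


def find_violations(lines):
    """Return (flow, src_zone, dst_zone) for each cross-zone flow not allowed."""
    violations = []
    for line in lines:
        flow = parse_flow_line(line)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is not a segmentation question
        if (src_zone, dst_zone, flow.dport) not in ALLOWED:
            violations.append((flow, src_zone, dst_zone))
    return violations


def summarize(violations):
    """Count violations per (source zone, destination zone) pair."""
    return Counter((src_zone, dst_zone) for _, src_zone, dst_zone in violations)


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.30.4.17:49152 -> 10.250.0.5:8883",   # iot -> mgmt telemetry: allowed
    "10.30.4.17:49153 -> 10.10.2.8:445",     # iot -> clinical SMB: violation
    "10.30.4.17:49154 -> 10.30.4.200:80",    # iot -> iot: intra-zone, ignored
    "10.20.1.9:51000 -> 10.10.2.8:443",      # it -> clinical HTTPS: allowed
    "10.30.9.3:50000 -> 10.20.1.9:3389",     # iot -> it RDP: violation
    "10.250.0.5:40000 -> 10.30.4.17:22",     # mgmt -> iot SSH: allowed
]

if __name__ == "__main__":
    for flow, src_zone, dst_zone in find_violations(SAMPLE_FLOWS):
        print(f"BLOCKED-BY-POLICY? {src_zone}->{dst_zone} "
              f"{flow.src} -> {flow.dst}:{flow.dport}")
    print(dict(summarize(find_violations(SAMPLE_FLOWS))))
```

Run against real flow exports, a non-empty result means either the segmentation enforcement has a gap or the allow-list is incomplete; both are worth a ticket, and a sudden rise in iot-to-clinical entries is a useful detection signal for a compromised device.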

HC3 makes several other recommendations for reducing the risk from IoT devices.

  • Change default settings – Default settings on routers should be changed along with the privacy and security settings on all IoT devices.
  • Set strong passwords – Default passwords should be changed, and a unique, strong password should be used for all devices to reduce the risk of brute force attacks.
  • Avoid Universal Plug and Play (UPnP) – UPnP can leave office equipment vulnerable to cyberattacks.
  • Update all software and firmware – All software and firmware should be kept up to date. The latest releases contain fixes for known vulnerabilities, including those that are being actively exploited.
  • Adopt zero trust – Adopt the principle of zero trust, which means nothing is inherently trusted, even if it is within the network. Limit access to resources to the small number of individuals who require access to perform their work duties.
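The recommendations above lend themselves to a fleet-wide audit rather than a device-by-device review. The following is an added example, not code from HC3 or HIPAA Journal: it runs a constructed device inventory through checks that correspond to the list (factory credentials still in use, the same password reused on several devices, UPnP enabled, stale firmware, devices outside the IoT segment, and more administrator accounts than least privilege warrants). The inventory format, the device names, the thresholds and the reference date are all assumptions made for the example; credentials themselves are never stored, only a hash fingerprint so reuse can be detected without the secret.

```python
"""Audit a device inventory against the HC3-style recommendations above.

Added example (not HC3's or HIPAA Journal's code). Inventory format,
thresholds, device names and dates are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

MAX_FIRMWARE_AGE_DAYS = 180   # hypothetical patch-currency threshold
MAX_ADMIN_ACCOUNTS = 3        # hypothetical least-privilege threshold
EXPECTED_ZONE = "iot"         # segment IoT devices are supposed to live in

# Constructed inventory. 'cred_fingerprint' is a hash of the device
# credential kept by the asset system, never the password itself.
INVENTORY = [
    {"name": "infusion-pump-01", "zone": "iot", "default_creds": False,
     "cred_fingerprint": "fp-3f9c", "upnp": False,
     "firmware_date": date(2022, 12, 10), "admins": ["biomed1"]},
    {"name": "smart-tv-lobby", "zone": "it", "default_creds": True,
     "cred_fingerprint": "fp-default", "upnp": True,
     "firmware_date": date(2021, 6, 15), "admins": ["facilities"]},
    {"name": "doorbell-cam-02", "zone": "iot", "default_creds": False,
     "cred_fingerprint": "fp-7a21", "upnp": False,
     "firmware_date": date(2023, 1, 20),
     "admins": ["sec1", "sec2", "sec3", "sec4"]},
    {"name": "patient-monitor-07", "zone": "iot", "default_creds": False,
     "cred_fingerprint": "fp-7a21", "upnp": False,
     "firmware_date": date(2022, 11, 1), "admins": ["biomed1"]},
]


def audit(devices, today):
    """Return a list of (device name, finding code) for every failed check."""
    findings = []

    # Group devices by credential fingerprint to detect password reuse
    # across the fleet (the 'unique password per device' recommendation).
    by_fingerprint = defaultdict(list)
    for d in devices:
        by_fingerprint[d["cred_fingerprint"]].append(d["name"])

    for d in devices:
        name = d["name"]
        if d["default_creds"]:
            findings.append((name, "default-credentials"))
        if len(by_fingerprint[d["cred_fingerprint"]]) > 1:
            findings.append((name, "password-reused"))
        if d["upnp"]:
            findings.append((name, "upnp-enabled"))
        if (today - d["firmware_date"]).days > MAX_FIRMWARE_AGE_DAYS:
            findings.append((name, "firmware-stale"))
        if d["zone"] != EXPECTED_ZONE:
            findings.append((name, "not-segmented"))
        if len(d["admins"]) > MAX_ADMIN_ACCOUNTS:
            findings.append((name, "too-many-admins"))
    return findings


def findings_by_device(findings):
    """Regroup the flat findings list into {device: [codes]} for reporting."""
    grouped = defaultdict(list)
    for name, code in findings:
        grouped[name].append(code)
    return dict(grouped)


# Constructed reference date so the firmware-age check is deterministic.
AUDIT_DATE = date(2023, 3, 1)

if __name__ == "__main__":
    for name, codes in findings_by_device(audit(INVENTORY, AUDIT_DATE)).items():
        print(f"{name}: {', '.join(codes)}")
```

The password-reuse check is the one that is easy to miss in a manual review: each device may look fine on its own, and only comparing fingerprints across the whole inventory shows that a credential compromised on one device opens others.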

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.