Telehealth: What's at stake from a security standpoint?
In the face of the ongoing public health crisis, telehealth is experiencing an explosion in demand. And with this demand, there is no doubt that hackers will try to take advantage of a chaotic situation.
According to Natali Tshuva, CEO of IoT security company Sternum, more and more hackers are likely to target remote monitoring and medical devices, which could be dangerous, even lethal, for users.
I discussed what's at stake for telehealth with Natali. Her answers are both frightening and, hopefully, galvanizing for those concerned with data security.
GN: Explain the trial by fire telemedicine and telehealth are going through right now. What are the challenges of rapid adoption?
Natali Tshuva: We are clearly seeing an explosion in demand for telehealth and other digital health technologies in light of the COVID-19 pandemic. Public health officials are requiring everyone to stay home, including those that are sick or the "worried well," and at-home medical devices enable them to do so while helping to keep health systems from being overrun. Hospitals and health providers around the world are also rapidly integrating digital health technology as well to treat COVID-19 patients as best as possible without furthering the spread of the virus. The bottom line is that medical IoT (IoMT) devices are quickly becoming the solution, but that brings a host of challenges, especially on the security front.
There are many challenges to rapid adoption, including user accessibility due to lack of internet, insurance coverage, etc. But my biggest concern is security. While hospitals have continued to make stringent efforts to ensure security of their networks, particularly following notable ransomware attacks in the past few years, individual devices, at-home patient monitors, and remote-care devices have no embedded security and remain vulnerable. Such remote devices even lack the network security a hospital can provide for them if they were in a controlled environment. Therefore, developing real-time security for traditional IoT devices with increasingly more connectivity remains a major challenge for manufacturers seeking to rapidly deploy.
GN: What's at stake here from a security standpoint? What makes this tech particularly important to safeguard against breaches?
Natali Tshuva: To put it simply, human lives often depend on these devices and a successful attack could prove damaging to health or even deadly.
It's clear that cyber-criminals have shown no sign of slowing down malicious activity, despite the ongoing pandemic. We recently saw hackers attempt to infiltrate the US Health and Human Services Department, as well as send out fake text messages claiming a national quarantine was taking place. We also continue to see hackers actively attack hospitals, demanding ransom from dozens of medical institutions working on solving Corona, and targeting critical healthcare facilities across the globe. Now, as public health officials and health systems push telehealth in multiple countries, we are bound to see hackers target these devices more frequently.
The prospect of malicious actors targeting connected medical devices is terrifying for a number of reasons. Besides the fact that such attacks could be lethal, hackers can infiltrate these devices to steal personal health information (PHI) from users, demand ransom from devices manufacturers, or even use these vulnerable devices as potential gateways to infiltrate larger networks.
GN: What kinds of security attacks do you anticipate? What kinds of devices or protocols do you think are most vulnerable?
Natali Tshuva: There are a multitude of attacks hackers may attempt. They may perpetrate a ransomware attack, for instance, where they would effectively take control of a remote care device and demand money from the manufacturer in exchange for a return to normal operation. They could also infiltrate a device to steal a patient's PHI. Given that many of these devices contain a patient's vital and confidential health information, a breach could be quite consequential for both the user and the healthcare provider alike.
Any connected medical device could be at risk. This includes remote monitoring devices, pacemakers, insulin pumps, implanted defibrillators, glucose monitors, just to name a few. All it takes is one vulnerability, and to complicate this even further, it doesn't even need to be a manufacturer's vulnerability. Take "SweynTooth" for instance, which allows a hacker to suddenly stop an IoT device from working by exploiting a Bluetooth vulnerability in third-party code. The FDA warned of devices being at risk given this vulnerability alone, including the ones I just mentioned, and even larger devices in healthcare facilities such as ultrasound devices or monitors.
GN: How can we balance the need to rush telemedicine into existence with the need to keep patient data safely?
Natali Tshuva: The rush to cybersecurity should be as fast as the rush to telemedicine. Device manufacturers need to commit to true on-device protection, which is especially urgent as we face this pandemic. Because it takes the hack of only a single IoT device to risk potentially catastrophic damage, true IoT cybersecurity protection requires OEMs to implement solutions that protect individual devices, not just networks. PHI is only as secure as the weakest device, and the fast growth in medical IoT is only increasing the risks.
GN: What are some best practices for consumers who may now utilize telehealth?
Natali Tshuva: Consumers should continue to use telehealth and follow instructions from medical professionals as well as those from the manufacturer. Our job at Sternum is to make sure that all medical devices are as secure as possible, and we are working with device manufacturers to help them implement best-in-class cybersecurity on each and every device so consumers stay safe and healthy.