The Health Sector Cybersecurity Coordination Center (HC3) has issued a security notification warning the healthcare and public health sector about the risks posed by Internet of Things (IoT) devices, along with recommendations for strengthening IoT device security.
The Internet of Things (IoT) refers to physical devices that can exchange data or connect to other devices over the internet. Presently, approximately 7 billion devices are connected via IoT, and that number is likely to grow to 20 billion devices globally by 2025. These devices have sensors that gather data and connect online, and they include a broad range of "smart" appliances such as TVs, washing machines, Amazon Echo devices, doorbell cameras, wearable devices, and voice controllers. IoT devices are also used in industrial settings, and many medical devices use IoT. Although significant improvements have made IoT technology less expensive and more readily available, the primary architectural layers have mostly stayed the same, and there is increasing concern that the devices can provide an easy access point into healthcare systems.
The Threat of Cyberattacks Taking Advantage of Weak IoT Security
There is increasing concern about the security of IoT and the threat of cyberattacks that exploit IoT vulnerabilities. These attacks can take the form of distributed denial-of-service (DDoS) attacks, which flood IoT networks with traffic to disrupt communications. Threat actors also target IoT devices to add them to botnets used for large DDoS attacks on web applications.
Man-in-the-middle attacks may occur, in which attackers eavesdrop on legitimate communications and steal sensitive information or tamper with the communications. As with any software, attackers may identify vulnerabilities that can be exploited to gain unauthorized access to the devices. In the healthcare sector, IoT medical devices may be accessed, their functions altered to harm patients, or sensitive patient data stolen.
Although changing the default passwords on all devices is a common security practice, IoT devices often retain their factory settings, including default passwords. This leaves the devices exposed to brute force attacks, which can give threat actors access to the systems connected to them.
When IoT devices are not physically secured, they can be tampered with or have malware installed. The software on the devices can also be hijacked by forcing updates, causing doctored software, malware, or malicious drivers to be downloaded.
How to Reduce Threat from IoT Devices in Healthcare
The widespread use of IoT devices in healthcare has increased the attack surface significantly, giving threat actors a larger selection of devices to attack to obtain access to healthcare systems. If a healthcare organization has a flat network, where IoT devices, standard IT devices, and operational technology (OT) are all on the same network, access to one IoT device can let a threat actor move laterally and reach every device connected to the network. This is a major security risk, particularly given the comparatively weak security of IoT devices.
One important step to improve security is network segmentation, which reduces the attack surface. Network segmentation means dividing the network into zones or subnetworks. This can reduce congestion and limit the spread of failures. It also confines lateral movement: if an IoT device is compromised, it cannot be used to access other areas of the network.
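One way to check the segmentation described above, shown as an added example that is not part of the HC3 notification: it flags devices sitting in the wrong zone (a flat-network symptom) and flows that cross zones without an allowlist entry. The zone plan, allowlist, inventory, flow records and all names are constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumption): subnet -> device class that belongs there.
ZONES = {
    "10.10.0.0/24": "it",
    "10.20.0.0/24": "iot",
    "10.30.0.0/24": "ot",
}
# Constructed allowlist of inter-zone flows: (source class, destination IP, port).
ALLOWED = {("iot", "10.10.0.15", 443)}  # IoT devices may reach one collector only

# Constructed inventory and flow records (src IP, dst IP, dst port).
INVENTORY = [
    {"name": "infusion-pump-1", "ip": "10.20.0.21", "cls": "iot"},
    {"name": "badge-reader-3", "ip": "10.10.0.77", "cls": "iot"},  # sits in the IT zone
    {"name": "ehr-app-1", "ip": "10.10.0.15", "cls": "it"},
    {"name": "hvac-plc-1", "ip": "10.30.0.5", "cls": "ot"},
]
FLOWS = [
    ("10.20.0.21", "10.10.0.15", 443),   # allowlisted IoT -> IT flow
    ("10.20.0.21", "10.20.0.22", 8883),  # stays inside the IoT zone
    ("10.20.0.21", "10.30.0.5", 502),    # IoT -> OT, no allowlist entry
]

def zone_of(ip):
    """Return the class of the zone containing ip, or None if it is unzoned."""
    addr = ipaddress.ip_address(ip)
    for cidr, cls in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return cls
    return None

def misplaced_devices(inventory):
    """Names of devices whose class differs from the zone they are addressed in."""
    return [d["name"] for d in inventory if zone_of(d["ip"]) != d["cls"]]

def cross_zone_violations(flows):
    """Flows that leave the source zone without a matching allowlist entry."""
    bad = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone and (src_zone, dst, port) not in ALLOWED:
            bad.append((src, dst, port))
    return bad

if __name__ == "__main__":
    print("misplaced devices:", misplaced_devices(INVENTORY))
    print("cross-zone violations:", cross_zone_violations(FLOWS))
```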
HC3 recommended the following actions to reduce the threat from IoT devices:
- Modify default configurations – Change the default settings on routers, along with the privacy and security settings on every IoT device.
- Do not use Universal Plug and Play (UPnP) – UPnP can make office equipment susceptible to cyberattacks.
- Use strong passwords – Change default passwords, and set a unique, strong password on every device to reduce the chance of brute force attacks.
- Update software and firmware – All software and firmware must be kept up to date. The most recent releases include fixes for active exploits and vulnerabilities.
- Follow zero trust – Under the zero trust principle, nothing is inherently trustworthy, even when it is inside the network. Restrict access to resources to the few people who need it to carry out their job responsibilities.