When Amazon launched as an online bookstore twenty-eight years ago, few would have imagined that patients could one day go to its website to treat their acid reflux. But times change. Amazon just expanded its virtual healthcare marketplace, Amazon Clinic. Across the U.S., customers can now consult with clinicians through virtual calls and get treatment for over 30 types of common health concerns.
It’s outstanding that you can get drops for pink eye without having to leave your home, but Amazon’s new service underscores that healthcare technology opens up serious cybersecurity risks. What happens when the data platform housing your treatment history is exposed in a global breach? And what steps can be taken to prevent this?
Health Sector Trends
Like Amazon Clinic, healthcare IoT devices have driven enormous innovation. A 2021 NIH study even found that the use of this technology improved healthcare performance during the COVID-19 pandemic.
Major Observations
The pandemic also made the health sector a target, though. As Check Point, a cybersecurity solutions provider, found in a report, the healthcare sector saw a 69% increase in cyberattacks from 2021 to 2022, the highest increase of any sector.
A joint report recently released by Health-ISAC, Finite State, and Securin came to similar conclusions. It examined the state of cybersecurity for medical devices and healthcare systems in 2023, analyzing credible public disclosures of cybersecurity vulnerabilities across 117 medical application vendors and 966 products. 993 vulnerabilities were found in 2023, 160 of which were weaponized. This is a 59% increase from 2022, when 624 total vulnerabilities were found.
Cyber Incidents by Category and Product: Health-ISAC, Finite State, and Securin Report
Software applications accounted for 64% of the vulnerabilities found in the joint report, with over 600 total incidents. In the health sector, these applications are indispensable for patients since medical devices like infusion pumps rely on them. Software applications are also used for scheduling and record-keeping, which makes a possible cyberattack all the more destructive.
Hardware, like computers or life support machines, followed at a distance with 269 incidents (27%). Operating systems saw only 93 incidents (9%). Nevertheless, vulnerabilities in any of these layers can seriously compromise patient outcomes, cause operational disruptions, and result in non-compliance with data protection regulations.
According to the report, healthcare IT, such as electronic health records and database management, accounted for 741 vulnerabilities. Spread across 538 products, these vulnerabilities raise serious concerns over patient privacy and sensitive medical data. Data encryption and strict access controls can mitigate some of these risks.
Moderate-risk medical devices, such as CT scanners or anesthesia monitors, came in second at 292 vulnerabilities, according to the joint report. 129 of those vulnerabilities were attributed to medical monitoring/telemetry devices like blood pressure monitors. While just two vulnerabilities were reported for life-saving devices, the report noted that ransomware poses an increasing threat to healthcare providers. The findings mirror a July EU report on cyber threats in the health sector, which found that ransomware made up 54% of all cyber incidents reported by EU member states and neighbors.
Pivotal Events
The MOVEit Breach
The global MOVEit cyberattack linked to the Russian cybercrime group Cl0p is a noteworthy example of how such breaches reach the health sector. In the U.S., the incident impacted federal government agencies, state agencies, educational institutions, and private companies, among other victims. As the full extent of the cyberattack becomes clearer, further impacts have come to light.
PH Tech, a provider of data management services to health insurers, released a notice confirming it was impacted by the incident. A hacker used the compromised MOVEit file transfer software to access files containing personal information and some private health records. These included member ID numbers, Social Security numbers, and claim information.
Following the incident, the Oregon Health Authority issued a bulletin stating that members of the Oregon Health Plan, which uses PH Tech, were among those affected by the breach, a total of 1.7 million people.
The Illumina Recall
One serious incident came in April, when a critical vulnerability affecting the Universal Copy Service in Illumina sequencing instruments prompted the U.S. Food and Drug Administration to issue a Class II recall of the DNA genetic testing instruments.
While no known exploitation occurred, the vulnerability could have allowed a threat actor to take control of an instrument remotely, alter settings and configurations, expose data, or even tamper with genomic data results. That last possibility would have been catastrophic for patients relying on those results for medical treatment, conjuring up images of the Theranos scam. Illumina developed a software patch to fix the flaw.
The Cybersecurity and Infrastructure Security Agency became involved once Illumina reported the vulnerability to the agency. CISA released an advisory of its own, recommending that users minimize network exposure for all control systems and devices, place them behind firewalls isolated from business networks, and use VPNs when remote access is required.
Government Action
New FDA Guidance
A key government action came in late March, when the FDA published new guidance that requires medical device makers to meet certain cybersecurity requirements when submitting new product applications. Companies must submit a plan describing how they will monitor for cybersecurity incidents; maintain a reasonable level of cybersecurity by offering updates and software patches after release; and provide a software bill of materials.
The White House and Congress
A Biden administration initiative could have an even greater impact on healthcare IoT devices. The Federal Communications Commission’s cybersecurity labeling proposal would apply a cybersecurity safety logo to devices that meet standards defined by the National Institute of Standards and Technology. Eligible devices include smart refrigerators and thermostats, but also glucose monitors and pacemakers. The goal is to give consumers more transparency so they can choose products that are better secured against cyberattacks. The program also gives companies an incentive to improve their cybersecurity practices, since labeled products are likely to be more marketable.
Congress is playing a role in the push to secure IoT devices as well. For example, Congresswoman Suzan DelBene (D-WA), founder of the House IoT Caucus, introduced the IoT Readiness Act of 2023 in February. The act would require the FCC to track data on the use of IoT devices in order to identify the amount of electromagnetic spectrum required to meet the demand generated by such use. The FCC would also have to submit reports on this data to Congress every two years.
The Path Forward
Healthcare IoT devices have revolutionized patient outcomes and have the potential to significantly advance monitoring, diagnosis, and treatment across the health sector. However, they are especially susceptible to exploitation in this environment. Nowhere are the impacts of cyber incidents more profound, since patients rely on life-supporting medical treatment and on confidentiality. The path forward requires a diverse approach, with special attention paid to the growing ransomware threat. Companies will bolster their threat intelligence practices and regularly update software; government agencies will issue apt guidelines and regulations; and the public will become more informed consumers.