By Daniel Norman, Research Analyst, ISF
The healthcare industry has been under immense pressure during the COVID-19 pandemic. Staff shortages, lack of medicine, hospital beds and personal protective equipment have pushed the healthcare services to breaking point. In addition to these clear operational concerns, threats from the cyber domain remain apparent, invasive, and in some cases, deadly. Over the coming years, these threats are expected to accelerate and proliferate the world over as far more invasive and automated technology makes its way into the operating room, the GP’s office and in some cases, the human body.
The healthcare industry is expansive and complex, ranging from hospitals and surgeries to GP services and care homes. Technology has frequently been the answer to historical dilemmas in this industry and the development of smarter technology has been accelerated by the COVID-19 pandemic, with the desire for (supposedly) safer and remote working environments being a top priority. Use cases for emerging technology range from adopting AI for diagnostics and imagery in radiology and neurosurgery, to remote or autonomous robotics for complex surgeries and implantable IoT devices for managing diabetes or coronary complications.
The dependency on the efficacy of technology has never had this many life-threatening implications before. The healthcare service will become critically dependent on technology for decision-making processes, such as leveraging semi-autonomous and autonomous robots during surgeries or IoT devices to pump medicine into the human body. These will be significantly handicapped should systems fail during surgeries or consultations or if robotics connected to poorly secured networks are targeted. Attackers will turn their attention to, once again, disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life.
In addition, a large number of care homes in Asia (especially Japan and South Korea) utilize autonomous robo-helpers, which have already been proven to be inherently insecure. These autonomous devices keep the elderly and vulnerable company, remind them to take their medicine and provide them with a means to communicate with their loved ones. With COVID-19 ushering in a new era for remote and socially distanced measures, the adoption rate for robo-helpers to replace humans will accelerate. There are significant privacy concerns, however, if attackers can hack into the helper and coerce the already vulnerable and non-tech-savvy individuals into giving up sensitive or financial information.
Additional risks regarding IoT devices embedded in the human body will develop, such as the requirements for patching, software updates, technical replacements and dependency on wireless network connectivity. For example, IoT devices embedded in the brain, heart or other organs will, in the future, be 5G-enabled, meaning that individuals can be monitored completely remotely. Primarily, this raises concerns over being fully dependent upon a 5G network to function but, in addition, there are privacy implications. Embedded devices will track and log users’ geolocation and a plethora of personal and physical information. Attackers already target sensitive healthcare information, and this just adds another element to the mix.
The healthcare services have an archaic approach to security awareness, education and training. With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is urgent. In addition, the safety and wellbeing of patients has historically been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online.
This is an exciting time for the healthcare industry but also a dangerous time. As technology-based solutions begin to proliferate, so will the risks and threats associated with them.
Daniel Norman is Research Analyst at the Information Security Forum.