I’ve been hanging around with folks during the past week who are thinking about healthcare IoT and security, and it’s pretty grim. I’ll write more on this in the future, but for now, here are a few things that should concern everyone.
I spoke with a security researcher and two hospital CISOs this week who all said they have gear running Windows ME or even Windows 95. Microsoft ended support for both of those operating systems years ago, so no security patches exist for them. Yet, in hospitals around the country, infusion pumps, MRI machines and other essential patient gear are running operating systems that have absolutely no support.
Hospitals are now targets for attackers, most often ransomware operators who lock up systems and demand payment to restore access. But as any security expert can tell you, the same vulnerabilities that let someone extort a hospital could just as easily be exploited not for profit, but to wreak havoc.
Attacking an infusion pump could dump 12 hours’ worth of medication into a patient all at once, possibly killing her. A hacked MRI might take an essential piece of equipment offline.
This is the stuff keeping hospital CISOs up at night. For security pros in factories, cities and other areas deploying connected devices, it offers a strong indicator of how essential good IT security will be to their own deployments.
The problems at hospitals stem from several factors that other industries also face. There is a rush to connect devices with an eye to improving overall outcomes and lowering costs. The equipment has to last 15 or 20 years, far longer than the operating systems it runs on stay supported. The industry is highly regulated. Profits in many hospitals are razor thin. Technology is not a core competency. In fact, in small and rural hospitals, there may not be a technology expert on staff at all.
Any one of these factors will make life for a CISO or someone charged with IT security inside a hospital difficult. All of them combined make the job seem impossible. And yet, it’s not a problem that can be ignored because the stakes are so high.
Many of these same dynamics play out in other industries such as power generation and delivery, automotive, and smart city deployments. Right now there is a failure to consider security, longevity of support, and a regulatory framework suited to a network of interconnected devices. But we’re adding things to the internet even so.
The healthcare industry is showing us how dangerous that really is.