HC3 Warns Healthcare Organizations Of IoT Security Risks

A security advisory alert has been issued by the Health Sector Cybersecurity Coordination Center (HC3) warning organizations in the healthcare and public health industry about the dangers posed by Internet of Things (IoT) devices and has offered suggestions for improving the security of the devices. 

The Internet of Things describes physical devices with software, sensors and other technologies that connect and exchange information with other devices and systems via the internet. There are currently approximately 7 billion devices that utilize IoT. The number of IoT devices is expected to increase dramatically over the coming years. IoT devices are utilized in several industries including industrial, healthcare, and consumer markets. These include devices such as thermostats, cameras, and home security, which can be operated using smartphones or smart speakers like the Amazon Echo. 

Due to the rapid growth in IoT use, concerns have been raised regarding the technology’s privacy and security. Cybercriminals can exploit vulnerabilities to gain access to the data the IoT devices communicate. Cyberattacks can come in the form of Denial of Service (DDoS) attacks, in which an attacker floods a device’s network with internet traffic to prohibit users from gaining access to connected online services and sites. Other cyberattacks include man-in-the-middle attacks, in which the attacker relays and potentially alters communications between two parties who believe they are only communicating with each other. The vulnerabilities within the security of IoT is especially concerning for IoT healthcare devices. Cybercriminals could gain access to the communicated information and inflict harm on the patient.  

In order to reduce risk from IoT healthcare devices, healthcare organizations should implement network segmentation to mitigate the attack surface. If the IoT device operates in connection with standard IT devices and operational technology on the same flat network, hackers could gain access to the organization’s whole network using only one IoT device. Network segmentation divides the network into subnetworks, preventing failures and congestion, and also restricting lateral mobility. This ensures that the hacker of the IoT device cannot gain access to other parts of the network.  

Although it is generally recommended to update default passwords on all devices, IoT devices are frequently provided with factory default passwords. Due to this, malicious actors may be able to penetrate the systems that the devices are connected to by brute force assaults. HC3 recommends organizations to implement unique and strong passwords. IoT device users must also ensure the device is physically secured, otherwise hackers may have the opportunity to install firmware and force the device to download malicious softwares. 

Other HC3 recommendations include avoiding the use of Universal Plug and Play, which can leave office equipment subject to cyberattacks. Organizations have also been advised to update all software and firmware and adopt the zero trust principle, in which access to resources is restricted to a reduced number of individuals who require access to operate.