One of the fundamentals of life is the tension between convenience and safety. We can see this in so many areas of life – fast food is convenient but unhealthy, crossing at the traffic lights would mean walking an extra 50m in the wrong direction, the television or tablet makes a great nanny to let busy parents get stuff done, but at what cost? The same can be said of companies – but here the tension is often between safety and speed of production, or safety and profitability. And consumers, in their turn, encourage such thinking by prioritizing extra features or a cheaper price over fundamental safety and security concerns.
This is the world in which the Internet of Things (IoT) has developed. One where security is rarely given a high priority. As Paul Vixie, Founder and CEO of Farsight Security, puts it, “IoT devices will have short product cycles, low margins, fast time-to-commodity, fast time-to-obsolescence, and large volumes. This leads to a perfect "zero-QA" storm”.
This tendency may be tenable in some areas of life, but as we watch the burgeoning industry of e-health develop, the question arises as to whether we really want our future health systems to be plagued with the kinds of problems that our PCs have suffered from for decades. In a world where we are becoming more and more dependent on connected services, connected infrastructure and now connected health services, it is imperative that the devices which are making those connections are secure enough to ensure both our safety and our security.
E-health: a lifeline, or putting life on the line?
E-health as an industry is still in its infancy, but the development is picking up speed rapidly. What started with the digitization of health records has now developed to encompass connected medical systems like remote ECGs, portable insulin pumps or other drug administration, implants like pacemakers, and life support machines, to name but a few of the applications. This is an exciting development, which can lead to far better, less invasive, treatment of a range of conditions, and the ability, for example, for older people in need of care to retain an autonomous lifestyle in their own home for as long as possible. The future for e-health is bright. But there are a few issues which need to be sorted out first.
When we think about e-health and IT security, perhaps the most telling examples of cyber attacks are those involving self-driving cars. Here, communities are demanding safety – both in terms of the capacity for the machine to make a mistake and for the machine to be abused by a hacker. If that is the case for a car, should it not also be the case for a hospital? And less sensational, but also a matter for concern, what happens when there is a data breach of medical records?
Who wants your medical data?
Let’s take a look at one seemingly innocuous device worn by millions around the world today: the fitness tracker. These devices record information about your biometrics, about the amount of exercise and sleep you get and your general condition. They also track your location. Combined with a calorie counter, they know pretty much everything you do in a week. And who other than you would be interested in this data? Well, there’s your health insurance company, for starters. Why else are they subsidizing the purchase of these devices? This data will give them a clear idea of how expensive a risk you may become, allowing them to charge you higher insurance premiums – meaning that they can place a monetary value on acquiring this data.
But as Maik Morgenstern from AV-Test points out, they’re not the only ones with an interest in your health: your bank may decide that you’re a bad risk on a long-term (or even a short-term) loan. Potential employers have an interest in knowing whether they are taking on a worker who will become a liability. And that’s only thinking about the legitimate data – what happens if a hacker threatens to manipulate your data to make it appear worse?
So, back to the fitness tracker. Peter Meyer, Head of Cyber Security Services at eco – Association of the Internet Industry, sees the need for international standards and certifications in IT security for the Internet of Things. This may solve the future problem, but as he says, it could well take a decade to become established. In the meantime, Statista set the shipments of healthcare wearables worldwide for 2015 at 34.25 million units. And according to IDTechEX, the worldwide market for wearables in 2017 will amount to approximately $35 bn, expected to rise to $150 bn in the next decade. These devices are being shipped without certification, and according to Peter Meyer, it may not even be possible to change the factory-set password for some of these, let alone take stronger security measures.
But looking at the burgeoning e-health industry, fitness trackers really are just the tip of the iceberg. Hans-Peter Bauer from Intel Security says that hackers are increasingly attacking the medical industry, and large caches of stolen medical records are being made available for purchase – for between $0.03 and $2.42 per record. “Unlike financial data, such as card numbers” he comments, “once medical or personal information is released to the public, it cannot be changed or replaced.” What’s more, he goes on to say that “cybercrime-as-a-service has become a normality in the cybercrime community, which is further helping the spread of such attacks. You do not need to be a proficient hacker to launch an attack, because cybercriminals support each other (for a price). Intel Security has identified cyber gang services available for hire specifically for the purpose of attacking health care organizations.”
Strengthening smart hospitals
The European Union Agency for Network and Information Security (ENISA) published a report in November 2016 on “Smart Hospitals – Security and Resilience for Smart Health Service and Infrastructures”. It lists the potential attack scenarios for smart hospitals as: social engineering attacks on hospital staff, tampering with medical devices, theft of hospital equipment, ransomware attacks on hospital information systems, and DDoS attacks on hospital servers. The list of actual cyber security incidents that have so far affected hospital operations includes a monitoring system being taken offline by a virus and an automated medication dispensing system being infected with malware. This makes it clear that it’s not only medical data which is at risk, but the entire operation of e-health services.
Dirk Kunze, Head of the Cyber Crime Competence Center for the State Police of North Rhine Westphalia, in Germany, admits that attacks against hospitals are among the incidents that give him sleepless nights: “Nearly one year ago, we had an attack [on] the Neuss hospital, where the hospital had to shut down nearly every single computer, every server, the whole IT infrastructure, and it wasn’t able to work. It’s a highly sophisticated hospital with no paperwork – everything is done electronically... So, if it's an emergency response hospital, and it has to refuse heart-attack patients and they have to travel thirty minutes farther to go to hospital, and they die because of that, then we are dealing with murder.”
Apart from strengthening the IoT devices themselves, Maik Morgenstern, who contributed to the ENISA study, recommends that it is important to “consider the overall security infrastructure: This should be hardened and improved so that an insecure device will not break the security of the whole hospital.” He goes on to say that it is essential that “even a smart hospital has to be designed so that all crucial tasks can still be performed without any of these smart or IoT devices ... All of the tasks that are performed with smart devices do require some sort of emergency plan, so that the most important tasks can still be carried out”. And it’s not only hardening the hospital-internal infrastructure that’s important, but also the networks through which data is being transported, according to Jeroen van de Lagemaat from NDIX – who recommends Ethernet communication platforms for the sharing of critical data between user communities, such as hospitals, medical services and emergency services of a given municipality, or even between municipalities.
Making the connected world safer
For Matteo Cagnazzo from if(is) and Markus Hertlein of XignSys, the focus is in the other direction – looking at how devices can be secured using multi-factor authentication and encryption to ensure only authorized personnel can get access to patient data. Cagnazzo also grapples with another health phenomenon of the modern world – the ageing population. “Familial bonds,” he explains, “are not as strong as they used to be – especially if you take a look at rural areas, where the younger people might go to the city and only the older people are staying in the rural part of the country – that’s something which has changed, and we need new approaches to elder care.” He offers insight into the if(is) ambient assisted living project Zelia, where the approach to monitoring of elderly patients is designed to be as un-invasive and secure as possible, tracking energy consumption rather than focusing on biometrics.
The eco Association is also contributing to an ambient assistant living project, Smart Service Power, which puts emphasis on data sharing and the participants’ access and control over their own data. eco will be providing the legal opinion for data privacy and data protection, and Dr. Bettina Horster, Director of Mobile at eco and Board Member at Vivai Software AG, says of the project: “Data autonomy is absolutely vital to us. While certifications can be a useful mechanism for ensuring security, the duration of such processes makes them less attractive for us. Time is of the essence in the development of innovative products and services. As a result, we see encryption as an excellent way of maintaining data security, without slowing the development process down excessively.”
Alexander Schlager from Verizon provides tips for securing the IoT ecosystem, looking at the layers from the network, applications, hardware, and physical security and on to the staff – be that of a hospital or an enterprise – commenting: “As use of IoT solutions become more wide spread within businesses ranging from healthcare and manufacturing, to energy and utilities, they will become core business enablers, and as such, the security of these elements should become a core business initiative and form a fundamental part of a businesses’ comprehensive security strategy.”
With e-health still in its infancy, and the Internet of Things behaving like an unruly pre-schooler, it is clear that a strong parental hand is needed to ensure they can develop safely. Such developments will, when achieved, benefit society as a whole; and it will require society as a whole – enterprises, service providers, hardware manufacturers, software vendors and end consumers alike – to join forces on securing this future.