Page 183 - ITU KALEIDOSCOPE, ATLANTA 2019
CYBER-SAFETY IN HEALTHCARE IOT
Duncan Sparrell¹
¹ sFractal Consulting, United States
ABSTRACT

Healthcare is becoming more connected. Risks to patient and public safety are increasing due to cybersecurity attacks. To best thwart cyberattacks, the Internet of health things (IoHT) must respond at machine speed. Cybersecurity standards being developed today will enable future IoHT systems to automatically adapt to cybersecurity threats in real time, based on a quantitative analysis of reasonable mitigations, performing triage to economically optimize the overall healthcare outcome. This paper will discuss cybersecurity threats, risk, health impact, and how future IoHT cybersecurity systems will adapt to threats in real time.

Keywords – Cyber-safety, healthcare, Internet of things

1. INTRODUCTION

If “software is eating the world” [1], then the Internet of things (IoT) is blanketing the world. International Telecommunication Union (ITU), Recommendation ITU-T Y.2060 defines an IoT device as a “piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage and data processing.” [2]. This paper defines the Internet of health things (IoHT) as all ITU-T Y.2060 IoT devices used in healthcare and ambient assisted living [3]. This definition is broader than implantable medical devices and includes care, diagnostic, ambient-assisted and administrative devices, since they all could potentially affect patient health if exploited. “While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm,” said Amy Abernethy, M.D., Ph.D., the United States (US) Food and Drug Administration (FDA) principal deputy commissioner [4]. IoHT is the merging of the information technology (IT) world with the operational technology (OT) world to bring about increased innovation, efficiency and quality of healthcare [5-11].

As IoT pervades the healthcare industry, cybersecurity in IoHT must evolve both to recognize new threats and to recognize different consequences, i.e. the impact on patient health. This paper will discuss trends that, when combined, will make IoHT safer, and demonstrate the important role cybersecurity standards will play as cybersecurity evolves from ancillary to safety critical. IAmTheCavalry.org was founded to focus on the intersection of computer security and public safety. “IoT is where bits and bytes meet flesh and blood” [12].

2. THREATS

Over 90% of healthcare institutions have been attacked [13]. The impact of failed security is increasing as well. At the RSA Conference USA in 2018, hackers “killed” (simulated) patients without the doctors even being aware that the operating room (OR) had been hacked [14]. Marathons affect patient care through ambulance delays (due to rerouting around the marathon), resulting in a statistically significant increase in the 30-day mortality rates [15]. If people died due to a 4.5-minute average increase in the length of the ambulance ride, then it seems logical that people died in the massive hospital ransomware-caused outage in the UK [16] as well as in other hospital attacks such as Hollywood Presbyterian, where ambulances were rerouted to other hospitals in LA traffic [17], or similar events in other hospitals [18-22].

Attackers make use of automation, resulting in attacks occurring at the speed of light; yet defense occurs at the speed of lawyers. Obviously, lawyers need to be involved. Lawyers should be consulted a priori so that they do not need to be consulted during the attack. Doing this requires anticipating the possible attacks and responses. “Think evilly but act ethically” [23].

IoHT designers must take into account attacks that will be part of a well-funded, well-staffed campaign to achieve a particular mission. The mission may be against the owner of the IoHT (e.g. the healthcare provider), or the IoHT may be an attack vector against another entity (e.g. the healthcare client, either as an individual or as a group such as military personnel).

Looking at real-world non-cyber failures and disasters gives great insights into what an attacker could do. As an example, there were 8 failures that led to the Deepwater Horizon / BP oil spill in the Gulf of Mexico [24]. Seven of the 8 problems were with actuators, sensors or decision algorithms, all failures that could also be caused by a cyberattack. Even the 8th cause, faulty cement, could be caused by a supply chain attack. The analysis does not have to be of mega-disasters. A similar analysis could be done of the typical failures in almost any manufacturing process, or to any medical simulation. This points out the need for domain-specific
978-92-61-28401-5/CFP1968P-ART @ ITU 2019 – 163 – Kaleidoscope