Interview: Natali Tshuva, CEO and Co-Founder, Sternum

The healthcare industry has been increasingly targeted by cyber-criminals over recent years, and this has been exacerbated since the start of the COVID-19 pandemic. The highly sensitive nature of the work undertaken by hospitals and research labs makes them lucrative targets for tactics like ransomware, while the often heavily interlinked IT systems and vast range of machinery and devices can make them more vulnerable to being hacked, especially in periods of high stress and pressure for staff.

The explosion in the use Internet of Things (IoT) devices to help treat and manage a variety of medical conditions is adding to healthcare cybersecurity fears, with attacks on these appliances potentially having fatal consequences. To discuss this emerging issue and how organizations should mitigate threats to healthcare IoT devices, Infosecurity caught up with Natali Tshuva, CEO and co-founder of IoT cybersecurity company Sternum.

To what extent have we seen the use of connected devices in hospitals and healthcare institutions grow over recent years, and how do you anticipate this will increase in the future?

We all know that technology touches every aspect of our lives. As we’re aiming to improve our quality of life and life expectancy, medicine is relying more and more on IoT technology. Devices such as pacemakers, insulin pumps and remote monitoring are just some of the many examples of such usage. 

A recent report indicated that there are 161 million IoMT devices in use today, and that number is only expected to grow in the coming years. Of course, with the use of this technology, and billions of new devices expected to enter use, the threats of cyber-attacks also increase.

In what ways are these kinds of connected devices vulnerable to being hacked?

Every device connected to a network is vulnerable to attack. There isn’t a device out there that can’t be hacked. This is even truer when we talk about medical devices as they are very different from traditional PCs/servers. Many of them were built many years ago with no security in mind, and due to the unique characteristics and requirements of those devices (low resource usage and real time, embedded software), even new devices are lacking proper security controls. 

Exploiting these vulnerabilities can result in collecting personal health information (PHI), gaining access to a hospital’s network, holding it hostage via ransomware and even causing a medical device to malfunction, which could lead to harming a patient. 

“Perhaps an even more chilling application of one of these vulnerability exploitations is when a woman hacked her own pacemaker”

Perhaps an even more chilling application of one of these vulnerability exploitations is when a woman hacked her own pacemaker. Through the process, she identified five key vulnerabilities, all of which can be exploited and allow a cyber-criminal to hack a device. 

To what extent are cyber-criminals using connected medical devices to serve as gateways for hackers to infiltrate hospital networks?

It is highly likely that cyber-criminals are utilizing connected medical devices to infiltrate larger networks. The multiple IoT devices connected to a hospital network containing minimal security are bound to serve as the gateways of choice for hackers seeking the easiest way in. Once an attacker is inside these connected devices, they are just a few steps away from gaining access to a hospital network. It’s all about manipulating lines of code and altering memory functionality; this will ultimately lead the attacker to having some access to the bigger network that the device is connected to. 

What are the main security issues within healthcare organizations that leave these kinds of devices vulnerable to attack?

As mentioned, if you leave one part of your network unprotected, no matter how small or insignificant it looks, it can ultimately affect your entire network. Providing security only at the network level isn’t sufficient, as these methods cannot prevent the exploitation of edge devices. Once hacked, the attacker has full control over how those devices behave, which in many cases leads to the ability to avoid anomaly detection and network security controls. 

Only a true, embedded security solution can mitigate these security threats and offer the first line of defense and early detection against attacks. 

How would you advise healthcare organizations to enhance the protection of IoT devices?

If we were to learn from enterprises that have been dealing with these kinds of threats for many years now, one thing becomes clear: they all implement both network security and endpoint security as multi-layered protection. 

Our recommendation is no different to healthcare organizations, only in their case, edge devices are mission-critical, and so require endpoint protection even more urgently. To truly protect your network, you must protect the IoMT devices within. On-device, embedded security that is capable of preventing threats in real time and offers alerts and early detection from within endpoint devices is an essential part of the overall security envelope of an organization and comprises the two essential layers of healthcare organizations. 

This is also an opportunity for medical device manufacturers – they can be the ones capable of providing these capabilities to healthcare organizations and enhance their visibility and security from the get-go. 

We have seen a growth in guidance and regulations regarding the security of IoT devices in the manufacturing stage. How do you expect to see the regulatory landscape evolve in the coming years?

While the US recently passed the IoT Cybersecurity Improvement Act, which calls for greater device transparency during the procurement process, there are no sustainable and sufficient standards for device manufacturers to follow, though the liability is on them. 

Inadequate security solutions like static analysis, vulnerability management or basic best practices are still what are most commonly used, but we hope that federal and government agencies will pave a way to a new high security standard for those critical devices.

What’s Hot on Infosecurity Magazine?