The universe of objects interconnected via the Internet composes what is called the "Internet of Things" or "IoT." It is difficult to overestimate the impact of this burgeoning digital ecosystem. Gartner, Inc. estimates that 8.4 billion devices are connected in 2017, up 31% from 2016. By 2020, there will be 20.4 billion interconnected devices. It is estimated that over half of all new major business processes will use these IoT devices by 2020. This growth in scope and scale is staggering, and consumer products are the biggest driver of this phenomenon.
Each IoT device includes a small computer, which is vulnerable to a cybersecurity attack just like any other computer. Following are some common ways that the IoT contributes to cyber insecurity and ways that patients and providers can help improve security when dealing with IoT devices.
Expansion of Attack Vectors
"Attack vectors" are the avenues or pathways used by criminals to try to attack computers and computer systems. When IoT devices are added to a computer network, the criminals are given new avenues to attack. Internet-connected medical devices are especially at risk. For example, consider a situation where a diabetic patient receives a blood glucose meter (glucometer) that connects to the Internet. This connection provides tremendous benefits by allowing caregivers to monitor the patient's glucose levels in real time. However, a criminal could use that same connection to gain access to, and attack, other computers. The attacked computer could be a caregiver's computer at the hospital that interacts with the patient's glucometer or it could be another IoT device. Either way, malware is spread, and the cyber environment becomes less secure. The same type of attack can take place against all types of IoT devices, such as a closed-circuit television or even an innovative, new smart refrigerator.
What Can You Do?
One of the most important things you can do to strengthen cybersecurity in the IoT is to change the password of each IoT device as soon as it is implemented. Many of the IoT items you obtain will have a default password – a password that has been set at the factory. Those passwords are readily available on the Internet, so they do not protect the IoT item from unauthorized access. Change the password to a complex one that only you know. A complex password uses upper and lower case letters, numbers and special characters and does not include any words that can be found in any dictionary. If you need to, write it down – just don't keep your written reminder stuck to the device!
Expansion of the Attack Surface
The "attack surface" is the sum of all the attack vectors in a computer system. When you have a number of connected devices, your attack surface gets much larger. As your home and medical devices become increasingly connected, your attack surface is enlarging exponentially. This is creating a huge cybersecurity risk on two fronts: first, the risk of being hacked; and second, the development of botnets, which can be used for distributed denial of service ("DDoS") attacks and other criminal activities.
What Can You Do?
For IoT devices that do not need to remain powered on and connected to the Internet at all times, turn them off and ensure that they are disconnected from the Internet when they are not in use. Devices that are powered down and disconnected from the network are not available to be compromised; thus, the attack surface is smaller.
Contributing to Organized Crime
In many cases, organized crime is behind cyberattacks. One method used is to compromise hundreds or thousands of computers to act as "slaves" or "robots" subject to the commands of a master computer controlled by the criminals. These networks of enslaved computers, or "botnets," are then used to spread malware and spam or to perpetrate DDoS attacks. In DDoS attacks, a botnet is used to flood a target computer system with requests, making it unable to respond to legitimate users' requests for digital services (e.g., making a purchase from a website run from the targeted computer system). This is not a problem existing only in theory – a recent botnet composed of IoT devices was able to bring down several major web-based companies through a DDoS attack in September 2016 – and the problem is expected to only get worse.
What Can You Do?
Smart firewalls are being developed that can identify infected IoT devices, and certain programs will scan for different types of malware, such as Mirai infections. When evaluating new IoT device purchases, determine whether the device has been developed using "security by design." Security by design principles take cybersecurity into account when designing the product, and the Food and Drug Administration has made it clear that medical devices should be developed with cybersecurity in mind. Good cyber hygiene is as important in health care as handwashing is. Stay aware of recent cyberattacks, and of the means of protecting against similar future attacks, for both professional and personal devices.
Financial, Emotional and Even Physical Vulnerability
Some IoT devices have the ability to monitor your activities, either intentionally or incidentally. Depending on what data is collected and how that data is used, this could benefit or harm you. For example, a smart television enables you to access Internet-based entertainment and chat with distant friends and family via webcam, but it could also be used to listen in on your sensitive living room conversations. Similarly, while your smart home devices allow you to monitor and control certain features within your house, they could also reveal when you are (or aren't) home. This information could be exploited by criminals to commit physical, financial or emotional crimes. Some connectedness is beneficial, but there need to be limits on how data is collected and used.
Finally, once possible only in exaggerated television crime dramas, the potential for a hacker to take control of an IoT device in order to cause physical harm to its user has become a reality. The Food and Drug Administration released information in late 2016 about a correction to a vulnerability that would have allowed hackers to send modified commands to patients' pacemakers. Hacks affecting glucometers and insulin pumps have also been demonstrated. Now, a briefing at the upcoming Black Hat USA 2017 event will reportedly demonstrate a hack that causes an IoT device itself to physically attack a person. These possibilities are downright scary.
What Can You Do?
This article is educational in nature and is not intended as legal advice. Always consult your legal counsel with specific legal matters. If you have any questions or would like additional information about this topic, please contact:
· Your regular Hall Render attorney.
Melissa Markey and Stephen Grothouse are attorneys with Hall, Render, Killian, Heath & Lyman, P.C., the largest health care-focused law firm in the country. Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to health care law.