Healthcare Industry May Not Be Prepared For Internet of Things

A recent survey conducted by ZingBox, a Silicon Valley internet security startup, found that more than 90% of healthcare IT networks have Internet of Things (IoT) devices. The survey further found that more than 70% of IT departments believe that current security systems for laptops and servers can also protect connected medical devices.

According to Xu Zou, ZingBox CEO, “Typically you will see 10 to 15 IoT devices per bed in a hospital.” He defines a healthcare IoT device as anything that is portable and connected to the Internet.

This has caused serious problems for medical and other organizations. For example, on May 12, 2017, a ransomware cryptoworm called WannaCry attacked devices on every continent. An estimated 200,000 computers in 150 countries were infected. The attack included hospitals in England and Scotland and affected up to 70,000 devices, including MRI scanners, blood-storage refrigerators, and theater equipment. Some ambulances were diverted and some non-critical emergencies were turned away.

A more recent global attack occurred on June 27, 2017. Petya (also known as NotPetya), a ransomware cryptovirus, affected largely Ukrainian and Russian hospitals but also hit locations in France, Germany, Italy, Poland, the United Kingdom, and the United States.

In ransomware attacks, malware prevents a user from accessing certain computer records (e.g., patient records). These records are not released until a specified amount is paid to an anonymous recipient. Generally, these types of attacks rely on cryptocurrencies, such as Bitcoin. Cryptocurrencies function like paper money, so the transaction is anonymous and difficult to trace.

“Health care has been late to respond to the need for protected information, and the information is worth more,” said Michael Ebert, a partner with KPMG who advised companies on cybersecurity. “It’s amazing how far behind we are, and we know we have to do something.”

Ransomware attacks not only show the vulnerability of hospitals (and healthcare companies generally), but they present a threat to human life. For example, experts have suggested that up to 500,000 children’s medical records are on sale and could be used to compromise the care given to a child.

Ransomware attacks are on the rise. A 2017 Verizon Data Breach analysis found that ransomware attacks rose from the 22nd most common type of malware attack to the 5th most common between 2014 and 2017. “[H]olding files for ransom is fast, low risk and easily monetizable,” wrote the authors. The report noted that 72% of all health care malware attacks in 2016 were ransomware.

Investment in IoT technology is also rising. So far it stands at nearly $25 billion and is expected to rise dramatically. Accordingly, the spread of the technology can be expected to increase. Examples within the medical device community include blood pressure and heart rate monitors.

Most of those surveyed by ZingBox may be optimistic about the state of their security. However, the healthcare industry is likely to be more vulnerable in the future as the IoT becomes more ubiquitous.


Jordan Cox
Jordan Cox is an associate in the Orange County office. His practice includes patent prosecution, patent litigation, and due diligence. He also works with clients to further develop a strategy to create untapped value from existing technologies. Mr. Cox received his J.D. from the Georgetown University Law Center. At Georgetown, Mr. Cox served on the Georgetown Journal of Law & Public Policy. Before coming to law school, Mr. Cox double-majored in Physics and German Studies at Brigham Young University where he graduated with honors. As a Fulbright Scholar, Mr. Cox studied the optical properties of crystals using high-powered pulsed laser and x-ray systems. Mr. Cox worked as a summer associate in 2014 before joining the firm as an associate in 2015.