The healthcare industry has embraced the Internet of Things (IoT), and for good reason. These networks of interconnected devices enable remote patient monitoring, seamless electronic health record (EHR) transfers and faster hospital resource management. Despite these benefits, the IoT also presents new risks.
As more organizations adopt the Internet of Medical Things (IoMT), their cybersecurity strategies must adapt. IoT risks are significant, but other new technologies — namely, blockchain — offer security solutions.
Why Healthcare Needs Better IoT Security
Healthcare businesses that want to experience the IoT’s benefits to the fullest must protect it. That starts with recognizing why this technology’s security, or lack thereof, impacts the industry.
IoT Endpoints Are Growing. The growth of IoMT systems alone warrants further attention. Experts predict over 70 million people in the United States will use remote patient monitoring systems by 2025, and that’s just one branch of the IoMT. 1
Since the onset of the COVID-19 pandemic, it’s become clear that hospital management must improve. The adoption of telehealth services skyrocketed around the same time. These factors have led to a proliferation of IoT devices in the industry, a trend that will only increase as the benefits become more well-known throughout the sector.
Such a significant rise should be cause for concern with any technology. This surge means hospitals now have far more endpoints to secure. In many cases, IoT adoption is also outpacing security growth, leaving organizations increasingly vulnerable to attack. The IoT’s interconnected nature also means these rapidly expanding networks give hackers more potential entry points to access sensitive data.
The IoT Is Vulnerable. Healthcare organizations must also recognize that the IoT is inherently vulnerable. Any endpoint, Internet-connected or not, is a potential risk because it’s one more thing to secure. However, IoT devices present more danger than most devices.
IoT devices often feature minimal built-in protections. A hacker could break into an easy-to-access gadget and move effortlessly from that endpoint to one with more sensitive information. This threat — called lateral movement — means the IoT’s weaknesses jeopardize the entire network without additional security measures.
Making matters worse is the fact that many of these devices don’t hold mission-critical data themselves, so they’re easy to overlook. The IoMT’s novelty also means hospitals may be unaware of these risks.
These threats are more than theoretical, too. Studies have found that companies with more connected IoMT devices are likelier to experience multiple cyberattacks in a year. 2
Healthcare Faces Unique Risks. The IoT’s security shortcomings affect any industry relying on this technology, but healthcare faces more risks than most. This unique challenge stems largely from its status as a favorite target for cybercriminals.
Healthcare is the third most-attacked industry and saw the biggest increase in cyberattacks in 2022. 3 This sector is a prime target because of its large amounts of highly sensitive information. Growing attack surfaces through the IoMT make it even more of a target. The threat of regulatory fines for breached data may also make medical organizations more likely to pay ransoms, enticing more ransomware attacks.
Healthcare hasn’t always been such a target, unlike other high-profile industries like government or finance. Consequently, many medical workers lack security experience, making user error more likely. The industry hasn’t done much to correct that trend, with 42 percent of healthcare organizations not training their employees in security best practices. 4
It’s also worth noting that attacks in this industry are more impactful. Tighter regulations aside, loss of service in medical devices could affect patient health.
How Blockchain Can Help. Given these substantial risks, IoMT security must improve. Comprehensive security is a multifaceted endeavor, but blockchain technology deserves special attention.
A blockchain is a distributed digital ledger where the records — called blocks — are visible to any authorized user but nearly impossible to change. These networks’ distributed nature means an attacker would have to take control of over half of their devices simultaneously to affect the blockchain.
This security and transparency provide an ideal structure for transmitting EHRs and other medical data between IoMT devices. Blocks’ cryptographic protections make transfers more secure than conventional encryption, and their immutability prevents tampering and fraud from outside actors. Blockchain’s distribution removes single points of failure for added reliability.
Patients could also see exactly who and what can access their records, thanks to blockchain’s visibility. This insight lets them make more informed decisions about their privacy. They could revoke access where desired, in line with HIPAA, and approach telehealth systems with confidence. Similarly, medical blockchains enable faster, more accurate regulatory audits.
Medical organizations could also use blockchain tracking in their IoT supply chains. This approach would let them verify where their IoMT endpoints and components come from. They could then hold providers to higher standards and ensure that they only use secure devices. Supply chain attacks impacted 40 percent more people than malware in 2022, so this protection is becoming increasingly crucial. 5
Best Practices for Improving IoT Security with Blockchain
While these potential benefits are impressive, it’s important to remember that blockchain and IoT are only tools. How effective they are depends on their usage, so healthcare organizations should keep several things in mind when implementing them.
Ensure That Sensitive Data Remains Private. One of the most important steps is to keep IoMT blockchains private. Transparency is great for audits and patient trust, but medical businesses must also consider data privacy in light of regulations like HIPAA.
The key is ensuring that the visible parts of a block don’t disclose any real-world patient data. Financial blockchains have already exemplified how to do this. While the blockchain wallets involved in each crypto sale and the transaction amount are visible, the real-world people and accounts they represent remain anonymous.
Early experiments have shown how to apply this practice to a healthcare context. 6 First, medical blockchains replace patient names with a unique, anonymous identifier known only to authorized physicians. Next, they encrypt all EHR data and display only the resulting hash as a unique identifier. These steps make it easy to pinpoint specific records but keep the details private.
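The two steps above, sketched as an added example (not code from the cited experiments): each ledger entry carries only a keyed pseudonym and a digest of the already-encrypted record, and the entries are hash-chained so that edits are detectable. The function names, the HMAC-based pseudonym and the sample values are assumptions made for illustration; the EHR is assumed to be encrypted elsewhere and arrives here as opaque ciphertext bytes.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

def pseudonym(patient_id: str, clinic_key: bytes) -> str:
    # Keyed hash: a plain SHA-256 of a short record number could be brute-forced.
    return hmac.new(clinic_key, patient_id.encode(), hashlib.sha256).hexdigest()

def block_hash(block: dict) -> str:
    body = {k: block[k] for k in ("index", "prev", "patient", "record_digest")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(chain: list, patient_id: str, ciphertext: bytes, clinic_key: bytes) -> dict:
    # Only the pseudonym and a digest of the already-encrypted EHR go on the ledger.
    block = {
        "index": len(chain),
        "prev": chain[-1]["hash"] if chain else GENESIS,
        "patient": pseudonym(patient_id, clinic_key),
        "record_digest": hashlib.sha256(ciphertext).hexdigest(),
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def verify_chain(chain: list) -> bool:
    # Recompute every hash and link; any edited field breaks the chain.
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev or block["hash"] != block_hash(block):
            return False
        prev = block["hash"]
    return True

def record_matches(block: dict, ciphertext: bytes) -> bool:
    # Check an off-chain encrypted record against its on-chain digest.
    digest = hashlib.sha256(ciphertext).hexdigest()
    return hmac.compare_digest(block["record_digest"], digest)

if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed sample values
    ledger = []
    append_entry(ledger, "MRN-0001", b"<ciphertext A>", key)
    append_entry(ledger, "MRN-0001", b"<ciphertext B>", key)
    print(json.dumps(ledger, indent=2), verify_chain(ledger))
```

The same patient maps to the same pseudonym only for holders of the clinic key, so entries can be grouped by authorized staff without the ledger exposing who the patient is.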
Use Smart Contracts for Access Control. IoMT blockchains must also be able to verify users’ identities. Restricting data access to authorized parties is only effective when the system can accurately determine if people are who they say they are. Smart contracts are the solution.
A smart contract is a blockchain feature that automatically triggers an action after certain conditions are met. In an IoMT context, these protections should work with the encryption and hashing technique. EHRs remain visible as only a hash until a user or device verifies their identity, at which point the smart contract decrypts it so they can see and use the specifics.
These verification methods must be more secure than a simple username and password. Just 25 percent of people adhere to strong password management practices, and these credentials are relatively easy to compromise. 7 Organizations should use private cryptographic keys to authenticate IoMT devices and multifactor authentication (MFA) to verify users.
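The access check described above, as an added example that is not taken from any real smart-contract platform: a device must answer a fresh challenge with its key and also hold a grant for the specific record digest before access is released. `AccessGate` and `device_response` are hypothetical names, and a per-device HMAC secret stands in here for the private-key signature a production system would use.

```python
import hashlib
import hmac
import secrets

def device_response(key: bytes, nonce: bytes, record_digest: str) -> bytes:
    # Device side: prove possession of the key for this nonce and this record.
    return hmac.new(key, nonce + record_digest.encode(), hashlib.sha256).digest()

class AccessGate:
    """Hypothetical stand-in for the contract's access check (not a real chain API)."""

    def __init__(self):
        self.device_keys = {}   # device_id -> enrolled key
        self.grants = set()     # (device_id, record_digest) pairs
        self.pending = {}       # device_id -> outstanding nonce

    def enroll(self, device_id: str, key: bytes) -> None:
        self.device_keys[device_id] = key

    def grant(self, device_id: str, record_digest: str) -> None:
        self.grants.add((device_id, record_digest))

    def revoke(self, device_id: str, record_digest: str) -> None:
        self.grants.discard((device_id, record_digest))

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def authorize(self, device_id: str, record_digest: str, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)   # single use, so replays fail
        key = self.device_keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = device_response(key, nonce, record_digest)
        if not hmac.compare_digest(expected, response):
            return False
        return (device_id, record_digest) in self.grants   # default deny
```

Because the nonce is consumed on every attempt, a captured response cannot be replayed, and revoking a grant takes effect on the next request even for a device that still holds a valid key.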
Consider Blockchain’s Power Consumption. Medical organizations implementing blockchain security systems must also consider their IT infrastructure and its limits. Blockchains consume considerable amounts of energy, which could be an issue for facilities with limited hardware or those running lots of power-hungry equipment. Without sufficient power, running a blockchain could lead to costly outages.
One possible solution is to use proof-of-stake (PoS) blockchains instead of the conventional proof-of-work (PoW) alternatives. They authenticate transactions by staking resources instead of relying on complex mathematical equations, resulting in far lower CPU power usage. In a testament to this technology, the Ethereum blockchain decreased its energy consumption by 99.9 percent after switching to a PoS system. 8
Hospitals must also review their network resources before implementing blockchains. Organizations should consult blockchain experts to ensure these processing-heavy networks won’t take too much of the system’s capacity.
Go Beyond Blockchain Protections. Healthcare organizations must recognize that blockchain is not a complete security solution. As helpful as it is, it doesn’t address all IoT-related risks, so additional controls are still necessary.
One of the most important secondary steps is to segment networks. Medical facilities should host IoMT devices on their own systems, apart from all others. That way, they limit lateral movement and ensure one breach doesn’t jeopardize all resources.
Training employees in security best practices — including strong password management and how to spot phishing attempts — is also crucial. AI-powered continuous monitoring solutions are ideal since they enable faster responses to potential attacks. Hospitals could theoretically also monitor networks manually, but few organizations have the necessary staff, and AI is more reliable.
New Technologies Present Risks and Opportunities
The IoT unlocks new healthcare possibilities but also introduces security and privacy issues. Businesses in this industry that want to capitalize on this potential must rethink their cybersecurity approach.
Blockchain security may be an important step in these new strategies. Organizations that recognize the risks they face and implement these innovations effectively can embrace the digital revolution safely. Digitization may quickly lead to dangerous and life-threatening risks without a new, tech-centric security approach.
References
1. A. Meola, “IoT Healthcare in 2023: Companies, medical devices, and use cases,” Insider Intelligence, January 2023.
2. Z. Capers, “More Healthcare Devices Means More Cyberattacks — How Weak Medical IoT Security Threatens Patient Care,” Capterra, November 2022.
3. “Check Point Research Reports a 38% Increase in 2022 Global Cyberattacks,” Check Point Research, January 2023.
4. “Cybersecurity Risks for Remote Teams and How to Avoid Them,” G-P, March 2022.
5. “ITRC Annual Data Breach Report,” Identity Theft Resource Center, January 2023.
6. K. Azberg et al., “BlockMedCare: A healthcare system based on IoT, Blockchain and IPFS for data management security,” Egyptian Informatics Journal, July 2022.
7. “Password Management Report: Unifying Perception with Reality,” Keeper Security, January 2023.
8. “Ethereum’s energy expenditure,” Ethereum, August 2023.
This article was written by Zachary Amos, a technical writer based in Mechanicsburg, PA.