Safely Disposing of the Needle in the Haystack: Managing the Cyber Risks of Healthcare IoT

During the early months of the Covid-19 outbreak, healthcare professionals were overworked and under-supplied. Governments were in chaos and squabbling over even the simplest of safety measures. Frontline facilities overflowed with terrified patients.

A nurse adjusts a face mask she’s been wearing for days. The message “smile for me” that she scribbled on in marker, is now as faded and hollow in message, as she feels in her ability to help the sick. She leans against a wall and checks her phone, hoping for a message from her family. She’s too afraid to go home in case she spreads the disease to her children, so she sleeps in the staff break room, along with her colleagues. Text messages are the only tether she has to hope.

An email pops into her mailbox. The subject line reads: “ALL STAFF: CORONAVIRUS AWARENESS”. The message notifies all medical personnel of facility wide online seminars to discuss new treatment measures and safety requirements. Exhausted, she clicks the link and registers for a seminar and thinks nothing more of another pointless bureaucratic task completed.

In the hours that follow, criminals use her credentials to access patient record systems, medical imaging suites and even internet-connected patient telemetry and treatment devices. By morning, every system critical to patient care is locked down with ransomware. The hospital is rendered useless. As administrators work to relocate patients to equally overloaded hospitals, medical staff resort to 1950’s paper-and-pen communication methods, slowing patient care by minutes and even hours. Those lost ticks of the clock, cost the lives of several patients with pre-existing heart conditions. This has actually happened in a hospital shuttered after a coronavirus-themed attack.

Join Mark Sangster from eSentire and the author as they discuss the cybersecurity risks of Healthcare IoT on the CyberSec Decoded Podcast.

Listen to the podcast below: 



Listen to more CyberSec Decoded podcasts 


Subscribe to our periodic posts via email to periodic new posts so you don't miss them.

Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.