IoT is a network of interconnected devices that communicate and exchange data with each other over the internet, without requiring human intervention. Threat actors often use it due to the automated nature of IoT systems and the access it provides to large portions of the organization's network and therefore its protected health information (PHI).
What is IoT?
Internet of Things (IoT) software is a necessary part of managing a wide array of connected medical devices and sensors like wearable devices, smart thermometers, remote monitoring devices, and even connected surgical instruments. A white paper published in Freescale and ARM stipulates that “The IoT is being defined as smart machines interacting and communicating with other machines, objects, environments, and infrastructures, resulting in volumes of data generated and processing of that data into useful actions that can 'command and control' things and make life much easier for human beings.”
These devices collect real-time patient data, which is then transmitted through secure networks to healthcare providers for analysis. The IoT software processes this data, often using cloud-based platforms to store, analyze, and share it with relevant stakeholders like doctors or medical teams so that more informed decisions are made.
Why are IoT’s targeted by threat actors?
Threat actors often exploit the inherent weaknesses in IoT devices like weak passwords, outdated software, and lack of encryption. This makes this possible because traditional IT systems and IoT devices frequently lack the same level of security measures commonly used to secure data. The vulnerability worsens because many IoT devices are often deployed without comprehensive oversight or proper risk management protocols.
Many devices store or interact with PHI which is a valuable resource to threat actors. Attackers can use these devices for malicious purposes like data theft, identity theft, and launching large-scale attacks like distributed denial of service (DDoS) attacks. These attacks can then access larger portions of organizational data than simply leveraging an attack against a single email account or accessing the organization's devices.
How is the data exploited from IoT’s used?
When a healthcare organization experiences a data breach, this data is then used in ways that provide the threat actor the most profit or gain. With PHI consisting of extensive and extremely sensitive data, threat actors can sell this information on the black market while leveraging the threat of distribution against healthcare organizations for ransom.
On the black market patient data can be used in various ways, each detrimental to patients in different ways. These can take the forms of stolen identities, blackmail, or unauthorized prescription collections.
Related: HIPAA Compliant Email: The Definitive Guide
FAQs
What is PHI?
Protected health information is any information related to a person’s health status, care, or payment for healthcare that could be linked to an individual.
What is the Security Rule?
The Security Rule is part of HIPAA that focuses on protecting electronic PHI (ePHI) setting the standard for how healthcare organizations must protect digital health information.
What are threat actors?
Threat actors are people or groups who try to harm an organization’s systems, steal information, or disrupt operations.
Kirsten Peremore
