You may have experienced the first coordinated cyber attack using the “Internet of Things” (IoT). I bet you are wondering: how did it affect me, and how did it happen? Did you notice on October 21st that Facebook and LinkedIn were not available? Maybe you noticed that Amazon couldn’t take your order, and email was really slow? This was the result of a Distributed Denial of Service (DDoS) attack. Such attacks have been going on for years, but this one was different.
Typically, a DDoS attack is the result of a virus or malware infecting many PCs which then, when instructed by the malware’s author, flood the targeted victim’s web address with thousands of messages. This creates an Internet traffic jam and stops the victim’s ability to communicate via the Internet. This particular attack was on a key Internet asset which acts as the Internet’s address book, and the result was a major Internet disruption on the East Coast. It eventually spread to the West Coast as well.
Where does the “IoT” fit into all this? This DDoS used IoT devices to cause the traffic jam. Now you’re wondering, just what is an IoT device? According to the National Institute of Standards and Technology (NIST), an IoT device must have sensing, computing, communication, and actuation capabilities. Thus, it has a computer with software programs which enable the other 3 required attributes. It is connected to a network, and ultimately the Internet, so it can communicate with other devices such as your smartphone. That is how the requested data gets back to you after the device senses that you did close your garage door after leaving for work this morning. Or you can actuate the door locks on your Buick while lying on the sunny tropical beach.
Surely my digital thermostat, baby monitor, VCR, vacuum cleaner, garage door opener, or refrigerator couldn’t be involved in such an evil deed as a DDoS attack? Yes, they can, and maybe they were! All these relatively inexpensive IoT devices have very basic or no Internet security capabilities at all. Most are installed with default passwords which can readily be found via a quick Google search. Thus, they can be readily hacked and re-purposed to do other things. There are numerous instances where digital thermostats have been hacked to access home networks and steal personal information and financial data. Could your thermostat be spying on you when you are logging into your bank account?
Let’s take this up to the next level. What about your business? The healthcare industry, like all others, is seeing a flood of new IoT devices addressing complex issues to reduce workloads and wait times. Whenever you install an IoT device in your practice, take time to consider the potential downsides. Each new device on your network is another vulnerability. You must evaluate its security capabilities before it is installed. Also consider whether proper security can be maintained in the future. Ask yourself:
- Is the password strong enough?
- Can your IT staff or managed services provider support the device?
- How does the company selling the device service it?
- What information is it transmitting?
- Is the data encrypted on the device and during transmission?
These are not easy questions, but they are essential to help protect your practice’s and your patients’ sensitive data.