IoT = Internet of Threats! Is Healthcare Prepared?

November 10, 2016

cyber-securityGartner estimates about 6.4 billion Internet of Things (IoT) devices today, such as DVRs, surveillance cameras, and many others, all connected to the Web and all with Internet (IP) addresses. By 2020, it is expected that the number of Web-connected devices will increase to 20.8 billion.

So, why are these numbers relevant to healthcare cyber-security?

An IoT fact is that these devices were not designed or developed with security at their core. Further, these devices are typically not configured securely.

IoT = Internet of Threats!

The focus of this article is to walk through the security challenges associated with IoT devices, which are proliferating healthcare entities. We will examine four key steps that a health-care entity should take to be better positioned to address this area of emerging cyber-risk.

Why the IoT-driven Internet Wobble on October 21 Matters in 2017

7:10 AM EST, Friday, October 21, 2016, witnessed a massive cyber assault on the servers of Dynamic Network Services (DYN). DYN is one of the handful of entities on the Internet that provides vital Domain Name System (DNS) services. The Distributed Denial of Service (DDoS) by hundreds of thousands of IoT devices on Dynamic’s DNS servers made the systems inaccessible to all users. The attacks continued in waves, each targeting a different set of DYN servers.

More than 500,000 IoT devices were earlier compromised by the Mirai malware. It is estimated that just 10% of compromised IoT devices were associated with the cyber-attack. This army of zombie devices compromised by Mirai now formed a botnet army led by cyber-attackers through their command and control servers.

The Internet was starting to wobble on October 21, 2016. Cloud service providers, hosting providers, as well as thousands of businesses were impacted, including Twitter, PayPal, AirBnB, Box, Shopify and others. Amazon quickly recovered, others were not as fortunate.

The healthcare industry must learn from the Internet disruption of October 21.

IoT Malware and Mirai

The IoT devices compromised by the Mirai virus had weak security, including default settings that had not been updated by users. Mirai, is a Japanese word that means “the future.” Mirai represents the future of such malwares that compromise IoT devices for significant disruptions to healthcare operations and the broader Internet.

It is highly likely that 2017 will see more such Mirai-like malwares compromising IoT devices.

Get Started with an IoT Cyber-Security Policy

As the IoT becomes pervasive in healthcare given the explosion of wearable healthcare and fitness devices, sleep monitoring, infant monitoring, brain and neurotechnology sensors and many others, every healthcare organization must develop an IoT cyber-security policy. This policy describes key areas that must be addressed consistently as such IoT devices are deployed within the healthcare enterprise. The policy must raise the level of awareness of what are the various types of IoT devices that may be deployed within the organization.

Security issues associated with IoT devices and requirements for securing such devices must be stated clearly. Processes then need to be implemented within the organization to ensure that IoT devices are not the weak links in an organization’s cyber-security program.

Key Steps for 2017!

As we look ahead to 2017, we are at the dawn of highly targeted and synchronized cyber-attacks that will launch in waves at organizations small and large. Business priorities are guaranteed to be disrupted unless we are much better prepared.

Start with four key cyber-steps:

1. Acquisition of or immediate access to cyber-security skills to lead and manage initiatives with discipline and consistency

2. Raise the cyber-security knowledge bar significantly throughout the enterprise

3. Create a credible enterprise cyber-security plan that establishes the foundation for priorities – and is funded appropriately

4. Conduct a comprehensive and thorough cyber-security risk analysis that includes within it a scope vulnerability assessment targeted at vital assets such as IoT (DVR, surveillance cameras, others) and biomed devices.

IoT raises the priority for cyber-security in healthcare. Tomorrow starts now! Get started to lower business risk from IoT!

Ali Pabrai
Chief Executive, ecfirst

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Security+, a cybersecurity and compliance expert, is the chief executive of ecfirst. A highly sought-after professional, he has successfully delivered solutions to U.S. government agencies, IT firms, healthcare systems, legal and other organizations worldwide. He served as an Interim CISO for a health system with 40+ locations in the U.S. He has led numerous engagements worldwide for ISO 27001, PCI DSS, NIST and HIPAA/HITECH security assessments. ecfirst is an approved HITRUST CSF assessor, CI Qualified Security Assessor, and a Konica Minolta partner in the area of cyber security & compliance. Mr. Pabrai has presented passionate briefs to tens of thousands globally, including the U.S., United Kingdom, France, Taiwan, Sinapore, Canada, India, UAE, Africa, Saudi Arabia, Philippines, Japan and other countries. Mr. Pabrai has been featured at conferences including HCCA, ISACA CSX, HIMSS, InfraGard (FBI), ISSA, HIPAA Summit, Google Privacy & Security Summit, Microsoft Tech Summit, Internet World, DCI Expo and dozens of others. He is a proud member of the InfraGard (FBI). You can email your questions or comments to him at or reach him directly at +1.949.528.5224.