Dark Reading is part of the Informa Tech Division of Informa PLC


02:00 PM
Justine Bone

The Telehealth Attack Surface

Amid the surge in digital healthcare stemming from the coronavirus pandemic, security is taking a backseat to usability.

Telehealth and telemedicine face numerous cyber threats. Currently, healthcare providers, medical device makers, and telehealth platform providers rely on a myriad of regulations and sources of guidance, including HIPAA, the Department of Health and Human Services, and Food and Drug Administration regulations and general cybersecurity best practices to manage these services. However, these regulations do not anticipate the full range of threats that can occur inside the insecure network environment of a patient's home. Additionally, many of these platforms have been deployed quickly during the pandemic and allowed to bypass existing regulations, which further exacerbates the risk environment for these services.

A new federal effort is underway to address this deficiency. The National Cybersecurity Center of Excellence (NCCoE) and National Institute of Standards and Technology (NIST) recently began working with leading industry vendors and subject matter experts to undertake a comprehensive analysis of telemedicine services to map out the attack surface, identify the key potential points of failure, and devise new telemedicine cybersecurity standards for the industry to follow. This process is still in the early stages, but once completed it will be an effective road map for healthcare providers and technology developers as telemedicine use expands.

In the meantime, let's examine the key areas of risk related to these digital services.

Human Endpoints: Patients and Doctors
Digital healthcare services have a broad attack surface, ranging from the online platforms to the healthcare providers, third-party tools, and services such as cloud storage and VPNs, remotely accessible medical devices, and the patients' own home networks. However, the most likely point of a security breakdown is at the two human endpoints: patients and doctors. In the latter case, many doctors may not be receiving sufficient security training for the telehealth platforms they are expected to use. Basic security measures such as two-factor authentication and session timeouts can be an obstacle or inconvenience, which could lead some medical practitioners to ask the IT department to disable them. Additionally, given the rapid rollout of telehealth during this pandemic, there is a significant possibility that some doctors will use their own personal laptops or cellphones to carry out virtual consults.

On the patient side, the situation is more complex. Many of the current cybersecurity standards upon which healthcare providers rely are best suited for a protected network environment, such as a hospital or medical office. Patient homes are just the opposite. Healthcare providers are sharing sensitive data through an insecure network with multiple users, and with other endpoints that are very susceptible to compromise by malware, including general Internet of Things devices and connected appliances. Unlike remote employees, healthcare providers cannot require patients to take security precautions such as tunneling traffic through a VPN or adding a device firewall. Therefore, telehealth and telemedicine services face a considerable challenge in trying to keep data secure as it travels through this high-risk environment.

Portable Medical Devices
Remote medical devices also pose unique challenges. In addition to operating within an unprotected patient home network, the devices themselves are more vulnerable to attack because they are resource limited and patients have unmonitored, unrestricted physical access to them. Unlike large devices such as MRI machines, the small portable medical devices that end up inside patient homes, such as insulin pumps or heart monitoring systems, have limited processing power, data storage, and battery life. As a result, cybersecurity solutions that we would otherwise turn to, such as strong authentication and encryption, may not be suitable options for those devices. They may also lack the form factor needed for other basic security steps, such as password protection, as they often lack a display screen and keypad.

Privacy Risk vs. Disruptive Attacks
Cyberattacks on the healthcare industry have been a problem for years, but the COVID-19 outbreak has exacerbated many of these risks, particularly when it comes to ransomware. However, despite the fact that these disruptive attacks are increasing, the healthcare industry has remained largely focused on the issue of patient privacy in order to prevent information theft or accidental exposures. The same is also true with telehealth and telemedicine. In the emerging field of digital healthcare, providers are mostly concerned with privacy risks while not fully accounting for other types of attacks such as device ransomware and the deliberate disruption or sabotage of services. Internet-connected medical devices provide a unique attack vector, one that could be exploited to cause significant harm to patients.

Although targeted attacks on patients are certainly possible, they are unlikely. What is more realistic is that criminals will target the back-end infrastructure and third-party technology ecosystems that support telehealth and telemedicine services in order to gain scale and access to large datasets of highly monetizable information. These targets could include telehealth web application servers, third-party support services, back-end servers for remote medical devices, and hospital networks. The increasing number of attacks on consumer-grade Wi-Fi routers could also be used to compromise health services, whether intentionally or unintentionally, by criminal actors.

Next Steps
In the haste to roll out telehealth services, some traditional security processes have been skipped or streamlined in order to reduce the time to market. This has raised the level of risk for these services. It is important for service providers to address these issues by going back and applying security hardening and turning on key security features. Cybersecurity protections like end-to-end encryption, strong access authentication, multifactor authentication, and active monitoring are all essential must-haves. However, these are not always realistic in certain areas of telemedicine, particularly when it comes to the use of smaller Internet-connected medical devices for remote patient monitoring. For these devices, other security measures need to be investigated, including firmware-based defenses and hardware-level safety controls, which can prevent the devices from being forced by an attacker to act in an unsafe manner.
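One way a firmware-based safety control of the kind mentioned above can look, as an added sketch that is not from the article or from any device vendor: a guard that sits between command handling and the actuator of a hypothetical dosing device and enforces hard limits even when a command arrives over an authenticated channel. The names (`dose_guard_check`, `dose_guard`) and all limit values are assumptions constructed for illustration, not clinical figures.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed limits for illustration only; not clinical values. */
#define MAX_SINGLE_MU   5000u   /* cap per command, in milli-units */
#define MAX_WINDOW_MU  10000u   /* cap across the rolling window */
#define WINDOW_SECONDS  3600u
#define HISTORY_SLOTS   8       /* also bounds commands per window */

typedef enum { DOSE_OK, DOSE_REJECT_SINGLE, DOSE_REJECT_WINDOW,
               DOSE_REJECT_RATE, DOSE_REJECT_CLOCK } dose_verdict;

typedef struct {
    struct { uint32_t t, mu; } hist[HISTORY_SLOTS];  /* accepted doses */
    uint32_t last_t;                                 /* time of last accepted dose */
} dose_guard;

/* Called after authentication and just before the actuator is driven, so a
 * stolen credential or compromised network stack still cannot exceed limits. */
dose_verdict dose_guard_check(dose_guard *g, uint32_t now, uint32_t req_mu)
{
    uint32_t in_window = 0;
    int free_slot = -1;
    if (now < g->last_t)                      /* clock rolled back: fail closed */
        return DOSE_REJECT_CLOCK;
    if (req_mu == 0 || req_mu > MAX_SINGLE_MU)
        return DOSE_REJECT_SINGLE;
    for (int i = 0; i < HISTORY_SLOTS; i++) {
        bool live = g->hist[i].mu != 0 && now - g->hist[i].t < WINDOW_SECONDS;
        if (live)
            in_window += g->hist[i].mu;       /* still counts against the window */
        else if (free_slot < 0)
            free_slot = i;                    /* empty or expired record */
    }
    if (in_window + req_mu > MAX_WINDOW_MU)
        return DOSE_REJECT_WINDOW;
    if (free_slot < 0)                        /* history full: never drop a live record */
        return DOSE_REJECT_RATE;

    g->hist[free_slot].t = now;
    g->hist[free_slot].mu = req_mu;
    g->last_t = now;
    return DOSE_OK;
}

int main(void) {
    dose_guard g = {0};
    return dose_guard_check(&g, 100, 4000) == DOSE_OK ? 0 : 1;
}
```

Because the guard needs only a few bytes of state and integer comparisons, it fits the resource-limited devices the article describes, where heavier controls may not.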

The NCCoE program is a critical first step in defining the full scope of risks and threats related to telehealth services. It will also play an important role in improving patient health and security.

Justine Bone is CEO of MedSec, a cybersecurity company which is exclusively focused on the healthcare industry, including hospitals and medical device manufacturers. MedSec is serving as a subject matter expert for the NCCoE/NIST Securing Telehealth Remote Patient Monitoring ...

User Rank: Author
6/18/2020 | 9:57:28 AM
The next frontier?
Interesting article. So much attention on telehealth these days, haven't heard much, yet, about security risks. 