Caring About IoT-Security – An Interview Study in the Healthcare Sector

The number of medical IoT devices is increasing rapidly: CT scanners, ECG devices, insulin pumps and other devices, which previously operated independently, are being interconnected with other devices, now sharing patient data and/or uploading them to the cloud. Medical IoT devices can create privacy and security risks for patients, healthcare professionals, and the institutions that deploy them. Previous security research has focused on software vulnerabilities in IoT devices, and how they could be exploited. This study takes a broader security perspective, looking at security issues that arise in the life cycle of IoT devices deployed in healthcare environments. We performed in-depth online interviews lasting over 1 hour (12 hours in total) with n = 8 experts responsible for the security of medical IoT devices in hospitals. They had on average 20 years of industry experience (IT and/or security), and spoke from the experience of either in-hospital specialist, or as external consultants that advise multiple hospitals on IT security. Our findings suggest that medical IoT devices are a security time bomb: the inability to easily patch devices due to certification regulations, the requirements of manufacturers to enable remote maintenance, and the lack of qualified personnel and resources result in low levels of security, even compared to general IT systems in hospitals (which have been found to be vulnerable due to age and lack of security expertise). More encouragingly, most participants reported that awareness of hospital managers & manufacturers of these issues has improved, following new legislation on IT security in hospitals in Germany and the EU over the last two years. We conclude that the security and privacy risks of medical IoT devices is currently underestimated, and that a collaborative effort with manufacturers and primary users (medical staff) will be required to create effective processes for securing them.