With about five billion IoT devices connected today, with growth expected to reach 25 to 38 billion over the next five years it's clear something needs to be done to arrest the threat of billions of devices being recruited for nefarious purposes.
One of the areas where IoT devices are particularly prevalent is the health sector. LogRhythm's Vice President and General Manager for the APJ region, Bill Taylor-Mountford says there are some very old and vulnerable systems running in hospitals. Many are running unpatched versions of Windows XP and are operating automated systems for the injection of medicines and other critical functions.
Taylor-Mountford says it might be true that in some cases those systems are air-gapped but his observation is that only are small proportion fall into that category.
"Most hospitals are quite exposed", he says.
This covers payment systems, medical records systems and other IP-connected devices he adds.
Those devices have been operating for quite some time. I asked Taylor-Mountford why there was a sudden interest in these devices, particularly in the health sector.
"I think it's the accessibility. The hacking community, the threat actors who retrieve information have gotten a lot smarter, more sophisticated and are targeting attacks. If you think about ransomware, we did get it 15 years ago and other types of malware but they were generally spoiler, defacing websites. What we're seeing now is a lot less of that and more serious attacks".
Taylor-Mountford says the medical sector is such a rich treasure trove of personal data that it is proving to be an irresistible target for threat actors. This is because that data does have commercial value.
"You've got the opportunity to look for someone specifically to embarrass them or to make health information public such as a politician. By making the information public you could create a rift or a change in government policy or even force a change of government".
So, while the data or ordinary citizens might be taken, that is a by-product of the real target – the health information of a public figure.
That helps to determine the likely threat actors. With nation states and criminal gangs the most likely to benefit from the theft of personal health data, it's unlikely the adversaries will be hacktivists or private individuals. This means the sophistication of the attackers is likely to be quite high.
By linking the health information with other stolen data such as credit card data it becomes possible to "productise" the data for sale. This data can be used in all sorts of ways. Taylor-Mountford even made the point a journalist could buy the data to identify a cancer cluster linked to a specific region people live in or their workplace.
For example, data from the Target hack of 2013, the hack at Ashley Madison and theft from American health insurer ANTHEM could be aggregated to create some very personal data that could be used for all sorts of purposes from blackmail to creating false identities.
"They can complete a puzzle. They’ve got this database. They can squeeze the financial bits out of it. The personnel bits out of it. The nation-state bits out of it. The health bits out of it. They productise it and get the most use out of it".
This 2016 HIPAA study provides additional information about the shifts of compliance and training over the past three years.