result, it has a very unique place within the arena of connected medical devices. Some of the applications of NFC include logical access to medical information, Intelligent ID bracelets, tagging of medications, physical access, and so on.28 The tagged ID bracelets and other such items do not store medical information. That reduces the risk considerably, which is a good thing because there is no authentication within NFC. The risks concerning NFC generally are around two devices in active mode—where information can be transferred. For many uses, NFC is typically in passive mode for tagging purposes. While it is a huge help for hospitals, from a connected medical device perspective, the risks tend to be lower, but not zero. For example, in 2019, Android devices had an NFC vulnerability that exposed the devices to malware attacks and, worse, privilege escalation (which means anyone can do almost anything to the device).29 In most settings this is not a huge risk, but if you had a device that uses NFC, that could be a risk to all the other systems the device was connected to. In some environments, this includes protected health information.
Wired Connections
Wired networks have a very different security concerns than wireless networks, generally speaking. People can use devices to snoop wireless traffic, pretend to be an access point you would want to connect to in a local coffee shop, and so on. Wired networks, from a healthcare perspective, are generally where there is an aggregation of devices—where all the IoMT devices are located. Wireless networks are also where some of the other more breached systems are located. There are a host of problems related to wired networks, which will be discussed in Chapter 10, “Network Infrastructure and IoMT.”
The Cloud
Twenty years ago, most companies had their own electronic infrastructure to store, process, and transmit information. They had independent servers that had a one-to-one relationship to the operating system. Later, virtualized operating systems hit the scene, so many servers could be on one system. Now, due to business advantages, many companies utilize cloud services for the same purpose. In the cloud, systems are divided virtually and logically in cloud environments. The economics of scale within the cloud make a great deal of sense for many companies due to a principle known as elasticity. This means that systems can spin up and down both servers and can add and/or remove compute power to meet immediate demands. While traditional systems have virtualization technology, what most virtualization technology accomplishes is the ease of scalability. Traditional systems have to purchase the computing power, storage, and memory maximum that are required. With the cloud, these maximums do not need to be purchased. In the end, for companies who need this kind of elasticity, the cloud makes perfect sense. Cloud has proven a lifesaver for companies that have had to shut down or reduce their footprint due to COVID-19. They don't have expensive equipment to power, thus saving money that is not possible with traditional infrastructure. They do not have to pay for processing power—only storage for keeping their virtualized systems powered down, which is a huge cost savings.
For the IoMT, the cloud is a very critical component because for some companies the growing ubiquity means that companies will need to grow as their devices grow. While there are a range of technologies that aid or support connectivity, the cloud is one of the key technologies. That being said, cloud technologies come with their own types of unique risks. Mature companies have the issues related to those risks mostly accounted for, but smaller companies are not always as adept at understanding or compensating for those risks. For example, where companies had traditional physical security to keep track of, a cloud provider takes full responsibility for that security.
Some of the differences that take some getting used to for many companies are cloud native capabilities. For example, years ago, traditional systems used a database. Think of a database as a giant electronic repository of data. It is more complex than that, but it is sufficient for this discussion. Today, a separate database does not need to be purchased. Many cloud systems have databases built into the infrastructure. We refer to those as cloud native systems. The challenge for companies is that there is a learning curve when it comes to cloud native systems. Let's take the example of the S3 bucket, which is a cloud native database within Amazon Web Services (AWS). (I almost wish I had kept track of the number of organizations—both government and corporate—that have been hacked as a result of a misconfigured S3 bucket.) It is a very common occurrence despite the fact that AWS has increased the security and brought to the attention of others the dangers related to it and has educational information on how to configure the S3 bucket securely. One of the proverbial sins of IT is to make sure that a system works, but not to make sure that the system is secure. If everyone on the internet can access the system, it is probably working from an IT perspective—often the administrator not realizing they just opened the database to hackers as well. This is not just a problem of small companies; some of the major breaches that have hit the news are related to S3 bucket security. Examples include such prominent names as Uber, Accenture, and even the United States Department of Defense.30 While there is a much deeper dive that can be had related to this specific topic, suffice it to say that cloud native technology has its challenges, and not all companies are equally up to those challenges.
The reason this is important to consider is that companies often store the information related to the connected medical devices in those buckets—often without the knowledge of the end users of those systems. All a physician cares about is ensuring their system works properly when they need it to. They are operating under the assumption the host company is doing the security properly.
Many of you may be thinking that the problem has to be resolved soon. The reality is the problem does not appear to be going away. In August 2020, Truffle Security reported that they uncovered thousands of leaky S3 buckets in AWS that are accessible to anyone on the internet without authentication.31 To make matters worse, they believe that these open buckets are “wormable.” This means that software could be written so that one bucket leads to another, magnifying the impact of a leak. With all of these leaks, it is only a matter of time before ransomware based on misconfigured S3 buckets will become a new norm. Already the proof of concept has been created.32
While AWS is the focus of this discussion, most of the major cloud providers have their own versions of the AWS S3 buckets. Since AWS is the largest player in the market (and one of the most mature of the cloud players), it is used by many and thus these issues are more prevalent. As the other cloud providers become more prevalent, these issues will pop up. There are numerous articles about some of their competitors.
A few of the more astute readers have probably noted that this chapter has not touched on the most obvious aspect of databases—encryption. A foundational requirement in information security is to encrypt data. HyTrust performed a survey of companies moving to the cloud. The survey uncovered that 25% of healthcare organizations are not encrypting data in the cloud.33 What has not been specified is if this is related to cloud native databases or installed, non-native databases. Either way, it is a very serious issue and points to lack of due diligence and/or due care in organizations.
Another cloud native technology that is a challenge for some businesses is the portal to the clouds themselves. Think of that portal as an administrative gateway that provides full access to one or more virtual data centers. That access includes all cloud native infrastructure, and now, quite often, virtual computers used by everyday corporate employees.
So far, though, I have not touched on a branch of the cloud known as Software-as-a-Service (SaaS). Instead of needing to build your own tools in the cloud, services are available to do
