Gutfleisch, Marco; Schoeps, Markus; Hielscher, Jonas; Cheney, Mary; Sayin, Sibel; Schuhmacher, Nathalie; Mohamad, Ali; (2022) Caring About IoT-Security – An Interview Study in the Healthcare Sector. In: EuroUSEC '22: Proceedings of the 2022 European Symposium on Usable Security. (pp. 202-215). ACM
Abstract
The number of medical IoT devices is increasing rapidly: CT scanners, ECG devices, insulin pumps and other devices, which previously operated independently, are being interconnected with other devices, now sharing patient data and/or uploading them to the cloud. Medical IoT devices can create privacy and security risks for patients, healthcare professionals, and the institutions that deploy them. Previous security research has focused on software vulnerabilities in IoT devices, and how they could be exploited. This study takes a broader security perspective, looking at security issues that arise in the life cycle of IoT devices deployed in healthcare environments. We performed in-depth online interviews lasting over 1 hour (12 hours in total) with n = 8 experts responsible for the security of medical IoT devices in hospitals. They had on average 20 years of industry experience (IT and/or security), and spoke from the experience of either in-hospital specialists or external consultants who advise multiple hospitals on IT security. Our findings suggest that medical IoT devices are a security time bomb: the inability to easily patch devices due to certification regulations, the requirements of manufacturers to enable remote maintenance, and the lack of qualified personnel and resources result in low levels of security, even compared to general IT systems in hospitals (which have been found to be vulnerable due to age and lack of security expertise). More encouragingly, most participants reported that awareness of hospital managers & manufacturers of these issues has improved, following new legislation on IT security in hospitals in Germany and the EU over the last two years. We conclude that the security and privacy risks of medical IoT devices are currently underestimated, and that a collaborative effort with manufacturers and primary users (medical staff) will be required to create effective processes for securing them.
Type: | Proceedings paper |
---|---|
Title: | Caring About IoT-Security – An Interview Study in the Healthcare Sector |
Event: | European Symposium on Usable Security (EuroUSEC) |
Location: | GERMANY, IT Univ Copenhagen, Karlsruhe |
Dates: | 29 Sep 2022 - 30 Sep 2022 |
Open access status: | An open access version is available from UCL Discovery |
DOI: | 10.1145/3549015.3554209 |
Publisher version: | http://dx.doi.org/10.1145/3549015.3554209 |
Language: | English |
Additional information: | Copyright © 2022 Owner/Author. This work is licensed under a Creative Commons Attribution International 4.0 License. |
Keywords: | Healthcare IT Security, Human-Centred Security, Interview Study, IoT Security |
UCL classification: | UCL; UCL > Provost and Vice Provost Offices > UCL BEAMS; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/10193987 |



