Saving every heartbeat: How DPI helps secure IoT networks for healthcare

Sebastian Müller portrait

By Sebastian Müller
Published on: 23.02.2021

Reading time: ( words)
Categories: Network security

Out of the 21.7 billion data connections recorded at the end of 2020, 11.7 billion are IoT connections1. The world of data, which was once confined to computing and storage devices, has now expanded to cover household appliances, machinery and even livestock. This increase is present in domestic, industrial and infrastructural settings. Smart homes, smart manufacturing and cutting-edge utility management all involve managing equipment and devices remotely. Propelled by the shift towards automation and the use of artificial intelligence and enhanced by secure online access and control, IoT is reshaping cities, homes and, via industry 4.0, the worldwide production of goods.

However, as any other network riding on the Internet, IoT is susceptible to cyber-threats. Denial-of-service attacks, botnets, man-in-the-middle attacks, identity and data theft, ransomware and advanced persistent threats can wreak havoc on individuals, households and enterprises connected to IoT. These threats may tamper with the end devices, the data carried by these devices, the servers they connect to and, in more complex settings, may infect other devices, appliances and applications on the network. If a set of smart lights, for example, is controlled by a smartphone with banking apps installed or containing emails with personal information, vulnerabilities in the smart light application can be exploited to connect to the network, which will grant attackers access to data on the smartphone. Given that the security for IoT networks, applications and end nodes is still at a very nascent stage, these vulnerabilities are set to be exacerbated as new objects are added to the network every day.

Cyber-threats in healthcare IoT

IoT applications in the healthcare sector are seeing a particularly increased exposure to cyber-threats given the rapid expansion of the sector especially in light of the COVID-19 pandemic. Remote health monitoring, remote consultations, data assortment, smart hospitals, robotic assistance and remote surgeries are some of the active areas of innovation and uptake in healthcare IoT. In 2020, more than one billion ‘visits’ to the doctor took place remotely2 and it is expected that by 2025, the global healthcare IoT market will rise to USD 188.2 billion in revenue compared to USD 72.5 billion in 2020.

The fact that IoT applications and devices in healthcare record, store and transmit highly confidential and sensitive data relating to a person’s health history, treatments and medical dependencies as well as an organization’s medical supplies, operational data and communications makes them an attractive target for cyber criminals and threat actors. The kind of data involved harbors potential to resell them, to bring the system under siege to extort ransom or to destroy parts of the data to bring about politically or rivalry-motivated chaos and instability.

IoT devices lacking relevant data protocols and standards are easy targets for cyber-attacks. This risk is indefinitely higher with legacy equipment that cannot be or is not updated to present security standards. If a medical organization lacks network segmentation and access control, a single device entry point can yield access to all of an organization’s information. The security and confidentiality of medical records can be breached and insurance information can be exploited for fraudulent claims. Even worse, malicious actors can target specific departments or patients. This can take place either indirectly by impairing the speed or latency of a network which impacts critical applications such as on-going remote surgeries or directly, for example by altering the injection quantity given remotely through a smart device to lethally attack a patient.

The threat is real

These scenarios are not just hypothetical. As a prominent example, the 2017 WannaCry ransomware attack paralyzed the UK’s National Health Service, affecting possibly 70,000 devices including MRI scanners and blood-storage fridges4. As medicine becomes smarter, i.e., as more devices and applications are connected to the Internet, the risk will only increase. The average healthcare breach costs more than USD 7 million, a number that continues to rise5.

To circumvent this, it is necessary for IoT healthcare systems to be monitored end-to-end. This starts with the user experience on healthcare self-help apps. It extends from there to the medical end devices, such as MRI scanners. These devices connect to LP-WAN, which comprises cellular networks such as mMTC, LTE-m and NB-IoT or non-cellular networks such as LoRaWAN and Sigfox. These networks connect to the IoT cloud or the server hardware and software where applications are run and data is stored, which also need to be monitored. Essentially, the entire IoT stack, from sensors and actuators to various data networks and the cloud, must be adequately secured.

DPI and healthcare

Our OEM deep packet inspection (DPI) engine R&S®PACE 2 comes with a vast library of traffic signatures, kept up to date with weekly updates. These frequent updates help filter IP traffic by classifying thousands of even the latest applications and protocols and extracting metadata in real time – all in spite of advanced obfuscation and encryption. When embedded into healthcare security applications, it helps to detect anomalies and suspicious behavior on the network. For example, if a hacker finds that a particular end device is vulnerable and wants to infiltrate it with malware, sending the malware to that device becomes impossible if its entry into the network sets off an alert. Similarly, with the DNS protocol classification feature from R&S®PACE 2, malicious activity caused by DNS tunneling is identified in real time. This curtails the transmission of malware and data infiltration for which DNS tunneling is often used and which is typically undetected by traditional firewalls and IDS/IPS.

The Health Level 7 (HL7) set of international standards, which adjudicate how medical data, clinical and administrative, is transferred between applications across the healthcare system, may be of particular interest to healthcare organizations. Currently, best practices are difficult with HL7, which is vulnerable to the kinds of IoT cyberattacks described above6. However, DPI can make a difference here, as it holds a magnifying glass to the data being transferred between applications, making it possible to see closely whether and when certain specifications are not being met. The same applies to Digital Imaging and Communications in Medicine (DICOM), which is a parallel standard for the communication of medical imagery. Our DPI engine is able to identify traffic from non-encrypted, partly and fully encrypted DICOM images, enabling hospitals and healthcare networks to ensure the security of their hospital and healthcare networks and database against malware, specifically encrypted malware.

If there is an area where close inspection of data being sent over a network is necessary, it is in medicine. IoT security breaches in the healthcare realm can be a matter of life and death. Luckily, DPI capabilities can go a long way to place the odds in favor of life rather than death. As healthcare, its equipment and its services come to involve more devices that can compute and communicate on their own, the need for better cybersecurity becomes ubiquitous – and so does DPI.


1) State of the IoT 2020: 12 billion IoT connections, surpassing non-IoT for the first time - IoT Analytics - Nov. 2020 -

2) US Virtual Care Visits To Soar To More Than 1 Billion - Forrester - 2020 -

3) IoT in Healthcare Market by Component, Application, End User, and Region - Global Forecast to 2025 - Markets and Markets - June 2020 -

4) Cyber-attack guides promoted on YouTube - The Times - May 2017 -

5) IBM Report: Compromised Employee Accounts Led to Most Expensive Data Breaches Over Past Year - IBM - July 2020 -

6) HL7 Data Interfaces in Medical Environments: Understanding the Fundamental Flaw in Healthcare’ - SANS Institute - Sept 2017 -

    Sebastian Müller portrait

    Sebastian Müller

    Contact me on LinkedIn

    Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.


    Related material

    ipoque blog - discover the latest news and trends in IP network analytics

    Sign up for our newsletter

    Stay informed about the latest news and insights from ipoque