A computer generation or two ago, IT managers fought a futile uphill battle to prevent rogue PCs from infiltrating the workplace, a battle fought largely in the name of data security. Their thinking was that if IT couldn’t manage it, they couldn’t secure it. Is history repeating itself with health care IoT devices?

Fast forward to the present health care environment. A new generation of digital devices, some authorized and others not, is flooding into hospitals. These Internet of Things (IoT) devices run the gamut, from highly sophisticated patient telemetry devices to smartphone-controlled outlets that remotely turn lights on or off. These devices have two things in common: They are connected via the internet to send and receive data, and they rank among the most insecure digital devices anywhere. As a result, these connected devices should be the main source of concern in hospitals.

Are Health Care IoT Devices Secure?

How vulnerable are some of these health care IoT devices? Consider last year’s highly publicized attack on Dyn, an internet backbone provider. Instead of going directly at their target, the attackers used a piece of malware called Mirai, which automatically discovers IoT devices — in this case, about 100,000 of them. Many were no more sophisticated than security cameras and baby monitors. The fraudsters then essentially lashed these compromised devices into a vast botnet, which was used to launch a successful distributed denial-of-service (DDoS) attack against Dyn, knocking out service for millions.

In hospitals, there are two kinds of IoT devices: those purchased by the hospital for patient care, and those increasingly brought into the workplace as convenience devices. Both types are often linked directly to the hospital’s Wi-Fi, which is often part of a flat network topology connecting all the hospital’s digital devices. It is entirely possible for cybercriminals to gain access to that network via the less secure convenience devices.

Bear in mind that the growth expectation for IoT devices rivals that of any other class of digital devices in history. Gartner estimated that the 8.4 billion IoT devices in use this year are up 31 percent over 2016, and said it expects that figure to swell to an astonishing 20.5 billion in 2020. Roughly 60 percent of these devices will be sold to consumers, while the remainder are special purpose business devices. To keep the consumer versions cheap, manufacturers make them with little to no security standards, and they usually arrive with very weak default passwords that few consumers bother to change.

Securing Insecure Devices

Given this unstoppable tsunami of IoT devices, there are several practical steps that health care IT professionals ought to consider in the interests of cybersecurity. First, understand that certain industry-specific groups are taking the lead in trying to assure the security of various technologies, notably IoT devices. In health care, one of the groups is the Health Information Trust Alliance (HITRUST), which developed its Common Security Framework to address the many security, privacy and regulatory hurdles facing health care IT.

Consider establishing formal awareness training for all hospital staff members when it comes to IoT devices and their security ramifications. Most if not all hospitals already undertake security training to help employees ward off phishing attempts and other nefarious cybercriminal activities. With IoT consumer devices that might find their way into the workplace, there is a need to stress their many security weaknesses. Some hospitals may even pursue an outright ban on bringing external IoT devices into the workplace.

It is also worth considering creating an entirely separate subnetwork just for IoT devices. In the event of a security breach, this subnetwork and the devices on it can be effectively isolated from the rest of the network infrastructure, thereby limiting access and damage to other hospital systems. Security and network staffing shortages can make setting up such a subnet challenging, but there are excellent third-party experts capable of handling this for you.

Taking Stock

Finally, and most importantly, a complete inventory of all IoT devices must become part of an overarching security risk assessment. You cannot manage or control what you don’t know exists. Only an assessment can yield this kind of information, with details on each device.

As more IoT devices enter the hospital, they need to be systematically cataloged and incorporated into the broader security-focused inventory. As part of the risk assessment, consider conducting penetration tests of IoT devices — the results of which can serve as proof points for gaining support for security measures.
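One way to put the inventory and the separate-subnetwork recommendations to work together, as an added example that is not part of the original article: reconcile the devices actually seen on the network against the catalog, and flag anything uncataloged or any cataloged IoT device sitting outside the IoT subnet. The subnet range, MAC addresses, CSV field names and device classes are all constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumption: the dedicated IoT subnetwork (constructed RFC 1918 range).
IOT_SUBNET = ipaddress.ip_network("10.50.0.0/24")

# Constructed sample: the cataloged inventory from the risk assessment.
INVENTORY_CSV = """mac,description,device_class
00:11:22:33:44:01,Patient telemetry monitor,iot
00:11:22:33:44:02,Infusion pump,iot
00:11:22:33:44:03,Smart outlet,iot
00:11:22:33:44:10,Nursing station PC,workstation
"""

# Constructed sample: devices currently seen on the network (e.g. DHCP leases).
OBSERVED_CSV = """mac,ip
00:11:22:33:44:01,10.50.0.21
00-11-22-33-44-02,10.20.0.57
00:11:22:33:44:10,10.20.0.12
AA:BB:CC:DD:EE:99,10.20.0.88
"""

def load(text):
    """Index CSV rows by MAC, normalized to lowercase colon-separated form."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["mac"].strip().lower().replace("-", ":"): r for r in rows}

def reconcile(inventory_csv, observed_csv, iot_subnet=IOT_SUBNET):
    """Return (findings, missing): policy violations seen on the network,
    and cataloged devices that were not observed at all."""
    inventory, observed = load(inventory_csv), load(observed_csv)
    findings = []
    for mac, seen in sorted(observed.items()):
        ip = ipaddress.ip_address(seen["ip"].strip())
        entry = inventory.get(mac)
        if entry is None:
            findings.append((mac, str(ip), "uncataloged device"))
        elif entry["device_class"] == "iot" and ip not in iot_subnet:
            findings.append((mac, str(ip), "IoT device outside IoT subnet"))
        elif entry["device_class"] != "iot" and ip in iot_subnet:
            findings.append((mac, str(ip), "non-IoT device on IoT subnet"))
    missing = sorted(set(inventory) - set(observed))
    return findings, missing

if __name__ == "__main__":
    findings, missing = reconcile(INVENTORY_CSV, OBSERVED_CSV)
    for mac, ip, issue in findings:
        print(f"{mac} {ip}: {issue}")
    print("cataloged but not seen:", missing)
```

Cataloged devices that never appear on the network are reported separately, since they may be retired, powered off, or connected somewhere the observation source does not cover.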

For practical purposes, there is no holding back the flood of IoT devices, both authorized and otherwise. The best security strategy is to get out front of this wave with practices and governance designed to secure what is already in place as well as what’s coming.
