A computer generation or two ago, IT managers fought a futile uphill battle to prevent rogue PCs from infiltrating the workplace, a battle fought largely in the name of data security. Their thinking was that if IT couldn’t manage it, they couldn’t secure it. Is history repeating itself with health care IoT devices?

Fast forward to the present health care environment. A new generation of digital devices, some authorized and others not, are flooding into hospitals. These Internet of Things (IoT) devices run the gamut, from highly sophisticated patient telemetry devices to smartphone-controlled outlets that remotely turn lights on or off. These devices have two things in common: They are connected via the internet to send and receive data, and they rank among the most insecure digital devices anywhere. As a result, these connected devices should be the main source of concern in hospitals.

Are Health Care IoT Devices Secure?

How vulnerable are some of these health care IoT devices? Consider last year’s highly publicized attack on Dyn, an internet backbone provider. Instead of going directly at their target, the attackers used a piece of malware called Mirai, which automatically discovers IoT devices — in this case, about 100,000 of them. Many were no more sophisticated than security cameras and baby monitors. The fraudsters then essentially lashed these compromised devices into a vast botnet, which was used to launch a successful distributed denial-of-service (DDoS) attack against Dyn, knocking out service for millions.

In hospitals, there are two kinds of IoT devices: those purchased by the hospital for patient care, and those increasingly brought into the workplace as convenience devices. Both types are often linked directly to the hospital’s Wi-Fi, which is often part of a flat network topology connecting all the hospital’s digital devices. It is entirely possible for cybercriminals to gain access to that network via the less secure convenience devices.

Bear in mind that the growth expectation for IoT devices rivals that of any other class of digital devices in history. Gartner estimated that the 8.4 billion IoT devices in use this year are up 31 percent over 2016, and said it expects that figure to swell to an astonishing 20.5 billion in 2020. Roughly 60 percent of these devices will be sold to consumers, while the remainder are special purpose business devices. To keep the consumer versions cheap, manufacturers make them with little to no security standards, and they usually arrive with very weak default passwords that few consumers bother to change.

Securing Insecure Devices

Given this unstoppable tsunami of IoT devices, there are several practical steps that health care IT professionals ought to consider in the interests of cybersecurity. First, understand that certain industry-specific groups are taking the lead in trying to assure the security of various technologies, notably IoT devices. In health care, one of the groups is the Health Information Trust Alliance (HITRUST), which developed its Common Security Framework to address the many security, privacy and regulatory hurdles facing health care IT.

Consider establishing formal awareness training for all hospital staff members when it comes to IoT devices and their security ramifications. Most if not all hospitals already undertake security training to help employees ward off phishing attempts and other nefarious cybercriminal activities. With IoT consumer devices that might find their way into the workplace, there is a need to stress their many security weaknesses. Some hospitals may even pursue an outright ban on bringing external IoT devices into the workplace.

It is also worth considering creating an entirely separate subnetwork just for IoT devices. In the event of a security breach, this subnetwork and the devices on it can be effectively isolated from the rest of the network infrastructure, thereby limiting access and damage to other hospital systems. Security and network staffing shortages can make setting up such a subnet challenging, but there are excellent third-party experts capable of handling this for you.

Taking Stock

Finally, and most importantly, a complete inventory of all IoT devices must become part of an overarching security risk assessment. You cannot manage or control what you don’t know exists. Only an assessment can yield this kind of information, with details on each device.

As more IoT devices enter the hospital, they need to be systematically cataloged and incorporated into the broader security-focused inventory. As part of the risk assessment, consider conducting penetration tests of IoT devices — the results of which can serve as proof points for gaining support for security measures.
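The inventory and the separate IoT subnetwork described above can be checked against each other. The following is an added example, not part of the original article: it reconciles observed devices (for instance, from a DHCP lease export) with an approved inventory and flags anything unknown or sitting outside the IoT segment. The subnet, MAC addresses, device names and function names are all constructed for illustration.

```python
import ipaddress

# Assumption: the segment reserved for IoT devices (constructed value).
IOT_SUBNET = ipaddress.ip_network("10.50.0.0/24")

# Constructed approved inventory, keyed by MAC address.
INVENTORY = {
    "00:1A:2B:00:00:01": {"name": "telemetry-monitor-3w", "owner": "biomed"},
    "00:1a:2b:00:00:02": {"name": "infusion-pump-icu-7", "owner": "biomed"},
    "00:1a:2b:00:00:03": {"name": "badge-reader-lobby", "owner": "facilities"},
}

# Constructed observations, e.g. exported from DHCP leases: (MAC, IP).
OBSERVED = [
    ("00-1a-2b-00-00-01", "10.50.0.11"),  # inventoried, on the IoT segment
    ("00:1a:2b:00:00:02", "10.10.4.87"),  # inventoried, but on the flat network
    ("de:ad:be:ef:00:10", "10.10.4.90"),  # not inventoried, on the flat network
    ("DE:AD:BE:EF:00:11", "10.50.0.40"),  # not inventoried, on the IoT segment
]

def normalize_mac(mac):
    """Lower-case and use ':' separators so lookups are consistent."""
    return mac.strip().lower().replace("-", ":")

def reconcile(inventory, observed, iot_subnet):
    """Sort observed devices into ok / misplaced / unknown, plus not_seen."""
    known = {normalize_mac(m): info for m, info in inventory.items()}
    findings = {"ok": [], "misplaced": [], "unknown": [], "not_seen": []}
    seen = set()
    for raw_mac, ip in observed:
        mac = normalize_mac(raw_mac)
        seen.add(mac)
        if mac not in known:
            findings["unknown"].append((mac, ip))      # inventory gap
        elif ipaddress.ip_address(ip) in iot_subnet:
            findings["ok"].append((mac, ip))           # cataloged and isolated
        else:
            findings["misplaced"].append((mac, ip))    # cataloged, not isolated
    # Inventoried devices that never appeared: retired, offline or mislabeled.
    findings["not_seen"] = sorted(set(known) - seen)
    return findings

if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED, IOT_SUBNET).items():
        print(category, items)
```

MAC addresses can be changed or randomized by a device, so the output is a triage list for follow-up rather than proof of identity.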

For practical purposes, there is no holding back the flood of IoT devices, both authorized and otherwise. The best security strategy is to get out front of this wave with practices and governance designed to secure what is already in place as well as what’s coming.
