A computer generation or two ago, IT managers fought a futile uphill battle to prevent rogue PCs from infiltrating the workplace, a battle fought largely in the name of data security. Their thinking was that if IT couldn’t manage it, they couldn’t secure it. Is history repeating itself with health care IoT devices?

Fast forward to the present health care environment. A new generation of digital devices, some authorized and others not, is flooding into hospitals. These Internet of Things (IoT) devices run the gamut, from highly sophisticated patient telemetry devices to smartphone-controlled outlets that remotely turn lights on or off. These devices have two things in common: They are connected via the internet to send and receive data, and they rank among the most insecure digital devices anywhere. As a result, these connected devices should be the main source of concern in hospitals.

Are Health Care IoT Devices Secure?

How vulnerable are some of these health care IoT devices? Consider last year’s highly publicized attack on Dyn, an internet backbone provider. Instead of going directly at their target, the attackers used a piece of malware called Mirai, which automatically discovers IoT devices — in this case, about 100,000 of them. Many were no more sophisticated than security cameras and baby monitors. The fraudsters then essentially lashed these compromised devices into a vast botnet, which was used to launch a successful distributed denial-of-service (DDoS) attack against Dyn, knocking out service for millions.

In hospitals, there are two kinds of IoT devices: those purchased by the hospital for patient care, and those increasingly brought into the workplace as convenience devices. Both types are often linked directly to the hospital’s Wi-Fi, which is often part of a flat network topology connecting all the hospital’s digital devices. It is entirely possible for cybercriminals to gain access to that network via the less secure convenience devices.

Bear in mind that the growth expectation for IoT devices rivals that of any other class of digital devices in history. Gartner estimated that the 8.4 billion IoT devices in use this year are up 31 percent over 2016, and said it expects that figure to swell to an astonishing 20.5 billion in 2020. Roughly 60 percent of these devices will be sold to consumers, while the remainder are special purpose business devices. To keep the consumer versions cheap, manufacturers make them with little to no security standards, and they usually arrive with very weak default passwords that few consumers bother to change.

Securing Insecure Devices

Given this unstoppable tsunami of IoT devices, there are several practical steps that health care IT professionals ought to consider in the interests of cybersecurity. First, understand that certain industry-specific groups are taking the lead in trying to assure the security of various technologies, notably IoT devices. In health care, one of the groups is the Health Information Trust Alliance (HITRUST), which developed its Common Security Framework to address the many security, privacy and regulatory hurdles facing health care IT.

Consider establishing formal awareness training for all hospital staff members when it comes to IoT devices and their security ramifications. Most if not all hospitals already undertake security training to help employees ward off phishing attempts and other nefarious cybercriminal activities. With IoT consumer devices that might find their way into the workplace, there is a need to stress their many security weaknesses. Some hospitals may even pursue an outright ban on bringing external IoT devices into the workplace.

It is also worth considering creating an entirely separate subnetwork just for IoT devices. In the event of a security breach, this subnetwork and the devices on it can be effectively isolated from the rest of the network infrastructure, thereby limiting access and damage to other hospital systems. Security and network staffing shortages can make setting up such a subnet challenging, but there are excellent third-party experts capable of handling this for you.

Taking Stock

Finally, and most importantly, a complete inventory of all IoT devices must become part of an overarching security risk assessment. You cannot manage or control what you don’t know exists. Only an assessment can yield this kind of information, with details on each device.

As more IoT devices enter the hospital, they need to be systematically cataloged and incorporated into the broader security-focused inventory. As part of the risk assessment, consider conducting penetration tests of IoT devices — the results of which can serve as proof points for gaining support for security measures.
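The separate IoT subnetwork and the device inventory described above can be checked against each other. The following is an added example, not part of the original article: it reconciles devices seen on the network with the inventory and the IoT subnet, and every address, MAC, device name and the 10.50.0.0/24 plan is constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical): one dedicated IoT subnet.
IOT_SUBNET = ipaddress.ip_network("10.50.0.0/24")

# Constructed inventory: MAC -> (description, device class). Not real devices.
INVENTORY = {
    "00:11:22:aa:00:01": ("infusion pump, ward 3", "iot"),
    "00:11:22:aa:00:02": ("patient telemetry monitor", "iot"),
    "00:11:22:aa:00:03": ("smart outlet, break room", "iot"),
    "00:11:22:bb:00:01": ("nursing workstation", "it"),
}

# Constructed observations, e.g. exported from DHCP leases: (MAC, IP).
OBSERVED = [
    ("00:11:22:AA:00:01", "10.50.0.21"),   # inventoried IoT on the IoT subnet
    ("00:11:22:aa:00:02", "10.10.4.77"),   # inventoried IoT on the flat network
    ("00:11:22:bb:00:01", "10.10.4.12"),   # workstation where it belongs
    ("00:11:22:cc:00:09", "10.10.4.200"),  # device nobody cataloged
]


def audit(observed, inventory, iot_subnet):
    """Return (mac, ip, finding) tuples for every mismatch between what is
    on the network, what is in the inventory, and the segmentation plan."""
    findings = []
    seen = set()
    for mac, ip in observed:
        mac = mac.lower()                  # normalize MAC case before lookup
        seen.add(mac)
        addr = ipaddress.ip_address(ip)
        entry = inventory.get(mac)
        if entry is None:
            findings.append((mac, ip, "not-in-inventory"))
        elif entry[1] == "iot" and addr not in iot_subnet:
            findings.append((mac, ip, "iot-outside-iot-subnet"))
        elif entry[1] != "iot" and addr in iot_subnet:
            findings.append((mac, ip, "non-iot-inside-iot-subnet"))
    # Inventory entries never observed: retired, offline, or on a network
    # segment the observation source does not cover.
    for mac in sorted(set(inventory) - seen):
        findings.append((mac, None, "inventoried-but-not-seen"))
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVED, INVENTORY, IOT_SUBNET):
        print(finding)
```
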

For practical purposes, there is no holding back the flood of IoT devices, both authorized and otherwise. The best security strategy is to get out front of this wave with practices and governance designed to secure what is already in place as well as what’s coming.
