A computer generation or two ago, IT managers fought a futile uphill battle to prevent rogue PCs from infiltrating the workplace, a battle fought largely in the name of data security. Their thinking was that if IT couldn’t manage it, they couldn’t secure it. Is history repeating itself with health care IoT devices?
Fast forward to the present health care environment. A new generation of digital devices, some authorized and others not, are flooding into hospitals. These Internet of Things (IoT) devices run the gamut, from highly sophisticated patient telemetry devices to smartphone-controlled outlets that remotely turn lights on or off. These devices two things in common: They are connected via the internet to send and receive data, and they rank among the most insecure digital devices anywhere. As a result, these connected devices should be the main source of concern in hospitals.
Are Health Care IoT Devices Secure?
How vulnerable are some of these health care IoT devices? Consider last year’s highly publicized attack on Dyn, an internet backbone provider. Instead of going directly at their target, the attackers used a piece of malware called Mirai, which automatically discovers IoT devices — in this case, about 100,000 of them. Many were no more sophisticated than security cameras and baby monitors. The fraudsters then essentially lashed these compromised devices into a vast botnet, which was used to launch a successful distributed denial-of-service (DDoS) attack against Dyn, knocking out service for millions.
In hospitals, there are two kinds of IoT devices: those purchased by the hospital for patient care, and those increasingly brought into the workplace as convenience devices. Both types are often linked directly to the hospital’s Wi-Fi, which is often part of a flat network topology connecting all the hospital’s digital devices. It is entirely possibly for cybercriminals to gain access to that network via the less secure convenience devices.
Bear in mind that the growth expectation for IoT devices rival that of any other class of digital devices in history. Gartner estimated that the 8.4 billion IoT devices in use this year are up 31 percent over 2016, and said it expects that figure to swell to an astonishing 20.5 billion in 2020. Roughly 60 percent of these devices will be sold to consumers, while the remainder are special purpose business devices. To keep the consumer versions cheap, manufacturers make them with little to no security standards, and they usually arrive with very weak default passwords that few consumers bother to change.
Securing Insecure Devices
Given this unstoppable tsunami of IoT devices, there are several practical steps that health care IT professionals ought to consider in the interests of cybersecurity. First, understand that certain industry-specific groups are taking the lead in trying to assure the security of various technologies, notably IoT devices. In health care, one of the groups is the Health Information Trust Alliance (HITRUST), which developed its Common Security Framework to address the many security, privacy and regulatory hurdles facing health care IT.
Consider establishing formal awareness training for all hospital staff members when it comes to IoT devices and their security ramifications. Most if not all hospitals already undertake security training to help employees ward off phishing attempts and other nefarious cybercriminal activities. With IoT consumer devices that might find their way into the workplace, there is a need to stress their many security weaknesses. Some hospitals may even pursue an outright ban on bringing external IoT devices into the workplace.
It is also worth considering creating an entirely separate subnetwork just for IoT devices. In the event of a security breach, this subnetwork and the devices on it can be effectively isolated from the rest of the network infrastructure, thereby limiting access and damage to other hospital systems. Security and network staffing shortages can make setting up such a subnet challenging, but there are excellent third-party experts capable of handling this for you.
Finally, and most importantly, a complete inventory of all IoT devices must become part of an overarching security risk assessment. You cannot manage or control what you don’t know exists. Only an assessment can yield this kind of information, with details on each device.
As more IoT devices enter the hospital, they need be systematically cataloged and incorporated into the broader security-focused inventory. As part of the risk assessment, consider conducting penetration tests of IoT devices — the results of which can serve as proof points for gaining support for security measures.
For practical purposes, there is no holding back the flood of IoT devices, both authorized and otherwise. The best security strategy is to get out front of this wave with practices and governance designed to secure what is already in place as well as what’s coming.
Listen to the podcast series: 5 Indisputable Facts about IoT Security
Associate Partner, Security Strategy Risk & Compliance, IBM
With more than 25 years of technical expertise, Dr. Mike Ash has experience in all phases of complex information systems lifecycle and product management. He...