How to protect against IoT Security Threats in Healthcare

Ann

Even as you finally managed to get your organizational assets and processes sustainably HIPAA-compliant, the healthcare industry exploded with IoT medical devices. You had thought emails, laptops and servers were a risky proposition, and now you have patients roaming about wearing tracking bracelets, IoT-based insulin infusion pumps and many other smart, connected devices aimed at increased non-intrusive access for remote health monitoring and patient engagement. Lately, the trend is to modify existing medical devices into IoMT (Internet of Medical Things) devices.

The enemy inside…

In recent years, many of the major system breaches have been initiated by insiders. According to the recent Internet of Health Things survey 2017 by Accenture, 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000. Obviously, the market on the Dark Web is thriving.

Beyond the theft of personal information through a compromised IoT device, exploitation can cause further harm: it can enable attacks on the associated network, enlist the devices in distributed denial of service (DDoS) attacks, and interfere with the physical safety of the devices themselves.

IoT medical (IoMT) devices and HIPAA

Although at-home medical care has been the focus of the IoT-based medical devices industry, most healthcare IoT deployments are still internal implementations, within a healthcare organization. Naturally, the devices fall under the purview of HIPAA and the HITECH Act.

A further point to consider is the nature of the data itself. The sheer volume, variety and velocity of real-time data collected by multiple sensors on multiple devices scattered over a large area makes its storage, security and management a daunting, not to say costly, issue.

The device manufacturers or the healthcare providers?

Both device manufacturers and health care delivery organisations are equally accountable for cyber security involving IoT enabled medical devices. This involves the protection of health data - at rest, in use and in transit.

While the onus of implementing the necessary security functions in the devices falls on the manufacturer, the healthcare facilities have the responsibility of maintaining a secure internal IT environment. Once in use, a device is expected to be monitored by both entities for possible attacks or intrusions.

Healthcare facilities typically prefer devices managed using a Public Key Infrastructure, which provides encryption using digital certificates. The devices should expose an API for secure connection and should accept software security updates.

The Zero Trust architecture for IT security, designed to address lateral threat movement, is becoming the norm in all businesses concerned with sensitive data. Based on the mindset “never trust, always verify”, this strategy is about validating the user, verifying the device, giving the user just the exact privilege for the task at hand and finally, using analytics and machine learning to improve the definition of what is risky behaviour and what is not, in the given context.
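As an added example, not code from the original post, the following Python sketch shows the four Zero Trust steps above as one access decision for an IoMT request: validate the user, verify the device, grant only the role's exact privilege, and apply a context-based risk check. The roles, permissions, device attributes and risk heuristics are all constructed for illustration and are not a specific product's policy.

```python
from dataclasses import dataclass

# Hypothetical role-to-permission table (least privilege): each role holds only
# the (resource, action) pairs its task needs. Constructed for this example.
ROLE_PERMISSIONS = {
    "nurse": {("vitals", "read")},
    "clinician": {("vitals", "read"), ("infusion_pump", "read"),
                  ("infusion_pump", "configure")},
    "biomed_tech": {("infusion_pump", "read"), ("infusion_pump", "update_firmware")},
}

# Privileged actions that may only be performed from the clinical network segment.
ON_PREMISES_ONLY = {"configure", "update_firmware"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    mfa_verified: bool        # identity validated with a second factor


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in the facility's device inventory
    attested: bool            # firmware/integrity attestation passed
    patched: bool             # security patches up to date


@dataclass(frozen=True)
class AccessRequest:
    user: User
    device: Device
    resource: str
    action: str
    on_premises: bool         # request originates from the clinical segment
    hour: int                 # local hour of day (0-23), used as behavioural context


def risk_score(req: AccessRequest) -> int:
    """Stand-in for the analytics step: add risk for context that deviates from
    the expected pattern. Constructed heuristics, not a real risk engine."""
    score = 0
    if not req.on_premises:
        score += 2
    if req.hour < 6 or req.hour > 22:      # outside normal shift hours
        score += 1
    if req.action in ON_PREMISES_ONLY:     # privileged actions carry more weight
        score += 1
    return score


def evaluate(req: AccessRequest, risk_threshold: int = 3) -> tuple[bool, str]:
    """Return (allowed, reason). Every request is checked in full; nothing is
    trusted merely because it arrives from inside the network."""
    # 1. Validate the user: identity must be MFA-verified and the role known.
    if not req.user.mfa_verified:
        return False, "user identity not verified (MFA required)"
    if req.user.role not in ROLE_PERMISSIONS:
        return False, f"unknown role {req.user.role!r}"
    # 2. Verify the device: it must be inventoried, attested and patched.
    if not req.device.managed:
        return False, f"device {req.device.device_id} is not in the inventory"
    if not req.device.attested:
        return False, f"device {req.device.device_id} failed attestation"
    if not req.device.patched:
        return False, f"device {req.device.device_id} is missing security patches"
    # 3. Least privilege: the role must hold exactly this (resource, action).
    if (req.resource, req.action) not in ROLE_PERMISSIONS[req.user.role]:
        return False, f"role {req.user.role!r} may not {req.action} {req.resource}"
    if req.action in ON_PREMISES_ONLY and not req.on_premises:
        return False, f"{req.action} is only permitted from the clinical network"
    # 4. Context/analytics: deny when the accumulated risk is too high.
    score = risk_score(req)
    if score >= risk_threshold:
        return False, f"risk score {score} exceeds threshold {risk_threshold}"
    return True, "allowed"


if __name__ == "__main__":
    nurse = User("n-101", "nurse", mfa_verified=True)
    pump = Device("pump-07", managed=True, attested=True, patched=True)
    print(evaluate(AccessRequest(nurse, pump, "vitals", "read", True, 10)))
    print(evaluate(AccessRequest(nurse, pump, "infusion_pump", "configure", True, 10)))
```

The order of the checks matters: identity and device posture are established before any privilege question is asked, so a stolen credential on an unmanaged device is refused before the role table is even consulted, and the reason string gives the operator something concrete to log.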

IoMT Platforms

End-to-end cloud solutions by major companies like Intel, Amazon, Qualcomm, Azure etc. claim to be able to work with a variety of devices, literally millions of them, and to receive millions of messages per second, all the while keeping track of and communicating with all devices. They all claim to be compliant with the rules of HIPAA/HITECH, HITRUST (CSF) and PCI DSS amongst others and are therefore considered safe options for reliable and secure cloud-to-device, device-to-device and device-to-cloud communication.

Is that all it takes?

Obviously not.

At the Gartner Symposium/ITxpo, one of the findings presented by Gartner was that through 2020, 95 percent of cloud security failures will be the customer's fault. As a healthcare provider, you cannot assume that your responsibility is over once a secure cloud solution is put in place. The type of device and technology you are connecting with, and the kind of data created, stored, permitted access to and flowing all across your network, are all critical points to be examined thoroughly beforehand. It is important to analyze how these smart devices interact with the data in your healthcare ecosystem, as well as how the humans involved (users, staff and associates) do the same. The system will need to be configured to suit the particular workload.

Here are some tips for proactive protection at healthcare facilities when introducing IoT devices:

  • Securing the internal IT network environment, even using a separate network with secure, dedicated web gateways and staff
  • Seamless integration of the various devices with the IoT platform, and of the platform with the facility’s relevant enterprise applications
  • Implementing security recommendations from the device manufacturer
  • Implementing intrusion detection and other defenses, isolating the network and blocking traffic from unauthorized IP addresses
  • Increasing awareness among staff and patients regarding the risks, since the safeguards cover not just cyber risks but physical and administrative ones as well
  • A two-factor authentication system, already a standard for HIPAA compliance
  • Careful validation of any COTS (Commercial Off-The-Shelf) or SOUP (Software of Unknown Provenance) software that you propose to use
  • A system and processes for monitoring and inventorying the IoT devices on the network, also to ensure that device security patches are up to date. For example, rather than settling for default settings, restrict shared device data from leaving the premises, or create the necessary user groups, location-based access etc. to suit the context
  • Changing default user names/passwords and turning off devices when not in use
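Three of the tips above (an inventory with patch status, blocking traffic from unauthorized addresses, and changing default credentials) can be checked mechanically. The Python below is an added example, not part of the original article: it audits a constructed device inventory for default credentials and outdated firmware, and reviews a few constructed connection log lines for sources outside the approved network segments or from devices that are not in the inventory. The inventory, firmware baseline, log format and address ranges are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryDevice:
    device_id: str
    ip: str
    model: str
    firmware: str
    credentials_changed: bool     # factory default user name/password replaced


# Hypothetical IoMT inventory, constructed for this example.
INVENTORY = [
    InventoryDevice("pump-01", "10.20.5.11", "infusion-x", "2.4.1", True),
    InventoryDevice("pump-02", "10.20.5.12", "infusion-x", "2.3.0", False),
    InventoryDevice("band-17", "10.20.6.40", "track-band", "1.9.0", True),
]

# Latest vendor firmware per model, as tracked by the facility (constructed).
LATEST_FIRMWARE = {"infusion-x": "2.4.1", "track-band": "1.9.0"}

# Network segments from which IoMT device traffic is expected (constructed).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/24"),
                   ipaddress.ip_network("10.20.6.0/24")]

# Constructed gateway log lines in a simple key=value format.
SAMPLE_LOG = [
    "2024-03-01T08:02:11Z src=10.20.5.11 dst=10.20.1.10 dev=pump-01 action=connect",
    "2024-03-01T08:02:30Z src=10.20.5.99 dst=10.20.1.10 dev=pump-09 action=connect",
    "2024-03-01T08:03:05Z src=192.0.2.44 dst=10.20.1.10 dev=pump-01 action=connect",
    "2024-03-01T08:04:00Z src=10.20.6.40 dst=10.20.1.10 dev=band-17 action=telemetry",
    "2024-03-01T08:05:00Z gateway heartbeat ok",   # no connection fields; skipped
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dev=(?P<dev>\S+)")


def version_tuple(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(devices, latest_firmware):
    """Return (device_id, finding) pairs for default credentials and stale firmware."""
    findings = []
    for dev in devices:
        if not dev.credentials_changed:
            findings.append((dev.device_id, "default credentials still in use"))
        baseline = latest_firmware.get(dev.model)
        if baseline is None:
            findings.append((dev.device_id, f"no firmware baseline for model {dev.model}"))
        elif version_tuple(dev.firmware) < version_tuple(baseline):
            findings.append((dev.device_id, f"firmware {dev.firmware} behind latest {baseline}"))
    return findings


def review_connections(log_lines, devices, allowed_networks):
    """Flag connections from outside the approved segments and from addresses
    that do not belong to any inventoried device."""
    known_ips = {dev.ip for dev in devices}
    alerts = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if match is None:
            continue                      # not a connection record
        src = ipaddress.ip_address(match["src"])
        if not any(src in net for net in allowed_networks):
            alerts.append(("unauthorized source", match["src"], match["dev"]))
        elif match["src"] not in known_ips:
            alerts.append(("uninventoried device", match["src"], match["dev"]))
    return alerts


if __name__ == "__main__":
    for device_id, finding in audit_inventory(INVENTORY, LATEST_FIRMWARE):
        print(f"{device_id}: {finding}")
    for kind, src, dev in review_connections(SAMPLE_LOG, INVENTORY, ALLOWED_SOURCES):
        print(f"{kind}: src={src} claimed device={dev}")
```

The two functions are deliberately separate: the inventory audit runs on a schedule against records the facility already keeps, while the connection review runs over gateway logs and catches the devices the inventory does not know about, which is exactly the gap the monitoring tip is meant to close.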

In conclusion...

Healthcare organizations are being forced to walk a tightrope, trying to provide transparency and satisfaction to consumers while striving to prevent the relentless hackers from compromising patient information. Cybersecurity should not have to wait until an incident occurs and reputation, built up in years, goes up in smoke.