How to protect against IoT Security Threats in Healthcare
Even as you finally managed to get your organizational assets and processes sustainably HIPAA-compliant, the healthcare industry exploded with IoT medical devices. You had thought emails, laptops and servers were a risky proposition and now you have patients roaming about wearing tracking bracelets, IoT based insulin infusion pumps and many other smart, connected devices aimed at increased non-intrusive access for remote health monitoring and patient engagement. Lately, there is the trend of modifying existing medical devices to IoMT (Internet of Medical Things) devices.
In recent years, many of the major system breaches have been initiated by insiders. According to the recent Internet of Health Things survey 2017 by Accenture, 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000. Obviously, the market on the Dark Web is thriving.
Besides stealing of personal information by hackers through a compromised IoT device, cyber-exploitation would involve further harm by enabling attack on the associated network, causing the participation of the devices in Denial of Service Attacks (DDoS) AND interfering with the physical safety of the devices.
Although at-home medical care has been the focus of the IoT based medical devices industry, most healthcare IoT deployments are still internal implementations - within a healthcare organization. Naturally, the devices fall under the purview of HIPAA and Hitech Act.
A further point to consider is the nature of the data itself. The sheer volume, variety and velocity of real time data collected by multiple sensors on multiple devices scattered over a large area makes its storage, security and management a daunting, not to say costly, issue.
Both device manufacturers and health care delivery organisations are equally accountable for cyber security involving IoT enabled medical devices. This involves the protection of health data - at rest, in use and in transit.
While the onus of implementing the necessary security functions in the devices falls on the manufacturer, the healthcare facilities have the responsibility of maintaining a secure internal IT environment. Once in use, a device is expected to be monitored by both entities for possible attacks or intrusions.
Healthcare facilities typically prefer devices managed using Public Key Infrastructure which provides encryption using digital certificates. The devices should have implemented API to for secure connection and should accept software security updates.
The Zero Trust architecture for IT security designed to address lateral threat movement is becoming the norm in all businesses concerned with sensitive data. Based on the mindset “never trust, always verify”, this strategy is about validating the user, verifying the device, giving the user just the exact privilege for the task at hand and finally, using analytics and machine learning to improve the definition of what is risky behaviour and what is not, in the given context.
End-to-end cloud solutions by major companies like Intel, Amazon, Qualcomm, Azure etc claim to be able to work with a variety of devices, literally millions of them, receive millions of messages per second, all the while keeping track of and communicating with all devices. They all claim to be compliant with the rules of HIPAA/HITECH, HITRUST (CSF) and PCI DSS amongst others and are therefore considered safe options for reliable and secure cloud to device, device to device and device to cloud communication.
Obviously not.
At the Gartner Symposium/ITxpo, one of the findings presented by Gartner was that through 2020, 95 percent of cloud security failures will be the customer's fault. As a healthcare provider, you cannot assume that your responsibility is over once a secure cloud solution is put in place. The type of device and technology you are connecting with, the kind of data created, stored and permitted access to and flowing all across your network are all critical points to be examined thoroughly beforehand. It is important to analyze how these smart devices interact with the data in your healthcare ecosystem as well as how the humans involved – users, staff and associates do the same. The system will need to be configured to suit the particular workload.
Here are some tips for proactive protection at healthcare facilities when introducing IoT devices:
Healthcare organizations are being forced to walk a tightrope, trying to provide transparency and satisfaction to consumers while striving to prevent the relentless hackers from compromising patient information. Cybersecurity should not have to wait until an incident occurs and reputation, built up in years, goes up in smoke.
Related Articles