By Brian Wells, CTO, Merlin International

How Healthcare Organizations Can Reduce the Cybersecurity Risks of IoT

The increasing adoption of IoT

If you walk through the corridors of a hospital today, you will inevitably be surrounded by the Internet of Things (IoT). From X-ray machines to heart monitors to even HVAC units and refrigerators, healthcare organizations are turning to connected devices and machines to provide not only better care, but an improved “patient experience.”

Because of this, the IoT’s presence within the industry is expected to increase rapidly for the immediate future: The IoT healthcare market is growing 30.8 percent every year, and is projected to reach just over $158 billion by 2022, up from $41.22 billion this year, according to research from MarketsandMarkets.

By 2018, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently present within 64 percent of organizations) followed by energy meters (56 percent) and X-ray/imaging devices (33 percent). Four of five executives expect IoT to encourage more innovation, while about three-quarters anticipate that it will expand organization-wide visibility and boost cost-savings.

Proactive steps to prevent security breaches

Yet, there are concerns about the technology, as 89 percent of healthcare organizations have suffered from an IoT-related breach, according to the Aruba research. Hackers are well aware, of course, that IoT brings new vulnerabilities, and they are eager to exploit them. In April, testimony from a top Merck & Company cybersecurity executive before the House Committee on Energy and Commerce’s Oversight and Investigations Subcommittee validated the concerns.

“In just the last few years … we’ve seen more than a hundred million health records of American citizens (compromised or threatened) in a couple of well-publicized incidents,” said Terry Rice, vice president of IT risk management and chief information security officer (CISO) at Merck. “We have seen how software vulnerabilities in insulin pumps and pacemakers can be exploited to cause potentially lethal attacks. And we have witnessed entire hospitals in the United States and the U.K. shutting down for multiple days to combat ransomware infections in critical systems. Unfortunately, I believe these incidents underrepresent the risk we are facing.”

Given these developments, healthcare CISOs and their teams should consider the following proactive steps to prevent horror-movie-like “Attack of the Connected, Wild Things” scenarios – steps that address both the technological and the human elements of this emerging technology:

Segment everything

You should create a dedicated, separate network for IoT. With a segmented architecture fortified by its own firewalls, you ensure that IoT devices never interact with the rest of your enterprise network environment – including patients’ personal information, fiscal reports, HR records, etc. Connected devices and machines communicate only with the servers that support them, and only over the ports and to the destinations those services require. Thus, if attackers compromise a device, there is only so much damage they can do, because its activity and any malware on it are sealed off from everything else.

Establish controls over implementation

Frankly, organizations are taking an “anything goes” approach with IoT – one that undermines their ability to properly oversee and control it. A facilities manager, for example, could decide to install a connected alarm system in the elevators. An anesthesiologist may plug in a new product to see how it works. Hospitals win research grants all the time, and these grants often arrive with IoT-enabled technologies to assess.

In too many cases, however, all of this takes place without bringing in the CISO. Non-IT executives approve an acquisition, and their staffers simply “plug in” without considering whether they are introducing new vulnerabilities. So, clearly, CISOs must work with C-suite leaders to establish policies that require the involvement of security teams in any IoT initiative, large or small, with threat vigilance built into the process.

Expanding visibility

The CISO’s mantra, “You can’t protect what you can’t see,” is more relevant than ever. It is difficult to protect the enterprise, after all, if you don’t know who is plugging in what, and where. With effective, organization-wide visibility into all systems activity, you are notified every time a new IP address shows up. When one does, you can verify whether it is properly sealed off within your segmented IoT network. If it isn’t, you can shut it down until IT can locate the device and move it to the segmented network.
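As an added example (not from the article or from Merlin International), the following Python routine combines the two checks described under “Segment everything” and here: a newly seen address is compared against an asset register and the IoT segment, and a connection from a known device is compared against the servers and ports that support it. The IoT address range, the MAC addresses, the allowed servers and the log line format are all constructed assumptions.

```python
import ipaddress
import re

# Assumed dedicated IoT segment (constructed range, not from the article).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
# Constructed asset register: MAC -> (device class, allowed (server, port) pairs),
# i.e. the only servers and ports each device is supposed to reach.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("patient-monitor", {("10.50.250.10", 443)}),
    "00:1a:2b:3c:4d:02": ("xray-imaging", {("10.50.250.20", 104)}),
}
# Constructed events in an assumed format: "new-host mac=<mac> ip=<ip>" when an
# address is first seen, "flow src=<ip> dst=<ip> dport=<port>" for a connection.
SAMPLE_LOG = """\
new-host mac=00:1a:2b:3c:4d:01 ip=10.50.12.7
new-host mac=00:1a:2b:3c:4d:02 ip=10.20.4.15
new-host mac=00:1a:2b:3c:4d:99 ip=10.50.12.8
flow src=10.50.12.7 dst=10.50.250.10 dport=443
flow src=10.50.12.7 dst=10.10.1.5 dport=445
"""

def parse(line):
    kind, _, rest = line.partition(" ")
    return kind, dict(re.findall(r"(\w+)=(\S+)", rest))

def check_new_host(ev, ip_to_mac):
    """Is the new address a registered IoT device, and is it inside the segment?"""
    in_iot = ipaddress.ip_address(ev["ip"]) in IOT_SEGMENT
    mac = ev["mac"].lower()
    if mac in INVENTORY:
        ip_to_mac[ev["ip"]] = mac
        return "ok" if in_iot else "quarantine:registered-iot-device-outside-segment"
    return "quarantine:unregistered-device-in-iot-segment" if in_iot else "review:unknown-host"

def check_flow(ev, ip_to_mac):
    """Does a known IoT device talk only to the servers and ports that support it?"""
    mac = ip_to_mac.get(ev["src"])
    if mac is None:
        return "review:flow-from-unknown-host"
    allowed = (ev["dst"], int(ev["dport"])) in INVENTORY[mac][1]
    return "ok" if allowed else "alert:iot-device-outside-allow-list"

def triage(log=SAMPLE_LOG):
    ip_to_mac, verdicts = {}, []  # (line, verdict) pairs for every event
    for line in log.splitlines():
        kind, ev = parse(line)
        checker = {"new-host": check_new_host, "flow": check_flow}.get(kind)
        if checker:
            verdicts.append((line, checker(ev, ip_to_mac)))
    return verdicts
```

In the sample, the imaging device that appears on a non-IoT address and the unregistered device inside the IoT segment are both flagged for quarantine, and the monitor’s connection to an SMB port outside its allow-list raises an alert.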

Maximizing the benefits of IoT

As always, hospital executives, doctors, nurses and other staffers are dedicated to delivering the best care available for their patients. More than ever, they are discovering that IoT is making this possible. But to maximize the benefits of these innovations without placing the network, systems and data at risk, IT must collaborate closely with operations and business units so that IoT is sufficiently segmented and nothing is introduced that can harm anything outside of its own contained ecosystem. In other words, you can take advantage of many “good things” through these devices without unleashing an army of “wild things.”