9 min read

Healthcare Security: How To Deploy IoT Securely

George V. Hulme

December 20, 2019

Healthcare Security: How To Deploy IoT Securely

The healthcare internet of things (IoT) market is expected to reach 543 billion by 2025 — at an annual growth rate of roughly 20%, according to a report from Grand View Research. Research firm Gartner pegs healthcare IoT growth in 2020 at 29%.

What’s fueling the growth is the thirst for real-time data to help improve health and manage chronic illness. The thinking being monitoring, mobile platforms, and analytics have cut the rate of readmissions of patients suffering from congestive heart failure, diabetes, and blood pressure, Grand View Research said in its statement.

There are a lot of examples of compelling reasons the healthcare industry will want to embrace IoT. IoT has helped hospitals reduce emergency room wait times by more than half only by using sensors and an algorithm that better matches patients to beds. Then there's telehealth and remote use of essential hospital diagnostics equipment that reduce office visits and speed time to diagnosis. Of course, there's improved remote monitoring, better inventory management, and new ways to manage chronic health better.

Other findings from Grand View:

  • In 2018, services held the largest revenue share owing to the high demand for improved decision-making in real-time and uninterrupted data flow between devices and people to uplift the efficiency of medical systems
  • Hospitals and clinics held the largest revenue share in 2018 due to increased investments by hospitals to encourage the usage of digital technologies
  • North America is expected to be the largest market owing to the growing adoption of healthcare IT solutions and the availability of sophisticated infrastructure in the region
  • Asia Pacific expected to witness the fastest CAGR over the forecast period due to growing investments by the pharmaceuticals & medical devices companies and increasing adoption of advanced technologies

So what about security? There are many things healthcare security teams need to do to ensure that their organizations are deploying healthcare IoT securely. 

First and foremost, teams must be aware of what IoT devices are in their environments; as they are added, they need to be brought to the attention of the IT and security team if they were not procured outside the IT department. Of course, rogue devices will make their way into the organization, so it's also crucial to monitor for traffic from unsanctioned devices. This should be done anyway.

It's essential that IT and security teams work to educate all staffers, contractors, and anyone else who may access the network and install rogue devices. It's a common and dangerous misconception held by many that because the devices are related to health that they are secure. It’s just not so.

It's not just the functionality and data of the device itself; it's also that poorly security devices can also be used to launch attacks elsewhere. As Luana Pascu wrote in her post We need IoT security standards, and we need them now; it was poorly secured devices that led to massive “Mirai” denial of service attacks in 2016 when half a million IoT devices were infected with the Mirai malware. The denial of service attacks were strong enough to take down sites such as Twitter and Amazon for an extended period.

In her post, Pascu quoted Bitdefender CEO Florin Talpes, who was speaking during a WebSummit cybersecurity panel, called for IoT security standards. "With all the attack data flowing around, a significant step forward would be for the high-tech industry to adopt communication, privacy, and security standards, as this is a "giant weakness for development today."

Standards in healthcare IoT were discussed in depth at the Healthcare Security Forum held in Boston, MA, earlier this month. According to a story from Jeff Lagasse in mobihealthnews.com, attendees discussed the preferred different approaches between those in the US and Europe.

In his story, he quoted Margie Zuk, senior principal cybersecurity engineer at MITRE, who has been working with the FDA on IoT cybersecurity regulation. She said that the FDA is taking a “whole-community approach to the problem” and cited the Cybersecurity Information Sharing Act and the Department of Health and Human Services task force from 2017 that brought together industry and government leadership to identify the top security priorities.

As we wrote in US DHS and FDA Face Medical Device Security Woes, the FDA detailed how medical device manufacturers should implement what it calls “a structured and comprehensive program to manage cybersecurity risks.” This means manufacturers should, according to the FDA: Have a way to monitor and detect cybersecurity vulnerabilities in their devices, understand, assess and detect the level of risk a vulnerability poses to patient safety, establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”), and deploy mitigations such as software patches to address cybersecurity before they can be exploited.

Since the FDA has updated some of its guidance, as we covered in the FDA Prescribes Safer Path for Connected Medical Devices, and HHS Urges FDA to Do More on Medical Device Security.

While the regulators in the US have (so far) chosen to collaborate with industry when it comes to healthcare IoT and medical device regulations, others want governments to be more heavy-handed. “I think there’s a role to be far more heavy-handed with the vendor community. … And we need regulations to be unified, because the challenges we face are similar. These are not siloed issues to any one country or health system. These are all shared issues,” Lagasse quoted Saif Abed, director of cybersecurity advisory services at AbedGraham as saying.

However, the IoT device manufacturing security eventually shakes itself out over the years ahead; healthcare organizations can't afford to wait. In addition to the preventive controls I mentioned above, healthcare organizations can demand their IoT hardware makers and services providers bring good security practices to the gear they make and deploy.

There are several places to get inspiration. There are the FDA recommendations for medical device manufacturers available here, and there are Canadian guidelines here. Some basics should be demanded of all devices, including no hardcoded passwords, suitable authentication mechanism, data encryption on the device and in transit, and the ability to easily centrally update and manage device configurations.

While governments can do more to help ensure healthcare IoT and medical devices are made securely, providers have an ultimate say: if they see devices aren't inherently secure and manageable, they can choose devices that are.

 

Contact an expert

tags


Author


George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

View all posts

You might also like

Bookmarks


loader