This article was originally published in DOTmed here: https://www.dotmed.com/news/story/42548
The number of IoT devices used in the healthcare industry is exploding.
These interconnected devices can streamline healthcare processes, add safety measures, and improve patient outcomes. IoT adoption rates are rising so quickly that analysts predict that the healthcare IoT market will experience a 30 percent compound annual growth rate from 2017 to 2022.
Everything from insulin pumps to MR machines is now collecting, storing and transmitting data. To fully realize the benefits from IoT devices, healthcare companies face the challenge of securing these devices, as well as the HIPAA information these devices collect.
Why are IoT devices difficult to secure?
Organizations are struggling to locate and lock down IoT devices because most current firewalls and security solutions cannot see and secure these types of technology. Why is IoT security so much more challenging? IoT devices are designed differently than laptops or mobile phones. Many of these devices are “headless”, which means they do not have a specific user or input device. Hackers scan networks looking for security gaps, and many IoT devices are an easy target because:
• IoT devices automatically connect to the internet to send information to manufacturers and/or share information with other devices – sometimes without owners even realizing these devices are connecting outside the internal network
• Many IoT devices have no “user”, so most firewalls – the first line of defense – cannot “see” or protect these products because they can’t authenticate headless devices
• There is no common platform and operating system for these devices, and most IoT devices lack the memory and processing power for meaningful security
• Many IoT devices have no inherent security built in, or have weak IoT authentication and authorization protocols that cause a security gap
• Some IoT devices have hardcoded PINs in the firmware that cannot be patched or updated, so once the PIN is discovered, it is a permanent security gap
Unsecured or poorly secured endpoint devices, such as IoT applications, are one of the weakest points in the network. Without good network segmentation, a hacker who infiltrates one of these endpoints can move laterally within a healthcare organization’s network to steal data, resulting in HIPAA violations and fines, or worse, impacting the very lives organizations are trying to protect.
Solving the IoT challenge
Securing IoT devices is a challenge that needs to be on every healthcare organization’s priority list. A recent Ponemon Institute survey found that 46 percent of organizations (likely, most likely or definitely) have already experienced an attack due to insecure IoT devices. Healthcare organizations can close the gap with three key steps:
1) Know what IoT devices are connected to the network. This sounds simple, but only 15 percent of organizations have an inventory of most of their IoT applications. Since organizations cannot protect what they cannot see, healthcare organizations need a live inventory of every IoT device connected to their network. This inventory will detail what devices are connected and where the devices are located, as well as other information, such as operating systems and software versions. When running a live inventory, most organizations find multiple rogue or unknown devices connected to their network. The latest generation of network access control solutions provides visibility into ALL devices, including IoT.
2) Establish network access control policies for all devices. Once organizations have identified what devices are connected, a Network Access Control (NAC) solution can control the amount of access and the behavior of connected devices. It not only monitors the behavior of devices, but also automates the process of adding new devices to the network. Strong network access control policies also provide a HIPAA-compliant security control that can enforce appropriate information access policies, by person or device, for personal and medical mobile devices such as iPads or smartphones. In addition, many NAC solutions can simplify network segmentation. Splitting the network into smaller sections and limiting access between them is an important way to protect sensitive data in case of a breach. Sensitive data can be placed in separate network segments and isolated from common network areas for guests, contractors and non-medical IoT devices, such as security cameras, HVAC sensors and office equipment.
3) Automate the threat response process. Today, a network breach goes undetected for an average of 191 days, and companies then require another 66 days for containment. This leaves hackers with plenty of time to search the network and steal valuable information. With organizations facing hundreds, if not thousands, of alerts per week, it is difficult to separate the real alerts from the noise, and it then takes hours or days to research each issue. One way to streamline event resolution is to integrate with other security solutions and ingest multiple sources of log data, so that real security events can be accurately separated from false flags. A second benefit of automated threat response is that advanced solutions can correlate each event and the contextual information around it (the who, what, when and where) into one alert, dramatically decreasing the time required to investigate and remediate security incidents. The third benefit is that automated threat response can immediately quarantine a device that is acting suspiciously, protecting the network while the event is under investigation.
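The three steps above as an added Python example (not from the original article or any NAC product): it labels observed devices against an approved inventory, assigns each a network segment, and merges alerts from several sources into one incident per device. The MAC addresses, segment names, alert sources and the rule of quarantining only when two independent sources agree are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumptions for illustration only).
APPROVED = {  # MAC -> (device type, network segment)
    "00:11:22:aa:bb:01": ("infusion-pump", "clinical"),
    "00:11:22:aa:bb:02": ("hvac-sensor", "facilities"),
}
OBSERVED = [  # devices seen on the network: (MAC, IP, location)
    ("00:11:22:aa:bb:01", "10.1.0.15", "ward-3"),
    ("00:11:22:aa:bb:02", "10.2.0.40", "plant-room"),
    ("de:ad:be:ef:00:99", "10.1.0.77", "ward-3"),  # not in the inventory
]
ALERTS = [  # (log source, MAC, event, minute observed)
    ("ids", "00:11:22:aa:bb:02", "outbound to unknown host", 5),
    ("firewall", "00:11:22:aa:bb:02", "blocked cross-segment flow", 7),
    ("ids", "00:11:22:aa:bb:01", "protocol anomaly", 9),
]

def live_inventory(observed, approved):
    """Steps 1 and 2: label each observed device and pick its segment."""
    inv = {}
    for mac, ip, loc in observed:
        # Unknown devices default to an isolated segment.
        dtype, segment = approved.get(mac, ("unknown", "quarantine"))
        inv[mac] = {"ip": ip, "location": loc, "type": dtype,
                    "segment": segment, "rogue": mac not in approved}
    return inv

def correlate(alerts, inventory, min_sources=2):
    """Step 3: merge alerts per device into one incident with context."""
    grouped = defaultdict(list)
    for source, mac, event, minute in alerts:
        grouped[mac].append((source, event, minute))
    incidents = []
    for mac, events in grouped.items():
        dev = inventory.get(mac, {"type": "unknown", "location": "?"})
        sources = {s for s, _, _ in events}
        incidents.append({
            "mac": mac, "what": dev["type"], "where": dev["location"],
            "when": min(m for _, _, m in events),
            "events": [e for _, e, _ in events],
            # Quarantine only when independent log sources agree.
            "quarantine": len(sources) >= min_sources,
        })
    return incidents
```
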
As healthcare organizations continue to incorporate IoT devices, it is crucial to safeguard the network, patient data and patient lives. By identifying and automatically closing network security gaps, organizations can benefit from the advantages IoT devices deliver, while compensating for weak device security.