The installed base of healthcare IoT devices (not including wearables, such as fitness devices) is expected to grow from approximately 95 million in 2015 to 646 million in 2020, according to BI Intelligence’s The Internet of Things Ecosystem Research Report 2016. It’s evident that healthcare organizations must seriously consider the risks that the use of these IoT devices can pose and determine how to effectively secure their increasingly distributed healthcare environments.
IoT is growing in the world of healthcare
There are two sides to IoT in hospitals – the customer experience side and the administration/clinical side. It has truly become a consumer market for hospitals and other healthcare institutions. Organizations are being expected to provide new and improved patient care capabilities across the board, including hotel-like amenities. Patients are demanding the same comfort level they have when they’re at home. That includes high-speed wireless for devices and access to Hulu and Netflix while sitting in bed. If you’re going to spend any amount of time in a hospital, you want to be comfortable. People can choose what hospital they go to, and they are choosing based not only on the quality of the care but on the quality of the services provided.
IoT on the administrative and clinical side of the house
Healthcare was at the bleeding edge of IoT long before IoT was a household word. Doctors had pagers, then cell phones, before most people did. They have had PCs at every turn; now it’s smartphones and tablets. Doctors don’t even carry medical documentation with them anymore. They get pharmacology reports, lab results, even medical and diagnostic images, on their devices. Long gone are the days of patient charts hanging at the end of the patient’s bed. Instead, all patient data is entered into a computer that can be accessed by the entire medical team.
Then there are the medical devices. The next time you go into an ER, look around and count how many electronic devices are there. One issue is that the FDA regulates all medical devices that plug into the network (infusion pumps, EKGs, MRIs), so it is painful to update them. The latest and greatest software cannot be easily added and, even worse, most of these devices don’t have encryption. So, for these institutions, one of the biggest challenges is securing these devices.
The dangers of IoT in hospitals
The first draw for cybercriminals is the data, and there is a lot of it. The longer someone stays in the hospital using their wireless devices, the more data is generated. And the medical devices themselves are constantly feeding information back and forth, so there is an extraordinary amount of metadata. What makes it even more challenging is the fact that this data is the most expensive and most coveted on the Dark Web. Healthcare client records go for between $400 and $500 per record, versus a credit card record at just $4; you can see why the attacks continue to mount.
Then there is the danger of medical devices being hacked. Imagine an infusion pump in the ICU. A nurse sets the prescribed infusion rate of a medication, but someone hacks the device and starts pumping four times that rate into the patient. This can cause damage, paralysis – even death. All the while, the pump reads the original dosage. This is, of course, similar to what happened with Stuxnet in Iran. Stuxnet took control of centrifuges that were separating nuclear material and ran them at a much higher speed than was safe until the centrifuges tore themselves apart. Then Stuxnet got out “into the wild” and opened the door to the virus-related security challenges we have now.
What healthcare organizations need to consider
IoT flattens your attack surface. It makes everything accessible and everything suspect, so there should be zero trust with regard to anything that needs to be PCI and HIPAA compliant.
Security products today must address these issues and should provide integrated solutions that incorporate enterprise firewalls, internal segmentation firewalls and advanced threat protection. New software is able to tie the information from these devices together, from endpoint devices all the way through to electronic medical records. Doing so enables application awareness, making it easy to identify what applications are running within the medical practice. Internal segmentation lets IT teams isolate devices for PCI and HIPAA compliance, so staff can do their jobs while traffic traverses the network safely.
Another important piece of the puzzle is analytics. It’s not good enough anymore to be a reactive IT department; IT today must be proactive. This includes having a sandbox that proactively scans all the servers on the network to identify advanced threats that may have slipped through.
As far as the healthcare industry goes, security information and event management (SIEM) technology should be required. When a breach could put hundreds or thousands of patients’ sensitive information at risk, and cost an organization millions, real-time monitoring across your network and the ability to respond immediately to an event are crucial. Some of the recent mega-breaches we’ve seen in retail and other areas could have been avoided, or at least mitigated, if they had been monitoring and questioning unusual traffic within their networks. If you do not have a system that is proactively monitoring sensitive areas so you can respond to threats quickly, then you’re doing your organization, and your patients, an injustice.
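The segmentation and monitoring points above can be made concrete with a small policy check over flow records. The example below is added here and is not code from the article or from Fortinet; the segment names, address ranges, allow-list entries and the whitespace-separated log format are all constructed assumptions. It treats every source segment as default-deny, so a guest-Wi-Fi client reaching an infusion pump, or a pump reaching the internet, is reported as the kind of unusual traffic the paragraph says organizations should be questioning.

```python
"""Default-deny segmentation check over constructed flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed network segments. A real deployment would take these from the
# firewall or NAC inventory rather than hard-coding them.
SEGMENTS = {
    "infusion_pumps": ip_network("10.20.1.0/24"),
    "imaging": ip_network("10.20.2.0/24"),
    "clinical_servers": ip_network("10.30.0.0/24"),
    "guest_wifi": ip_network("172.16.0.0/16"),
}

# Allow-list per source segment: (destination segment, dport, proto).
# Anything not listed is a violation, i.e. default deny between segments.
POLICY: Dict[str, Set[Tuple[str, int, str]]] = {
    "infusion_pumps": {("clinical_servers", 443, "tcp")},
    "imaging": {("clinical_servers", 104, "tcp"), ("clinical_servers", 443, "tcp")},
    "clinical_servers": {("imaging", 104, "tcp")},
    "guest_wifi": {("internet", 80, "tcp"), ("internet", 443, "tcp")},
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name; unknown addresses count as 'internet'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_flow_log(text: str) -> List[Flow]:
    """Parse the constructed 'src dst dport proto' log format, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def find_violations(flows: List[Flow], policy=POLICY) -> List[Tuple[Flow, str]]:
    """Return every flow whose (src segment -> dst segment, port, proto) is not allow-listed."""
    violations = []
    for f in flows:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if (dst_seg, f.dport, f.proto) not in policy.get(src_seg, set()):
            violations.append((f, f"{src_seg} -> {dst_seg}:{f.dport}/{f.proto} not permitted"))
    return violations


# Constructed sample records: one pump-to-server flow, one guest-to-pump flow,
# one pump-to-internet flow, one imaging DICOM flow, one guest web flow.
SAMPLE_LOG = """\
# src dst dport proto
10.20.1.15 10.30.0.5 443 tcp
172.16.4.9 10.20.1.15 80 tcp
10.20.1.15 203.0.113.7 443 tcp
10.20.2.3 10.30.0.8 104 tcp
172.16.4.9 198.51.100.1 443 tcp
"""

if __name__ == "__main__":
    for flow, why in find_violations(parse_flow_log(SAMPLE_LOG)):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {why}")
```

Run as a script, it reports the guest-to-pump and pump-to-internet flows and stays silent on the three permitted ones. The useful property is that the policy is written per source segment, so a new device class that has not been given an allow-list entry is flagged by default rather than silently permitted.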
About the Author
Susan Biddle is the Sr. Director of Healthcare at Fortinet. She is a high technology and healthcare marketing executive with over 15 years’ experience driving new solutions from concept to market, managing diverse cross-functional teams and developing highly-effective marketing programs. Biddle is a results-oriented professional with expertise in strategic planning, market segmentation and research methodologies. She has a strong background in product & solutions marketing, demand generation and key IT infrastructure solution areas for the health and life sciences industry, such as translational research, digital health and connected care.
Edited by Alicia Young