With the incidents of healthcare-industry cyberattacks and data breaches increasing, the issue of medical devices that are connected via the Internet of Things (IoT) will surely be coming more and more into the spotlight. The reason is clear: Those IoT medical devices are all interconnected on their own “Web,” and carry their own digital signatures, IP addresses, and, most distressingly, patient medical data that can be hacked, read, exploited and dumped by predatory cybercriminals. According to Forrester research analyst Chris Sherman and his May 2016 report on the growing crisis, Healthcare’s IoT Dilemma: Connected Medical Devices, “You have less control over connected medical devices than any other aspect of your technology environment. Many times, vendors control patch and update cycles, and vulnerabilities persist that require segmentation from your network. Considering that many of these devices are in direct contact with patients, this is a major cause for concern.”
Surgeons in action
Indeed, but here are 5 ways to protect medical devices on the Internet of Things from cyber breach or data exploit:
Categorize potential cyberattack risk of existing devices. Once electronic medical devices are placed on wireless networks, they become part of an interlinked (and hackable) system. A website like Shodan, a.k.a. “The search engine for the Internet of Things,” catalogs devices on the IoT and exposes myriad searchable endpoints globally that lack proper security. Medical device security watchdogs should then use sites like Shodan to calculate the riskiness of having that heart monitor, CAT scanner or IV-drip on the IoT and step up their security accordingly.
2. Establish a clinical risk management framework. This one rightly follows on the heels of number one, as it is sequentially relevant and is based on language in the Sherman/Forrester report that calls for a risk-management “framework [that] focuses on how to manage and balance risks associated with safety, effectiveness and data/system security. It will help you determine the risk levels of your medical devices, mitigate and control that risk, and ultimately bring the risk exposure of your hospital network to acceptable levels.”
Ensure your enterprise or organization follows strict security “hygiene”. The Forrester Research report states that the great majority of healthcare data breach cases in recent years were due to “social engineering and spear-phishing attacks”. This shows that there needs to be a deep awareness of corporate culture within vulnerable industries, and tighter controls on employee access and greater recognizance of the aforementioned cyber threats and attacks. Security control in healthcare needs to adopt “frequent, relevant, and engaging communication to ensure [their] workforce doesn’t miss security messages,” according to the report.
Arrange security requirements in new device requests’ proposals and contract verbiage. It’s important to note that as potential customers, healthcare organizations DO have the power to get manufacturers of vulnerable devices to agree to special security requirements in proposals and contracts for IoT-connected device rollouts or upgrades.
Implement a no-tolerance, zero-trust networking policy. This relies on the fact that you can’t control what’s coming at your data network from “out there,” but you sure can control how you respond from within your organization. Adopting ubiquitous security procedures rather than just perimeter measures; including risk-based, segmented devices, and enforcing zero-trust policies that vet-out any conceivably possible cybersecurity threat will help cement across-the-board security measures that protect healthcare data networks far better than mostly passive, perimeter controls.
The Forrester Report ends on this note: Although tech innovation in healthcare holds great promise to improve the “quality and speed with which patient care is delivered, the unfortunate reality is that security is all too often an afterthought in the design and development of these innovative new technologies. This is especially true for IP-enabled medical devices.”