CONFERENCE Now Live: CISO Forum Virtual Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

IoT Security Meets Healthcare: What You Need to Know

Much like smart devices have infiltrated and helped spaces like industrial operations and the enterprise, IoT has taken hold in healthcare. The Internet of Medical Things (IoMT) — networked medical devices and applications in healthcare IT — has forever changed the future strategies for healthcare organizations and the space as a whole. It’s added an entirely new layer of possible benefits affecting diagnostics, treatments and general patient health management while lowering cost in the process.

Much like smart devices have infiltrated and helped spaces like industrial operations and the enterprise, IoT has taken hold in healthcare. The Internet of Medical Things (IoMT) — networked medical devices and applications in healthcare IT — has forever changed the future strategies for healthcare organizations and the space as a whole. It’s added an entirely new layer of possible benefits affecting diagnostics, treatments and general patient health management while lowering cost in the process. All of this was on full display earlier this month at the annual HIMSS (Healthcare Information and Management Systems Society) Conference in Orlando. 

But there’s a big caveat for all the good IoMT can offer. Like in any environment, more connected devices means a larger attack surface. I’s been proven time and again that security breaches are a significant challenge for healthcare organizations, resulting in major fallout. Security is not optional. 

The Issue at Hand 

IoMT DevicesHealthcare providers are beginning to experience higher scrutiny with the prevalence of cyber attacks on healthcare organizations. WannaCry ransomware did significant damage in 2017. Both management systems and medical devices were directly infected, interrupting healthcare services and placing patients at risk. Britain’s National Health Service (NHS) experienced the worst of it, at one point resorting to good old pen and paper. According to reports, the attack cost the NHS almost £100 million and the cancellation of 19,000 appointments. The interesting part is that it wasn’t even the direct target of the attack. Locking down NHS systems was just collateral damage. Imagine if it had been done with intent and precision. 

The incident prompted medical device manufacturers to release security advisories. The FDA in the U.S. also provided its own recommendations. But companies are not obligated to follow them as they are guidelines and not legal mandates. Due to the lack of legal consequences, many manufacturers are not incentivized to add provisions about medical device security in their contracts. Ultimately, healthcare providers using these medical devices are placed in a compromising position, dealing with the aftermath of breaches and cyber attacks due to the general poor risk management.

It’s in the Legacy

But where do these issues stem from? Healthcare organizations believe that most of their security woes come from the flaws in legacy devices more than their implementations — a debatable topic. But digital technology does become old fast, unlike its hardware counterparts, leading to risk for both healthcare providers and patients as updates are slow to roll out and inconvenient to implement over time. 

Additionally, manufacturers don’t allow customers to troubleshoot or patch devices, sometimes voiding warranties if customers do. Add this to devices often lacking encryption and the use of hard-coded credentials, and you have a recipe for potential disaster that is only made worse by generally lax security controls in the healthcare space. 

Best Practices Matter

Advertisement. Scroll to continue reading.

Beyond manufacturer-related security issues, organizational lapses can also negatively affect security. Gaps in security ownership, coupled with poor asset and inventory visibility, actually lead to the greatest risk of a breach, according to a recent KLAS/ CHIME benchmarking report. 

The key to nipping the issue in the bud is to establish a centralized security strategy to anticipate and prevent potential threats, and bridge any gaps across operations. At the core of this effort should rest a robust technology stack that helps manage data, privacy and orchestration of all connected devices and related data. Going back to basics is important. You can’t improve on a system that’s already broken. The importance of ensuring IT deployments experience near 100 percent uptime, are protected against security threats, and are set up to be scalable cannot be overstated. 

How do you do this? It’s about the efficient use of data. The very same data being generated by IoMT devices can be used for monitoring, creating baselines and generally providing a better window into a healthcare organization’s IT setup. With a clearer view into the inner IT workings of a healthcare organization, patient outcomes can improve, fraud can be curbed by noticing anomalous behavior and even billing errors can be avoided with the monitoring of HL7 data transactions. 

New technology like IoMT in any space is always a double-edged sword. But the onus is not on manufacturers alone. It’s up to healthcare organizations to take the initiative to manage and secure their environments.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Secure enterprise browser provider Menlo Security has appointed Bill Robbins as President.

Erik Rolf has joined Booz Allen Hamilton as the Business Information Security Officer (BISO) of Commercial Sector.

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.