Learning From Health Care’s IoT Security Strategy

Spending on the internet of things (IoT) is expected to soar to $1 trillion worldwide by 2022, according to an International Data Corporation report. Companies in virtually every industry are deploying IoT devices, such as smart TVs in conference rooms, connected machine sensors in factories and wearable devices in hospitals. But deploying these devices without the necessary built-in security is putting enterprises at great risk.

IoT devices, after all, are entry points into your network: additional endpoints that attract attackers. If your company's devices are compromised, the online security of your customers, partners and employees is at stake. The consequences can be costly: lost productivity, legal damages and a tainted reputation.

While IoT adoption is growing across many industries, and every industry must take IoT security seriously, perhaps none must more so than health care. Health care tops the list of industries at risk of cyber attacks because of the sensitivity and quantity of personal information held in electronic health records. Healthcare providers and manufacturers are therefore rapidly seeking security protections for the growing number of connected devices entering the industry.

The U.S. Food and Drug Administration (FDA) is leading the way by encouraging collaboration and by providing guidance to manufacturers on how to handle cybersecurity in both pre- and post-market environments. Much progress has been made, and many organizations are leading the way in this effort, but we still have a long way to go.

Let’s explore three best practices we see the healthcare industry adopting that businesses in any industry can leverage to strengthen their IoT security strategy.

Include Security Requirements in IoT Vendor Guidelines

The risks inherent in unsecured connected devices are indisputable for all industries, and health care is certainly no exception. In health care, in fact, these risks can affect the delivery of critical care to patients, putting their lives at risk.

The stakes are high. An estimated 161 million IoT devices, including life support machines and wearables to monitor patient health, will be used in hospitals and other healthcare facilities by 2020, according to Statista research.

Healthcare organizations have taken action to guard against multiple security risks, including addressing IoT device security at the point of purchase. The Mayo Clinic was at the forefront of this, developing procurement guidelines in 2014 that set security requirements for suppliers of medical devices and healthcare technology. The Mayo Clinic is a globally renowned institution, and when it establishes cybersecurity procurement guidelines, healthcare facilities worldwide begin to follow suit.

The proposal package the Mayo Clinic requires from prospective IoT vendors includes a statement describing the security and risk management of the device, a device architecture diagram, information on how the device will be set up and managed within the Mayo Clinic environment and a vulnerability assessment with a remediation plan and timeline.

Businesses in other industries can learn from the Mayo Clinic’s example and integrate security requirements into their procurement process. IoT device procurement guidelines should cover:

  • No default passwords, an especially serious problem because many operators never change them.
  • Authentication of every user and service that connects to the device.
  • A defined process for patching devices with security updates.
  • Encryption of all sensitive data, at rest and in transit.
  • A full risk assessment, with a device risk profile that includes penetration testing results.

Don’t Procure IoT Devices Unless They Meet Security Standards

In October, the FDA issued pre-market guidance for medical devices that could pose cyber risks. Shortly after, Health Canada released its own recommendations for medical device manufacturers to reference during product development.

In the best-case scenario, device manufacturers should build the necessary security into their products during design. However, that doesn’t happen as often as it should.

As a result, one of the biggest challenges for enterprises is how to incentivize device manufacturers to ensure the security of their products. Establishing security requirements is a good first step. The next is to not purchase IoT devices from vendors that don’t meet your security standards. This is true at Mayo Clinic, where such vendors lose the potential contract.

This pressure has led many IoT device vendors that supply healthcare organizations to make security an integral part of device development. As companies in other industries adopt the same approach to protect their devices, and therefore their data, more device manufacturers will follow. Market pressure will drive IoT device vendors to build security into the design and development of their devices or lose business.

Shut the Digital Front Door

People used to be able to physically enter the front door of a business, go into a conference room and plant devices to eavesdrop. Today, the connectivity of IoT devices acts as the new front door for hackers. Allowing those connected devices to sit unsecured on a network is like putting out a welcome mat.

Don’t make it easy for bad actors. Review and tighten your company’s security policies. If devices ship from the manufacturer with default, easily guessed passwords, change them before the devices go on the network. Apply authentication best practices. And always encrypt sensitive data at rest and in transit.

Kaiser Permanente’s then-chief security officer and chief technology risk officer, Jim Doggett, addressed encryption in a conversation with Healthcare IT News. He said that the company encrypts data on endpoint devices and sensitive data in transit, and noted it’s a challenge for many industries because the quantity of data is huge.

Salt Lake City-based Intermountain Healthcare realized its digital front door was ajar the day an audiology device from an unknown manufacturer went missing, according to an IoT Agenda article. Chief Information Security Officer Karl West could not verify details about the device, including its operating system. He tracked the device down and discovered it held two and a half years of patient data.

The organization now tracks all data objects in a data dictionary, which provides more security and detail than a simple device inventory. Intermountain records categories of risk and keeps an inventory of all medical devices that is organized around the data each device holds.
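The procurement checklist above, the "digital front door" hardening steps and Intermountain's data dictionary all come down to the same audit: for every device, is it on known software, off default credentials, authenticated, patchable, risk-assessed, and encrypting whatever sensitive data the data dictionary says it holds? The following is an added example written for this page, not code from the original article or from the Mayo Clinic, Intermountain Healthcare or any vendor named here. The device records, the data dictionary entries and the default-credential list are constructed sample data, and every field name and finding label is an assumption for illustration.

```python
"""Audit an IoT device inventory against security procurement requirements.

Added example, not code from the original article or from any organisation
it names. All devices, data objects and default credentials below are
constructed sample data; field names and finding labels are assumptions.
"""
from dataclasses import dataclass

# Constructed sample of vendor-default credentials to refuse (not a real list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("service", "service"),
}

SENSITIVE_CLASSES = {"phi", "pii"}  # data classes that require encryption


@dataclass(frozen=True)
class Device:
    device_id: str
    manufacturer: str          # "" when unknown
    os: str                    # "" when unknown, as with the audiology device
    credentials: tuple         # (username, password) currently configured
    auth_required: bool        # every user and service connection is authenticated
    tls_in_transit: bool       # network traffic is encrypted
    encrypted_at_rest: bool    # on-device storage is encrypted
    patch_channel: bool        # vendor ships security updates the site can apply
    pentest_on_file: bool      # risk assessment with penetration-test results


@dataclass(frozen=True)
class DataObject:
    """One data-dictionary entry: which data lives on which device, for how long."""
    name: str
    classification: str        # "phi", "pii" or "operational"
    device_id: str
    retention_days: int


def audit_device(dev: Device, data_objects: list) -> list:
    """Return the procurement-guideline violations for one device.

    The checks mirror the bullet list in the article. The unknown-platform
    check is the Intermountain lesson: a device whose vendor or OS nobody can
    name cannot be patched or risk-assessed.
    """
    findings = []
    if dev.credentials in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if not dev.auth_required:
        findings.append("unauthenticated-access")
    if not dev.patch_channel:
        findings.append("no-patch-channel")
    if not dev.pentest_on_file:
        findings.append("no-risk-assessment")
    if not dev.manufacturer or not dev.os:
        findings.append("unknown-platform")
    # Encryption requirements apply where the data dictionary says the device
    # actually holds sensitive data; a device-only inventory cannot tell.
    holds_sensitive = any(
        d.device_id == dev.device_id and d.classification in SENSITIVE_CLASSES
        for d in data_objects
    )
    if holds_sensitive and not dev.encrypted_at_rest:
        findings.append("sensitive-data-unencrypted-at-rest")
    if holds_sensitive and not dev.tls_in_transit:
        findings.append("sensitive-data-unencrypted-in-transit")
    return findings


def audit_inventory(devices: list, data_objects: list) -> dict:
    """Map every device to its findings; an empty list means it may be procured."""
    return {dev.device_id: audit_device(dev, data_objects) for dev in devices}


def untracked_data(devices: list, data_objects: list) -> list:
    """Data-dictionary entries whose device is missing from the device inventory.

    This is the gap a device-only inventory cannot see: data known to exist
    that sits on a device nobody has registered.
    """
    known = {dev.device_id for dev in devices}
    return [d.name for d in data_objects if d.device_id not in known]


# Constructed sample inventory (not real devices or vendors).
DEVICES = [
    Device("infusion-pump-01", "ExampleMed", "Linux 4.19",
           ("clinical", "site-unique-secret"), auth_required=True,
           tls_in_transit=True, encrypted_at_rest=True,
           patch_channel=True, pentest_on_file=True),
    Device("audiology-07", "", "", ("admin", "admin"), auth_required=False,
           tls_in_transit=False, encrypted_at_rest=False,
           patch_channel=False, pentest_on_file=False),
    Device("conference-tv-02", "ExampleDisplay", "Android 9",
           ("admin", "1234"), auth_required=True, tls_in_transit=True,
           encrypted_at_rest=False, patch_channel=True, pentest_on_file=False),
]

# Constructed data dictionary: what each device stores and for how long.
DATA_OBJECTS = [
    DataObject("infusion-log", "phi", "infusion-pump-01", 365),
    DataObject("hearing-test-results", "phi", "audiology-07", 913),
    DataObject("display-telemetry", "operational", "conference-tv-02", 30),
    DataObject("ward-monitor-export", "phi", "monitor-unknown-99", 180),
]


if __name__ == "__main__":
    for device_id, findings in audit_inventory(DEVICES, DATA_OBJECTS).items():
        print(device_id, "OK" if not findings else ", ".join(findings))
    print("untracked data:", untracked_data(DEVICES, DATA_OBJECTS))
```

Run stand-alone, the script clears the infusion pump, flags the conference TV for default credentials and a missing risk assessment even though it holds no sensitive data, flags the audiology device on every check, and reports the ward-monitor export as data sitting on a device that is absent from the inventory. The join between device records and data objects is the point: the same audit run over a device list alone would not know that the audiology device needs encryption at all, nor that a fourth device exists.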

Apply Healthcare Best Practices to Your Business

Unsecured IoT devices put enterprises and the data of their customers, partners and employees at great risk. If measures aren’t put into place, vulnerable devices will expand the attack surfaces of enterprise networks unnecessarily.

Individual businesses and industries, working together, can take control of their IoT security requirements by demanding that manufacturers act responsibly. Setting security procurement guidelines, purchasing only from manufacturers that abide by them and securing their digital front door will help protect businesses from IoT security risks.


Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Nelson oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Nelson frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Nelson has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Nelson’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.
