In recent years, the internet of things has drastically improved patient care in the healthcare industry. Whether monitoring temperature, automatically alerting physicians or doing something else entirely, these devices allow doctors and treatment facilities to track real-time data feedback more intensely than ever.
However, these innovations can also pose a significant risk to enterprise security efforts. Consider that the average cost of a healthcare organization data breach exceeded $3.6 million last year — that’s $380 per individual data record! No other industry spends more to recover from data losses.
So, why has healthcare struggled to make IoT safe? More than anything else, signs today point to two primary industry challenges: device manufacturer priorities and network access security.
Utility over security
In today’s IoT marketplace, devices are being manufactured at a blistering pace to keep up with this technology’s skyrocketing popularity. As healthcare organizations rush to adopt and implement these next-generation data devices, the priority for global device makers has shifted toward convenience and ease of use to eliminate enterprise deployment downtime. Unfortunately, this means security usually falls far lower on the priority list than it should.
In fact, many healthcare professionals believe IoT technologies are responsible for the industry’s recent uptick in data exposure and breach incidents. Last year alone, medical devices vulnerabilities increased 525% — a concerning fact to say the least.
Even in today’s turbulent digital climate, most IoT devices aren’t designed to have passwords or encryption capabilities. That means most healthcare organizations implement these devices before cybersecurity teams have a chance to ensure they won’t harm enterprise network and data security. Compared to 2016, the healthcare industry saw a 211% jump in disclosed cybersecurity incidents last year — many of which were caused by failures to address IoT’s prevalent software vulnerabilities.
Connected imaging systems, for example, have become major security threats to today’s healthcare technology ecosystem. In 2017, 65% of all healthcare-related ransomware infections targeted these less-than-secure systems, and 45% of all IoT device-related security alerts were issued from these innovations.
In addition to the absence of manufacturer security standards, IoT technologies are also rarely updated whenever new risks are identified. This fact, when combined with the inability for these devices to generate alerts or monitor system integrity in most circumstances, means fewer and fewer healthcare providers have visibility into how their IoT program is truly performing. Even if an organization uses security software, like mobile device management, 64% fail to enroll every enterprise IoT endpoint anyway.
A need for network security
Device-level protections aren’t the only serious challenge in healthcare’s never-ending IoT security search, though. Defending internal networks from infected endpoints trying to breach data or cause system failure is something this industry’s IT professionals deal with on a continuous basis.
Unfortunately for these employees, most IoT devices don’t include controls to protect their connected network from threats should an emergency scenario occur. Instead, organizations are forced to identify alternatives if they wish to increase security and reduce potential IoT risks. While 95% of healthcare executives are confident their practice is completely safe from cybersecurity threats, only 36% have access management policies and only 34% have a formal cybersecurity audit currently in place.
IoT network security is complex because these devices don’t connect to just one location like traditional business technologies — segmenting and/or isolating IoT traffic is a complex task. Plus, few devices can even be configured to deny network access by default.
And, since network security is such a time- and resource-heavy task, it’s not uncommon for healthcare organizations to deploy more devices than they can implement and operate safely. Considering only 31% of the industry plans to train its employees on IoT security practices or establish formal IoT device policies this year, it’s no wonder hackers see these companies as unusually easy targets compared to most other industries.
That said, IoT’s business benefits and disruptive healthcare potential tend to outweigh these rather sizable risks in the mind of most industry decision-makers. If your organization is struggling to manage IoT security, here are a few tips you can use to improve program protections:
Keep track of all tech
Without an accurate inventory of all network-connected technologies, it’s impossible for healthcare organizations to completely safeguard IoT. If your company isn’t already maintaining one, make sure it starts keeping track of things like vendor name, model and serial number, version, physical location, support contacts or any other relevant data points that can help you quickly identify a device and minimize the damage it does in a worst-case scenario.
Additionally, this allows an IT team to stop infected devices from being used as pivot points — devices that an attacker uses to distribute a security threat across an entire corporate mobility environment.
Pre-authorized security teams
When an IoT intrusion happens, IT needs to act fast if there’s any hope of protecting sensitive data. By pre-authorizing trained and specialized security experts, a healthcare organization can remove its network’s most vulnerable devices and sensors as soon as possible. If an attack happens, this policy also helps maximize protections to (hopefully) quarantine any malicious device activity.
Since IoT devices lack so many protections other mobile technologies have, it can be beneficial to manage them in a unique way. If that’s the case where you work, the easiest solution involves creating a separate, IoT-specific network. While this maximizes IoT network and program protections, it’s also not feasible for healthcare organizations that rely on data flows and integrations between multiple systems.
The more advanced (and effective) approach is a combination of encryption and network access restrictions. Using this method, enterprises can protect data in transit or at rest while ensuring only authorized devices can access networks and communicate across them.
Have a plan
You’d be surprised how far a little IoT prep work can go. Most healthcare companies are so worried about keeping up with the latest technology that they forget to simultaneously prepare backup systems and devices. That makes it much more difficult to perform large-scale updates, deployments or any other activity that could potentially take devices out of employees’ hands for an extended period.
Knowing how to secure a device and manage it in the event of complete failure is also important because no technology is ever 100% safe. If a device or a network unexpectedly goes offline, enterprise leaders need to know how to react if they want to minimize the organization’s recovery time.
Improve visibility first
Advanced IoT devices are tremendous enterprise tools, but if you can’t uncover or interpret the insights and feedback they provide, it’s ultimately a wasted technology. Without visibility, there’s no way to identify trends, uncover risks or know which countermeasures are the best for a specific situation.
A network monitoring platform built for IoT is something every organization needs to have. By creating and utilizing one, an organization’s IT administrators can keep track of every connected device and corresponding network — including what state they’re in and whether there are any immediate threats that require action.
IoT is just beginning to make its mark on the healthcare industry. Moving forward, will these organizations overcome the technology’s greatest challenges, or will hackers and cybercriminals continue to take advantage of the confusion and complexity instead?
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.