Security Magazine

Exploring the Wide-Ranging IoT Risks in Healthcare

While impacts may vary, risk mitigation strategies work in all domains.

March 13, 2018
Clyde Hewitt
KEYWORDS data breach / hospital security / Internet of Things / IoT Security

In today’s world, the Internet of Things (IoT) is ubiquitous and holds great potential, but also brings security concerns. While IoT devices are being used across industries, the healthcare industry’s experiences with insecure devices provide valuable lessons to heed.

Recent advances in cancer treatment are due in large part to providers using very advanced chemotherapy that targets specific types of cancer cells. Determining the right compound, dosage, and infusion schedule requires a careful orchestration of data analytics and knowledge of the patient’s history. For example, the pathologists that identify the cancer depend on complex laboratory equipment to examine the cancer cells’ genetic markers and the patient’s own chemistry to select the best course of treatment. Once a treatment has been selected, the pharmacist must mix expensive chemical compounds at exact temperature and humidity levels to ensure the chemotherapy drug will work. Once mixed, the chemotherapy treatment can begin using pumps that deliver the dosage at precise intervals, often remotely monitored. Other biomedical devices monitor the patient’s vital signs to alert the staff of any adverse reaction during and after treatment.

After treatment, a patient may go home to recover while being periodically monitored, perhaps remotely. Physicians can check recovery progress via fitness monitors built into watches, blood pressure cuffs, glucose monitors and even an artificial pancreas. Telemedicine can also help the physician directly interact with the patient while giving him or her more freedom.

This example demonstrates healthcare’s high reliance on IoT.

All the devices involved — microscopes, refrigerators storing chemicals, pharmacy-compounding equipment, infusion pumps and smart beds — are connected to the hospital’s network in a complex synthesis of information not possible a decade ago. The data shared between these devices traverse the same network, so that the treatment team can have a shared vision of events.

Aside from healthcare, IoT devices are also used to collect data, monitor systems and control the fabric that holds together the inner workings of many industries. Hospital pharmacies require the same level of controls as refineries, power generation facilities, and even lights-out warehouses — where sensors precisely assess processes and make adjustments in near real-time.

Unlike personal computers, which have a useful life expectancy of four years, IoT devices generally have embedded software and are expected to be in service for 15 years or more. Many of these devices have been added to the primary corporate networks because of cost and the need to monitor systems across enterprises. However, these devices were not designed to address the cybersecurity risks present today, as little planning was given to routine patching.

Healthcare organizations have a need to protect their IoT from cyberattacks — especially because lives are on the line — but the practical solutions are hard to implement. The following are lessons learned that can be applied to all IoT, regardless of the domain.

  1. Identify all IoT devices on the network, regardless of the age of the device. It is impossible to protect something that doesn’t exist in any database.
  2. Document the data flows, with specific focus on what is needed and what does not add value. With this knowledge, it is possible to partition the network into defensible segments and firewall off unneeded traffic. Isolate those network segments from the Internet unless there is a valid justification for an external connection.
  3. Control the acquisition and implementation process. Smart coffee pots and refrigerators that communicate to your smartphone may have a use in a home environment, but can be open covert channels for attackers inside of a controlled environment.
  4. Perform a vulnerability assessment on every connected device so that risks are documented and managed. Every risk should have a risk owner that has been assigned responsibility to mitigate that risk. These risks should be reviewed quarterly, and any schedule slips should be escalated to executive management.
  5. Review the newly released draft NIST Interagency Report 8200 on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) to better understand the complexity of the problem.
  6. Perhaps first on the “to do” list, establish a multi-functional governance structure that can identify all the key stakeholders, establish security objectives, and coordinate actions to implement controls across the IoT spectrum.
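
A sketch of how lessons 1 and 2 can be checked against flow logs, added here as an example and not part of the original article: it compares observed traffic with a device inventory and a list of documented flows. The segment names, addresses, device names and the 10.0.0.0/8 enterprise range are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: hypothetical segments, devices and flow records.
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
SEGMENTS = {
    "pharmacy": ipaddress.ip_network("10.20.1.0/24"),
    "infusion": ipaddress.ip_network("10.20.2.0/24"),
    "clinical-apps": ipaddress.ip_network("10.30.0.0/24"),
}
INVENTORY = {  # lesson 1: every known device, keyed by IP
    "10.20.1.10": "compounding-fridge-01",
    "10.20.2.21": "infusion-pump-07",
    "10.30.0.5": "pump-monitoring-server",
}
ALLOWED = {  # lesson 2: documented flows (src segment, dst segment, port) -> reason
    ("infusion", "clinical-apps", 443): "dose telemetry to monitoring server",
    ("pharmacy", "clinical-apps", 443): "temperature and humidity alerts",
}
OBSERVED = [  # (src ip, dst ip, dst port) as exported from flow logs
    ("10.20.2.21", "10.30.0.5", 443),
    ("10.20.1.10", "203.0.113.9", 8883),
    ("10.20.2.99", "10.30.0.5", 443),
    ("10.20.2.21", "10.20.1.10", 23),
]

def segment_of(ip):
    """Map an address to its segment, 'unsegmented' (internal) or 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unsegmented" if addr in ENTERPRISE else "internet"

def audit(observed):
    """Return devices missing from inventory and flows nobody has documented."""
    findings = {"unknown_devices": set(), "undocumented_flows": [], "internet_egress": []}
    for src, dst, port in observed:
        s, d = segment_of(src), segment_of(dst)
        if s != "internet" and src not in INVENTORY:
            findings["unknown_devices"].add(src)  # talking, but in no database
        if (s, d, port) in ALLOWED:
            continue  # documented and needed
        # Anything else is a candidate for a firewall deny rule; external
        # connections are listed separately because they need a justification.
        bucket = "internet_egress" if d == "internet" else "undocumented_flows"
        findings[bucket].append((src, dst, port))
    return findings

if __name__ == "__main__":
    for kind, items in audit(OBSERVED).items():
        print(kind, sorted(items))
```

The `undocumented_flows` and `internet_egress` lists feed the risk register described in lesson 4: each entry either gets a documented justification or a firewall rule blocking it.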

Securing IoT devices is a formidable yet crucial task considering the growing reliance on connected devices, paired with the rising number of cyberattacks on vulnerable devices. None of the efficiencies or conveniences in the above examples can exist without IoT, but IoT can only work if it is secure.


Clyde Hewitt, Vice President of Security Strategy, CynergisTek

Copyright ©2019. All Rights Reserved BNP Media.
