In today’s world, the Internet of Things (IoT) is ubiquitous and holds great potential, but also brings security concerns. While IoT devices are being used across industries, the healthcare industry’s experiences with insecure devices provide valuable lessons to heed.

Recent advances in cancer treatment are due in large part to providers using very advanced chemotherapy that targets specific types of cancer cells. Determining the right compound, dosage, and infusion schedule requires a careful orchestration of data analytics and knowledge of the patient’s history. For example, the pathologists who identify the cancer depend on complex laboratory equipment to examine the cancer cells’ genetic markers and the patient’s own chemistry to select the best course of treatment. Once a treatment has been selected, the pharmacist must mix expensive chemical compounds at exact temperature and humidity levels to ensure the chemotherapy drug will work. Once mixed, the chemotherapy treatment can begin using pumps that deliver the dosage at precise intervals, often remotely monitored. Other biomedical devices monitor the patient’s vital signs to alert the staff of any adverse reaction during and after treatment.

After treatment, a patient may go home to recover while being periodically monitored, perhaps remotely. Physicians can check recovery progress via fitness monitors built into watches, blood pressure cuffs, glucose monitors and even an artificial pancreas. Telemedicine can also help the physician directly interact with the patient while giving him or her more freedom.

This example demonstrates healthcare’s high reliance on IoT.

All the devices involved — microscopes, refrigerators storing chemicals, pharmacy-compounding equipment, infusion pumps and smart beds — are connected to the hospital’s network in a complex synthesis of information not possible a decade ago. The data shared between these devices traverse the same network, so that the treatment team can have a shared vision of events.

Aside from healthcare, IoT devices are also used to collect data, monitor systems and control the fabric that holds together the inner workings of many industries. Hospital pharmacies require the same level of controls as refineries, power generation facilities, and even lights-out warehouses — where sensors precisely assess processes and make adjustments in near real-time.

Unlike personal computers, which have a useful life expectancy of four years, IoT devices generally run embedded software and are expected to remain in service for 15 years or more. Many of these devices have been added to primary corporate networks because of cost and the need to monitor systems across the enterprise. However, these devices were not designed to address the cybersecurity risks present today, as little planning was given to routine patching.

Healthcare organizations need to protect their IoT from cyberattacks, especially because lives are on the line, but the practical solutions are hard to implement. The following are lessons learned that can be applied to all IoT, regardless of the domain.

  1. Identify all IoT devices on the network, regardless of the age of the device. It is impossible to protect something that doesn’t exist in any database.
  2. Document the data flows, with specific focus on what is needed and what does not add value. With this knowledge, it is possible to partition the network into defensible segments and firewall off unneeded traffic. Isolate those network segments from the Internet unless there is a valid justification for an external connection.
  3. Control the acquisition and implementation process. Smart coffee pots and refrigerators that communicate with your smartphone may have a use in a home environment, but inside a controlled environment they can become covert channels for attackers.
  4. Perform a vulnerability assessment on every connected device so that risks are documented and managed. Every risk should have a risk owner who has been assigned responsibility to mitigate that risk. These risks should be reviewed quarterly, and any schedule slips should be escalated to executive management.
  5. Review the newly released draft NIST Interagency Report 8200 on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) to better understand the complexity of the problem.
  6. Perhaps first on the “to do” list, establish a multi-functional governance structure that can identify all the key stakeholders, establish security objectives, and coordinate actions to implement controls across the IoT spectrum.
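Lessons 1 and 2 above (inventory every device, then document the data flows and firewall off what is not needed) can be turned into a repeatable check. The script below is an added example written for this page, not code from the original article: it reconciles a set of observed network flows against an asset inventory to find devices nobody has recorded, then classifies each flow as needed, unneeded, or an unjustified Internet connection according to a per-segment policy, and emits the corresponding deny rules. The inventory, addresses, segment names, flow records, firewall-rule syntax and the policy itself are all constructed, hypothetical values for illustration.

```python
"""Reconcile observed network flows against an asset inventory and a
per-segment traffic policy (added example; all data below is constructed)."""
import ipaddress
from collections import defaultdict

# Hypothetical hospital address space; anything outside it is treated as Internet.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed asset inventory: what the organisation believes is on the network.
INVENTORY = {
    "10.20.1.10": {"name": "infusion-pump-07", "segment": "clinical-devices"},
    "10.20.1.11": {"name": "pharmacy-fridge-02", "segment": "clinical-devices"},
    "10.20.2.5": {"name": "emr-app-server", "segment": "clinical-apps"},
    "10.20.3.20": {"name": "telemetry-gateway-01", "segment": "clinical-devices"},
}

# Constructed flow records (src, dst, dst_port, proto), as exported from a
# firewall or NetFlow collector. Comments give the intended ground truth.
FLOWS = [
    ("10.20.1.10", "10.20.2.5", 443, "tcp"),       # pump reports to EMR: needed
    ("10.20.1.11", "10.20.2.5", 8883, "tcp"),      # fridge telemetry over MQTT/TLS: needed
    ("10.20.1.10", "203.0.113.7", 443, "tcp"),     # pump talking to the Internet: not justified
    ("10.20.1.11", "10.20.1.10", 445, "tcp"),      # fridge -> pump over SMB: no business need
    ("10.20.1.99", "10.20.2.5", 443, "tcp"),       # source address not in the inventory
    ("10.20.3.20", "198.51.100.9", 443, "tcp"),    # gateway -> vendor cloud: documented
]

# Hypothetical policy: (source segment, destination segment, port) triples that
# the data-flow documentation says are required. Everything else is unneeded.
ALLOWED = {
    ("clinical-devices", "clinical-apps", 443),
    ("clinical-devices", "clinical-apps", 8883),
}
# Devices with a documented justification for an external connection.
INTERNET_JUSTIFIED = {"10.20.3.20": "vendor telemetry contract"}


def is_external(ip):
    """True if the address lies outside the internal address space."""
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def segment_of(ip):
    """Segment recorded for an address in the inventory, or None if unknown."""
    entry = INVENTORY.get(ip)
    return entry["segment"] if entry else None


def find_unknown_devices(flows):
    """Lesson 1: internal addresses seen on the wire that no database knows about."""
    seen = {src for src, *_ in flows}
    seen |= {dst for _, dst, *_ in flows if not is_external(dst)}
    return sorted(ip for ip in seen if ip not in INVENTORY)


def classify_flow(src, dst, port, proto):
    """Lesson 2: label one flow by comparing it with the documented policy."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None or (not is_external(dst) and dst_seg is None):
        return "unknown-device"          # cannot judge a flow for an uninventoried device
    if is_external(dst):
        return "internet-justified" if src in INTERNET_JUSTIFIED else "internet-unjustified"
    if (src_seg, dst_seg, port) in ALLOWED:
        return "needed"
    return "unneeded"                    # candidate for a firewall deny rule


def audit(flows):
    """Group every observed flow under its verdict."""
    report = defaultdict(list)
    for flow in flows:
        report[classify_flow(*flow)].append(flow)
    return dict(report)


def deny_rules(flows):
    """Deny rules (hypothetical syntax) for traffic the policy does not justify."""
    rules = []
    for src, dst, port, proto in flows:
        verdict = classify_flow(src, dst, port, proto)
        if verdict in ("unneeded", "internet-unjustified"):
            rules.append(f"deny {proto} from {src} to {dst} port {port}  # {verdict}")
    return rules


if __name__ == "__main__":
    print("Unknown devices:", find_unknown_devices(FLOWS))
    for verdict, flows in audit(FLOWS).items():
        print(f"{verdict}: {len(flows)} flow(s)")
    print("\n".join(deny_rules(FLOWS)))
```

Two design points matter in practice. A flow involving an address that is not in the inventory is reported as "unknown-device" rather than silently judged against the policy, because the first finding to act on is the inventory gap itself. And the policy is an allowlist of segment pairs and ports: anything not documented as needed is a deny candidate, which is what "firewall off unneeded traffic" amounts to once the data flows have been written down.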

Securing IoT devices is a formidable yet crucial task considering the growing reliance on connected devices, paired with the rising number of cyberattacks on vulnerable devices. None of the efficiencies or conveniences in the above examples can exist without IoT, but IoT can only work if it is secure.