IoT technology is having a profound impact on the healthcare industry, bringing the potential to deliver better patient care, improve operational efficiency, and drive down costs for healthcare organizations. Healthcare organizations are adopting IoT devices at increasing rates to improve the quality of life for patients – and potentially save lives. In fact, Gartner research predicts IoT in healthcare will grow by 29 percent by the end of 2020. This includes all the IoT medical devices, like connected infusion pumps, skin patches, mobile X-ray machines, and patient telemetry monitors, that hospitals utilize to help advance healthcare delivery.
But with this growth comes risk – introducing new, often unsecured patient-facing IoT technology into already complex, legacy healthcare environments expands the attack surface and brings massive cybersecurity and patient safety concerns. COVID-19 further exacerbates these risks, as hospitals rush to deploy more connected devices, remote technology, and telehealth services to support patient surges. As a result, the demands on hospital IT staff are at an all-time high, opening the door for hackers to exploit critical vulnerabilities.
For healthcare organizations to reap the benefits of IoT while mitigating the risks, it will take a multi-layered security approach that includes stronger protocols, machine learning-driven security analytics, and device segmentation.
IoT security challenges start at the device level when the product is manufactured by medical technology companies. Manufacturers should create devices that are patched and equipped with the security capabilities to stand up in today’s complex healthcare environments. But in many cases, securing these devices is an afterthought for manufacturers. So once these unsecured IoT devices are placed into hospitals, the responsibility shifts to hospital IT staff.
The first step healthcare organizations should take to secure IoT medical devices is to follow the standard protocol for risk management, IEC 80001. Health IT staff can use it as a framework for managing connected devices to ensure they are safe, effective, and secure for patient use. Not only will the IEC 80001 protocol protect hospitals from a compliance standpoint, it will help with risk measurement and analysis of these connected devices.
Using the IEC 80001 framework as a guide, hospitals must then take concrete steps to mitigate security risks, which starts with the early detection of potential threats. To help pinpoint vulnerabilities, healthcare organizations should consider deploying machine learning-driven security analytics and behavioral monitoring technology.
ML-driven security analytics can help health IT staff make sense of vast amounts of data produced from the thousands of connected devices and proactively help find anomalies before they become major issues. This helps hospitals identify and respond to security breaches faster and more efficiently than humans and allows IT to focus on improving patient care rather than data analysis and chasing false positives.
Similarly, behavior-based monitoring helps health IT staff see how similar infusion pumps or scanning machines are operating on the network. By understanding “normal” behaviors of these connected devices, health teams can better recognize “anomalous” behaviors – enabling them to act quickly at first sight of any potential security threats.
These analytical tools give healthcare organizations clear visibility into where devices are located on the network, how they are behaving, and what actions should be taken.
Additionally, healthcare organizations can strengthen security by segmenting IoT medical devices. According to research by Gartner, only 5 percent of IoT devices deployed today are virtually segmented; however, by 2021, 60 percent will be, indicating this will become a wider practice among healthcare organizations. Health IT staff can use hyper-segmentation to establish “borders” to compartmentalize critical connected devices and confidential data into secure network zones. This helps defend against unauthorized lateral movement and makes it easier to identify anomalies and isolate breaches.
Data can still be transferred but there will be less risk of attackers gaining access to the hospitals’ data and taking control of mission-critical medical devices. Grouping related devices together allows healthcare organizations to strategically place access points and then make decisions on who can access specific devices on the network.
With granular visibility of the networks’ connected devices and the use of segmentation, hospitals can bolster IoT security and safeguard against attacks.
IoT security now extends beyond the four walls of the hospital. COVID-19 is increasing the use of telehealth services, creating new challenges for at-home device security.
Remote healthcare enables patients to use IoT-connected blood pressure monitors, smart scales, and glucometers right from their homes. The data from these devices is transmitted directly to the hospital where doctors review and analyze the patients’ information in real-time. There are even connected wearable medical devices that alert hospital staff in emergencies when a patients’ health is in danger.
At-home connected medical devices often lack basic security features and virus protection to help safeguard against attacks. And because these IoT medical devices run on a patient’s at-home Wi-Fi network (which are not typically as secure as major hospital or enterprise networks), they are more suspect to hackers.
Healthcare organizations must follow IEC 80001 protocol, ensure that only hospital personnel can make security changes to the devices, and arm patients with the appropriate tools to safeguard both their Wi-Fi network and the devices.
Despite the security challenges associated with IoT technology, it has the potential to transform the patient experience and revolutionize tomorrow’s smart hospitals. Healthcare organizations must take a multi-layered approach to mitigate security risks using IEC 80001 as a framework. Knowledgeable IT staff, full network visibility, along with behavior analysis, ML/AI, and analytical tools, will provide a better pathway to ensure strong IoT security across all connected devices.
Not only will stronger security measures result in cost savings for hospitals long term – fewer data breaches mean less repair of damages – but most importantly, it will mitigate the life-threatening implications of insecure IoT technology. Patients' lives depend on secure connected devices, so healthcare organizations must act.
This article was originally published to Health IT Outcomes on June 15, 2020.