While there are many avenues cybercriminals can take to get into private networks, lax security is making Internet of Things devices ripe targets. But there are steps that healthcare information security teams can take today to protect IoT devices and prevent hackers from gaining access.
First, healthcare information security teams should ensure their networks are segmented, said Ofer Amitai, CEO of Portnox, a cybersecurity firm whose specialties include securing IoT and BYOD devices.
“IoT devices are vulnerable by nature and can grant hackers access to the rest of the network, accessing and stealing patient data or hijacking a device and causing malicious behavior, including malfunctions or incorrect readings,” Amitai said. “Network segmentation should be implemented to make sure these IoT and medical devices are not members of the same network as PCs, laptops and databases.”
If a hacker gains access through a medical IoT device that is not segmented, he can reach massive amounts of data, everything from health records to employee information and more. So infosec teams should make sure to create a boundary between IoT devices and confidential data to protect patient records, patient safety, personal employee information and more, Amitai said.
Second, healthcare executives really need to think beyond network security, said Rusty Carter, vice president of product management at cybersecurity firm Arxan Technologies.
“What many people don’t understand about embedded medical devices like smart IV pumps, pacemakers and MRI/CT scanners, is that it’s the software application binary code running on the medical device that’s the most vulnerable to theft or tampering, not the actual device,” Carter said. “Instead of just focusing on securing the end-point, focus must be put on securing the applications on those devices, because that’s where attackers will focus their attention.”
This includes adopting static and runtime protection measures to block unauthorized access, preventing the copying or tampering of applications and stopping the insertion of malicious code into the core applications that run the devices, Carter said. By building security into the application, it is protected from attack or theft no matter where it resides, be it a desktop, mobile phone or CT scanner.
Third, hospitals must implement authorization protocols, Amitai advised.
“While network segmentation is one step to preventing access to the network through IoT and medical devices, authorization can help reduce the likelihood of a device being hacked in the first place,” Amitai said. “IT staff should change the default credentials and the technician default codes of these devices upon installation to reduce threats dramatically.”
Another challenge occurs with preventing access to medical devices, not just through the device interface, but through the network. Hospital IT staff, Amitai advised, should restrict who internally can connect to the network, and to medical devices through the network.
Fourth, healthcare CIOs and CISOs should always be assessing their risk and improving, Carter said.
“One challenge with medical devices is that they can’t be taken offline for software updates or scanning without impacting patient care, which is why security must be un-intrusive and ongoing, just as much as it is reactive to specific vulnerabilities or cyberthreats,” Carter said. “Doing continuous comprehensive risk assessments will let you not only benchmark your security, but also understand the apps running on your devices and network, and where there are weak spots to prevent future compromise.”
In healthcare, this is crucial because human lives and their personal information are at stake. Understanding and adapting to risks as they change better allows an organization to create a layered security program that minimizes threats to patient health and safety and also ensures the privacy and confidentiality of sensitive information shared via IoT medical devices, Carter said.
And fifth, healthcare organizations need to carefully monitor device behavior, Amitai cautioned.
“Both network segmentation and authorization are precautionary tactics, reducing risk for attacks, but IT staff should be constantly monitoring device activity in case a breach does occur,” Amitai explained. “Monitor IoT devices for behavior changes and create a baseline of normal behavior.”
For instance, Amitai suggested, if a medical device suddenly has a new web server or an unusual amount of traffic, IT staff should react immediately and respond, typically by disconnecting from the network until further investigation.