The Internet of Healthcare Things (IoHT) holds huge potential to improve patient care. And healthcare organizations are beginning to catch on, with a recent report published by Aruba Networks revealing that six in 10 healthcare organizations use IoT, most commonly for patient monitors and imaging devices.
But many healthcare IT professionals are wary of the security threats IoT may introduce.
While IoT has barely emerged from the starting gate, there have already been several headline-grabbing security failures. “Highly publicized IoT security breaches have made IoT security top of mind,” says Mike Tennefoss, vice president of strategic partnerships for Aruba Networks, a Hewlett Packard Enterprise company.
Best Practices for Strong IoT Security
While IoT poses security challenges on a nearly unprecedented scale, the good news is that existing best practices can often be used to address key IoT security risks.
“All of the security controls and techniques that we have known about and worked with for years can absolutely be applied to the IoT space,” says Christos K. Dimitriadis, board of directors chair for ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.
Complicating IoT security is the fact that many network sensors and related devices are small and inexpensive, have only limited memory/compute resources and often aren’t designed with security in mind.
“One of the weak points that we see is that IoT vendors and the ‘things’ themselves aren’t as mature from a security and a posture perspective as they need to be,” says Anthony Grieco, senior director of Cisco Systems’ security and trust organization. He notes that most IoT developers aren’t seasoned IT technology vendors and do not necessarily think about security holistically. “As such, they don’t consider building it into everything that they’re developing and, as a result, we tend to see less mature practices when it comes to the basics of security,” he notes.
IoT adopters can help ensure better security by taking matters into their own hands. “Existing best practices, such as network segmentation, will help take some of the security load off of these devices,” says Mark Blackmer, product marketing manager, industry solutions, for Cisco Systems’ security business group.
“External mechanisms, such as machine learning-based traffic analytics, can help close the [security] gap,” Tennefoss adds.
Employing IoHT Means Managing a Huge Network Ecosystem
Most IoT devices are designed to function autonomously without backup connectivity. Secure and reliable remote management is essential to ensure faultless operation. “Strong encryption, robust authentication, compartmentalized access and other IT practices commonly used to remotely manage computer networks should also be applied to remotely managing IoT networks,” Tennefoss says.
Dimitriadis notes that there’s no fundamental difference between the techniques used to remotely manage IoT devices versus any other type of network device.
“Essentially, it consists of understanding the usage parameters and the expectations for how the device will be used, applying the appropriate set of security controls and ensuring that those controls and countermeasures continue to function appropriately,” he says.
Unlike even the most widely distributed conventional networks, IoT networks present adopters with the unique challenge of managing ecosystems containing millions or even billions of devices. “Scale is the biggest challenge we’ll face in securing IoT, and it’s going to require the security community to think differently,” Blackmer says. “This means more identity- and policy-based security, virtualization and the adaptability that brings, and using the network itself to detect and remediate malicious traffic and attacks.”
Perhaps the trickiest thing about remotely managing high-scale IoT environments is planning how each device gets online and how IT teams will be able to quickly and accurately identify all of the networked devices.
“Remote management is only useful if you have appropriately brought the device online in a highly scalable and secure way, with the appropriate identities associated with it,” Grieco says.
Implementing a management tool that lets IT teams know where each device exists, and can be uniquely and securely identified for reliable performance, is essential for successful IoT network operation. Yet achieving this goal isn’t always easy. Teams may lack the skill sets necessary to identify system vulnerabilities, Tennefoss warns. “Weak points may include the lack of physical security for device electronics and interfaces, inadequate security for legacy IoT devices, use of default passwords, failure to validate the trustworthiness of newly connecting devices, using a BIOS from outside the U.S. and poor encryption key and certificate management,” he says.
“Once you have this solid security foundation for remote management, the traditional systems that are used for remote management are going to have to be adjusted to focus on efficiency [and] for the necessary scale of secure management,” Grieco says.
The most useful strategy for managing complex IoT networks, according to Dimitriadis, is to draw from principles that have been honed and tested over many years. “The science of ensuring that devices, systems and applications work together in alignment with business objectives is already a well-established discipline, and leveraging those concepts [in IoT management] can be fruitful.”
Learn More about CDW’s security solutions and services.