Risk Management, Governance Drive Healthcare IoT Security
As the needs for increased communication and mobility continue to rise in the healthcare field, Internet of Things connected devices are entering healthcare organizations to ferry providers into the 21st century. But with these new technologies come new risks.
A recent survey from Verizon found that 73 percent of corporate executives are deploying or at least researching IoT devices — and dealing with the challenges of keeping these devices secure as threats evolve and escalate.
Healthcare is no exception. Shenny Sheth, information security manager at Texas Children’s Hospital, notes that the facility uses more than 36,000 IoT devices to provide and support care, with nearly 6,000 connected to the network.
Conducting this inventory has been a priority for Sheth since joining Texas Children’s more than two years ago. He says it helped the Houston-based hospital effectively respond to the WannaCry ransomware and WPA2 protocol hacks earlier this year.
“We convened cyber command immediately” after news of WannaCry broke, focusing specifically on connected devices, Sheth says. “We found some areas where we had to patch devices, and bring them into a preventive maintenance cycle.”
Medical IoT Opens the Door to New Security Risks
Threats, such as ransomware that attacks unpatched systems or Wi-Fi hacking, show that the primary driver of security risks has changed, says Axel Wirth, healthcare solutions architect at Symantec.
Traditionally, the risk was data that could be stolen, corrupted or ransomed. While that remains important, he says, today’s environment now presents physical risks that could harm patients. One example is a hacked hospital refrigerator, which can no longer provide chilled medication or food.
“[Health IT teams and executives] really need to start thinking about the possibility of patient risk that could harm, but also impact operations and revenue,” Wirth said.
This is challenging for healthcare organizations, Wirth added, because more traditional risks have been linear. The battery life of a pacemaker is predictable, making it possible to estimate how many patients will be affected in five years’ time, but cyberthreats are ever-changing.
“In cybersecurity, what I estimate today is totally different tomorrow. I have to continually assess whether my estimate from yesterday is valid today,” Wirth says. “We’re entering a phase where we need to learn decisions where we don’t have a reference framework.”
How Providers Address IoT Security Risks
In many cases, security leaders use the same strategies that predate the proliferation of IoT devices, but implement them in new ways. Asset management is one example, said Dan C. Costantino, chief information security officer at Penn Medicine. This has always been a matter of knowing where the devices are located, but now it’s also knowing what they’re doing on the network.
“You can’t protect what you don’t know about,” Costantino says.
Sheth says Texas Children’s takes the extra step of examining the risk of a device’s specific implementation within a facility. Does the infusion pump used in inpatient care need the same level of protection as the same make and model of infusion pump in the intensive care unit (ICU)?
“Where in the risk delta do we mitigate threats and counteract risks?” Sheth said.
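The two ideas above, knowing what each device is doing on the network and weighting protection by where the device is deployed, can be turned into a simple inventory reconciliation check. The code below is an added example written for this article, not from Texas Children's, Penn Medicine or any vendor; the inventory, addresses and flow records are all constructed sample data.

```python
# Added example (not from the article): reconcile a medical-device inventory
# with observed network flows, surfacing unknown devices and inventoried devices
# that behave outside their documented role, tiered by deployment context.
# All devices, addresses and flow records below are constructed sample data.
from collections import defaultdict

# Constructed inventory: address -> model, deployment context, expected protocols.
# The same pump model gets a different context (and protection tier) in the ICU.
INVENTORY = {
    "10.20.1.11": {"model": "infusion-pump-A", "context": "inpatient", "allowed": {"https"}},
    "10.20.1.12": {"model": "infusion-pump-A", "context": "icu", "allowed": {"https"}},
    "10.20.2.5": {"model": "pharmacy-fridge", "context": "pharmacy", "allowed": {"mqtt"}},
}

# Constructed flow summaries (src, dst, application protocol), NetFlow-style.
FLOWS = [
    ("10.20.1.11", "10.20.9.1", "https"),
    ("10.20.1.12", "10.20.9.1", "https"),
    ("10.20.1.12", "10.20.7.40", "smb"),   # an ICU pump speaking SMB: outside its role
    ("10.20.2.5", "10.20.9.2", "mqtt"),
    ("10.20.3.77", "10.20.9.1", "https"),  # address missing from the inventory entirely
]

TIER_BY_CONTEXT = {"icu": "critical", "inpatient": "high", "pharmacy": "medium"}

def protection_tier(context):
    """Map a deployment context to a protection tier; unknown contexts escalate."""
    return TIER_BY_CONTEXT.get(context, "critical")

def reconcile(inventory, flows):
    """Return findings for unknown sources and devices using unexpected protocols."""
    seen = defaultdict(set)
    for src, _dst, proto in flows:
        seen[src].add(proto)
    findings = []
    for src, protos in seen.items():
        entry = inventory.get(src)
        if entry is None:  # "you can't protect what you don't know about"
            findings.append({"device": src, "kind": "unknown_device",
                             "tier": "critical", "detail": sorted(protos)})
            continue
        unexpected = protos - entry["allowed"]
        if unexpected:
            findings.append({"device": src, "kind": "unexpected_protocol",
                             "tier": protection_tier(entry["context"]),
                             "detail": sorted(unexpected)})
    return sorted(findings, key=lambda f: f["device"])

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, FLOWS):
        print(finding)
```

Findings feed the governance committee's review rather than an automatic block, since an unexpected protocol on a pump may be a legitimate vendor change as easily as an infection.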
Other common security strategies — device identification, access controls, password management, regular patch updates — still apply to IoT devices. Education efforts also help; Wirth noted that end users may view a device that’s taking too long to download an image as a mere nuisance, but IT staff would see that as an issue to troubleshoot, or even a sign of an infected machine.
Basic controls will help, but the serious nature of today’s threats — WannaCry shut down several hospitals in the United Kingdom — has elevated security risks to the level of business risks.
Costantino and Sheth have both formed governance committees that bring together department leaders, security professionals and a biomedical engineering team to better understand how clinical staff use IoT devices and what risks these use cases may present.
“This is a business issue, at its core, and is not limited to IT in any way,” Costantino said. “Do not delay getting in front of the risks that IoT devices pose to a healthcare system. The more it’s delayed, the harder it becomes.”