Nov 26 2019

Medical IoT Devices Are Vulnerable to Attack: Are Yours Protected?

An increase of connected medical devices on healthcare networks is making it difficult for IT staff to take a unified approach to endpoint management.

There’s no question that Internet of Things technologies are a worthy investment for hospitals. In fact, nearly all healthcare organizations use them in some form — and their intuitive tracking and time-saving abilities can save lives and money.

But federal approval of these devices doesn’t necessarily mean they’re protected from harm. In October, the Food and Drug Administration released a statement warning patients and providers about some of the cybersecurity vulnerabilities associated with these devices.

Wireless tools such as insulin pumps, pacemakers and heart monitors have been found to be far more susceptible to hacking than laptops or phones because they don’t have the same built-in risk prevention tools — and legacy network monitoring systems aren’t always able to track their behaviors easily

It’s imperative, then, for healthcare organizations to embrace a defense strategy for all devices. Reliable security practices such as regular patching and detailed inventory-keeping can help your organization reduce the likelihood of a cyber event without compromising the unique abilities medical IoT technologies offer.

Adopt Inventory-Keeping to Better Manage Your Network’s Security

Traditional endpoints such as tablets, desktops and laptops require constant surveillance on an organization’s network; however, strong security practices and existing technology make the task quite manageable.

Yet when it comes to medical IoT devices — which continue to be added to networks at increasing speed — visibility remains a top obstacle. As these and other consumer-based devices find their way onto healthcare networks, older devices either remain in play or simply find the back of a storage cabinet somewhere, only to be rediscovered later. 

For this reason, strong network monitoring practices are key to addressing this security gap.

“You need governance behind anything that’s going to have an IP address,” Charles Christian, CTO for Franciscan Health, recently said at the CHIME19 Fall CIO Forum in Phoenix. “Know where a device is, its associated uses, its operating system, and whether can it be patched. It’s not easy but it is doable.”

This is one reason why organizations are starting to deploy cognitive apps like IBM QRadar Advisor with Watson. These applications use cognitive analytics to help security analysts quickly identify and respond to threats by providing a look into all the devices and applications on the network.

Although endpoint visibility can offer an organization valuable insight into the devices on a network, this approach is just the initial step in a wider cybersecurity plan.

INSIDER EXCLUSIVE: Watch a CDW Bring IT On session to learn about the value of a cybersecurity assessment.

Enhance Security through Successful Endpoint Management Solutions

IT teams ought to embrace a multifaceted approach to endpoint management. Network segmentation is one security practice that can help organizations get the most out of their endpoint visibility, thus advancing the security of their overall network.

One strong example of an organization successfully doing so: the Medical University of South Carolina.

Visibility into each segment of MUSC’s network has provided a strong foundation as the organization’s IT staff test new segmentation efforts to avoid future data breaches. 

The goal is to provide appropriate levels of security in accordance with posed threats or anticipated risks, and to limit exposure from a negative event,” Sanjeev Sah, the university’s CISO, told HealthTech. “We need to make sure that if the device has a negative cyber event that it doesn’t propagate to different parts of the network and it doesn’t cause severe outages or impact other assets that are performing very important functions.” 

Boston Medical Center is another organization that deployed multilayered endpoint management solutions to its security practice. By installing McAfee’s Endpoint Security agent across client devices, the medical center has taken a diligent approach to prevent viruses and malware associated with their connected devices. 

It has also introduced products from Cisco and VMware to better monitor and filter endpoint internet requests as well as to streamline mobile device management.

As you consider your organization’s own approach, don’t lose sight of how security practices will affect end users. These people are, after all, the key to successful adoption. Remember, these precautions comprise just one part of a strong cybersecurity strategy. The work is never done.

This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using #WellnessIT.


MF3d/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT