Collaborating to Protect Healthcare Networks from IoMT Risks
“Technology is great. It’s about 10 percent of the problem. The biggest risk in any security scenario are your own users,” Chaudry said. He emphasized that organizations must educate clinicians, researchers and other healthcare staff on the risks that IoMT devices pose in healthcare IT environments.
According to Chaudry, some clinicians will discover and start using devices without considering the security implications. Many even connect devices to the guest Wi-Fi, which has a minimal amount of protection.
To combat this issue, Seattle Children’s encourages staffers to reach out if they’re using a device that could pose a risk to the organization. They can do so without consequence, an approach Chaudry said has worked well.
“No one in healthcare wants to cause harm. They just want to be able to do their work,” he added.
The health system also has an architectural review board composed of engineers who review proposed devices and conduct a risk assessment to determine whether they need to be connected to the network, whether they need software updates or other tools, and the extent to which they must be monitored. Once they go through a security and technical review, devices then go to the implementation team.
“This allows us to document what’s coming,” Chaudry said. When clinicians tell the IT team what they need, IT can put the necessary guardrails around devices.
It’s also important that healthcare organizations have visibility into the devices on their networks. Seattle Children’s uses Ordr for this purpose. Chaudry noted that an IT team can’t make decisions without knowing what’s happening on the network.
Authentication is another obstacle to healthcare cybersecurity efforts. Many healthcare organizations are using identity strategies to protect their environments, including two-factor authentication. However, Chaudry pointed out, people are still writing their passwords on sticky notes and attaching them to devices.
“We need to figure out how we can layer through these services,” Chaudry said. He noted that some vendors in the security space will tell health IT teams that they need specific tools. He emphasized that IT leaders must consider not only the tools but the people they will be dealing with.
Not every health system has resources, and some may require assistance from the vendor during implementation.
“It’s not as easy as turning on software and the magic happens,” he said.