Those of us in cybersecurity are by now aware that October is National Cybersecurity Awareness Month (NCSAM), the annual campaign in the US to raise awareness about cybersecurity. It is such a serious topic that it gets a whole month, with each week dedicated to a particular theme. The theme for week 3 (October 19) is “Securing Internet-Connected Devices in Healthcare.” It is a very specific but nonetheless very serious topic that I wanted to address today.
What’s the benefit of Internet-Connected Devices in Healthcare?
Imagine a world where a patient’s fitness routine and daily habits are seamlessly transferred to their healthcare provider prior to an appointment. That data would then be combined with historical data, information collected during medical exams, hospital visits, blood test results, etc. in near-real time to provide an accurate diagnosis of the patient’s current health and flag anything requiring further analysis. Or imagine a code blue alert that distinguishes low blood pressure from a cardiac arrest: the valuable minutes that would normally be lost during triage can be dedicated to stabilizing the patient. These are a few examples of why internet-connected devices, sometimes referred to as Internet of Things (IoT) devices, are invaluable to the healthcare industry. Increased efficiency and accuracy can be delivered through technology like real-time monitoring, smart pills, smart home care, or robotics, among additional uses. The IoT healthcare market is expected to grow to $188.2 billion by 2025, which represents hundreds of millions to billions of devices (including life support systems) that will communicate with one another, with big data analytics platforms and with the cloud.
What’s the Risk?
The era of the Internet of Medical Things (IoMT) is only beginning, and with the novel coronavirus pandemic on the verge of a second wave, reliance on such devices will increase. Unfortunately, such an expansive landscape of insecure internet-connected systems, which collect sensitive personal information and have access to internal networks, is a target for hackers. Since May of this year, cybercrime in the healthcare sector has increased 300% from the previous year. The purpose of these attacks is to steal personal health information and COVID-19 vaccine research and development, to move laterally within the network, and to gain further data and access. The list below provides an overview of some of the key risks in IoMT:
- Legacy firmware and operating systems – Availability is a priority within the IoMT space, leaving minimal time to upgrade firmware and operating systems. Beyond just availability, updates are not considered a critical requirement by OEMs.
- Insecure applications running on IoMT sensors – Though OEMs may follow Agile or DevOps methodologies, security isn’t included in the process, resulting in vulnerable code running on medical devices.
- Access to internal networks/systems – IoMT devices are connected to internal networks, resulting in areas of weakness that allow threats to bypass healthcare network security controls.
- Collecting sensitive health data – Insecure IoMT devices may collect or process personal health information that could be used for blackmail or sold on the black market. With healthcare having the highest breach cost of any industry ($7.13 million), there is a significant risk if a breach were to occur.
How can IoMT be secured?
In order to address these risks, it helps to bring healthcare practitioners and cybersecurity experts together to understand the issues that they are facing and agree on what is needed. In the past, cybersecurity professionals have focused on Confidentiality, Integrity, and then Availability, the core information security principles according to ISC2. When it comes to IoT, it is about Availability, and also the integrity of the data, which is crucial. If we do not look at all the devices from an Enterprise Architecture point of view, we will be myopic in our focus. When analyzing the environment, it is important to know not only what device is on the network, but also the configuration of the device and the data it is sending. This will be key in protecting the assets and will help in tracing the flow of data.
- Network segmentation – Apply network segmentation to prevent insecure IoMT devices from providing an access point to the network.
- Secure the supply chain – Require OEMs to provide evidence that they are following best practices for DevSecOps and addressing critical and high vulnerabilities at a minimum.
- Behavioral analytics – Implement technologies to monitor for sensors functioning abnormally based on their individual expected activities.
- Implement access controls – Limit access based on the function of the sensors; granular access to the network/systems will reduce the risk of a network breach.
- Data security – Sensitive health data should be encrypted as close to the collection point as possible and throughout its lifecycle in a format that allows for downstream systems to perform necessary analysis while reducing the risk of the data being compromised.
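As an added illustration of the behavioral-analytics and access-control items above (not code from the original post or from any Micro Focus product), the following Python checks constructed flow records against per-device-class profiles of expected destinations and traffic volume. The profile fields, device names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Hypothetical per-device-class profiles: the only destinations a sensor's
# function requires, and a ceiling on bytes sent per minute.
PROFILES = {
    "infusion_pump": {"allowed": {("10.20.0.5", 8443)},
                      "max_bytes_per_min": 20_000},
    "bp_monitor": {"allowed": {("10.20.0.5", 8443), ("10.20.0.9", 123)},
                   "max_bytes_per_min": 5_000},
}

# Constructed flow records:
# (epoch_seconds, device_id, device_class, dst_ip, dst_port, bytes_sent)
FLOWS = [
    (1000, "pump-01", "infusion_pump", "10.20.0.5", 8443, 1_200),
    (1010, "pump-01", "infusion_pump", "10.20.0.5", 8443, 1_100),
    (1015, "bpm-07", "bp_monitor", "10.20.0.9", 123, 90),
    (1020, "bpm-07", "bp_monitor", "10.30.4.17", 445, 300),      # off-profile destination
    (1065, "pump-01", "infusion_pump", "10.20.0.5", 8443, 48_000),  # volume spike
    (1070, "cam-02", "ip_camera", "10.20.0.5", 8443, 500),       # class with no profile
]

def check_flows(flows, profiles):
    """Return (device_id, reason) findings for activity outside a device's profile."""
    findings = []
    volume = defaultdict(int)  # (device_id, device_class, minute) -> bytes sent
    for ts, dev, cls, dst, port, nbytes in flows:
        profile = profiles.get(cls)
        if profile is None:
            # A device whose class was never inventoried cannot be baselined.
            findings.append((dev, "unknown_device_class"))
            continue
        if (dst, port) not in profile["allowed"]:
            findings.append((dev, f"unexpected_destination {dst}:{port}"))
        volume[(dev, cls, ts // 60)] += nbytes
    # Compare each device's per-minute volume with its class ceiling.
    for (dev, cls, minute), total in sorted(volume.items()):
        if total > profiles[cls]["max_bytes_per_min"]:
            findings.append((dev, f"volume_exceeded {total}B in minute {minute}"))
    return findings

if __name__ == "__main__":
    for device, reason in check_flows(FLOWS, PROFILES):
        print(device, reason)
```

The same profile table can drive segmentation rules, since the allowed destinations are exactly what a firewall between the device VLAN and the rest of the network needs to permit.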
This is a high-level summary of how to protect and secure IoMT sensors as well as the associated healthcare systems and networks. With the current pandemic and the associated reliance on the healthcare system, it is very important to protect this environment and monitor it for risks. Micro Focus provides security solutions and services directly and through our partners to ensure that healthcare organizations are resilient in the face of digital adversity. Our security offerings span DevSecOps, behavioral and security analytics, identity and access controls and data security to focus on what matters most. Let us help you intelligently adapt your security and strengthen your cyber resilience. Protect. Detect. Evolve.
Guest post by Neil Correa, Micro Focus Cyber Strategist