Experts back Senate IoT security legislation
The security of the Internet of Things is a key concern today. But in healthcare, IoT security literally can be a matter of life or death.
Healthcare could be on the brink of massive security standard changes when it comes to the IoT. For example, a new U.S. Senate bill – The Internet of Things Cybersecurity Improvement Act of 2017 – would require IoT devices sold by vendors to the federal government to meet minimum security standards. This includes sales to Defense Department and Veterans Affairs healthcare facilities, and those standards would, as a result, filter down to the rest of the healthcare industry.
This legislation targets the low-hanging fruit of healthcare device cybersecurity, said Josh Jabs, vice president of public key infrastructure and IoT solutions at Entrust Datacard, a security technology company.
“It requires vendors of Internet-connected healthcare devices to have a higher minimum standard of security,” Jabs said. “For healthcare provider organizations, they can expect their device vendors to supply equipment that can be patched. Healthcare devices have a lifecycle that may include the need to modify the original firmware that controls the device, especially if security issues are found after design and manufacture.”
Additionally, the legislation requires vendors to provide devices configured so that their single-factor authentication credential, the username and password, can be changed rather than being hard-coded. The Mirai botnet, for example, was built by attacking devices with default and unchangeable credentials.
The time is ripe for IoT security legislation. Healthcare providers in the U.S. have very little guidance on how to protect IoT/medical devices within their infrastructures today.
Aside from some guidance from the FDA and the PII-centric HIPAA requirements, there are no federal requirements governing how to protect, detect and respond to security threats affecting IoT/medical devices, threats that could lead to device manipulation, data exfiltration or, worse, direct patient harm, said Chris Sherman, a security and risk analyst at Forrester Research who specializes in the Internet of Things and medical device cybersecurity.
“Providers should prepare for legislation in this area,” Sherman said, “by formalizing their own medical device security policies, while demanding their device suppliers adhere to application security best practices and medical security certifications, as well as building out their own device monitoring capabilities.”
Jabs has suggestions for how provider organizations can better protect IoT/medical devices today.
“The WannaCry ransomware attack showed us that patching desktop systems is important for healthcare providers,” he said. “Providers also should take inventory of connected systems, which will help to identify risk beyond privacy measures specified by HIPAA. Even if the cybersecurity maturity of your healthcare organization is low, it is a good first step.”
And, he added, the Presidential Policy Directive 21 (PPD 21) has identified healthcare providers as critical infrastructure. Work is being done to help healthcare providers get the most out of the National Institute of Standards and Technology cybersecurity framework, he said, so that ultimately providers can understand how to measure and remedy risk.