Hospitals, don't wait to address these little-known IoT security issues
When it comes to securing the Internet of Things in healthcare, there are many issues that are known obstacles. And then there are those that are not as well-understood. Unfortunately, these issues pose security threats and need to be considered by infosec teams.
“Many CIOs and CISOs at healthcare organizations are becoming familiar with cybersecurity issues associated with the IoT. We’ve all seen news about medi-jacks and ransomware,” said Sara Jost, global healthcare lead at cybersecurity firm BlackBerry. “The issue now has to do more with different obstacles that are preventing CIOs and CISOs from actually addressing the problems, so they have these looming fears but are unable to fix them.”
There are different factors at play. First, the equipment itself is unfixable, Jost said. Today’s medical devices tend to be older because of the cost and time involved in upgrading. Some of this equipment cannot be patched and will have known and published security flaws.
“Next, the CIO or CISO may not have the budget or policies to replace the unfixable items or even have a process that would embed cybersecurity issues into the device procurement RFPs,” she said. “There is also the issue that their own staff may be unable to employ best practices that can safeguard the organization from all the new cybersecurity issues that are coming to light.”
And when it comes to updating the technology, there is also the challenge of choosing the right platform. Today, every tech vendor wants to become the de facto platform to which all other devices adhere.
“The larger ecosystems say they are ‘open’ standards, so everything can be interoperable, but there are also smaller ecosystem players that may not adhere to the same specs,” Jost said. “C-level executives are worried about hanging their hat – and future technology plan – on a platform that doesn’t win. Think of the Beta versus VHS battle.”
Another serious issue is lifecycle management.
“Devices are purchased with the expectation they will last for years. However, as threats evolve, there is not always a vendor expectation to maintain these devices and provide patches,” said Ryan Spanier, director of research at Kudelski Security. “To complicate matters, many of these devices cannot be taken down for regular maintenance.”
And device keeping a patient alive, for instance, won’t be taken offline just to apply the latest security patch, even if there is a known vulnerability being exploited. So what approach does a healthcare organization take to reduce the impact of a cybersecurity attack?
“First, you need to ensure your vendors are willing to support the devices for the planned lifetime of the system,” Spanier said. “Also, you need to have contingency plans in place if a device is vulnerable to an attack but cannot be patched. You may need to take devices off of the network until they can be patched, or provide specific network-based controls to protect the systems until they can be patched, such as closing a vulnerable port.”
In addition, some devices leave the healthcare facility – attached to a patient, for instance – and only occasionally return for check-ups. Hospitals need a plan in place for updating these devices even when they are not connected to your network.
Jost of BlackBerry offers a few suggestions to healthcare providers for overcoming difficult healthcare IoT cybersecurity challenges.
“Make it easy for employees to use secure IT,” she advised. “Employees need easy and secure solutions that enable better workflows. And make sure that healthcare organizations create cybersecurity policies and adhere to them, including lots of education to anyone to whom they apply.”
Hospitals must budget the correct amount of money to IT to address these challenges -- and that’s particularly true in today’s climate where many infosec teams are being asked to do more with less.
“Ensure staff have the knowledge they need to do what is required. Sometimes this means paying professional services to provide proper training and create super-users within the organization,” Jost added. “And have a cybersecurity assessment done. Know where all your weaknesses are.”
Understanding your vulnerabilities and being able to explain those in words the C-Suite can understand could go a long way in getting the budget you need to protect against these lesser-known threats.