IoT risk assessment means all hands on deck
When it comes to information security, healthcare faces some foundational challenges that other industries don't. Not least the fact that it is "not a digital-native industry," said Stacie Hoffmann, digital policy and cybersecurity consultant at Oxford Information Labs.
It's not only that huge swathes of healthcare were primarily paper-based less than 10 years ago. Over the past decade, as hospitals have adopted electronic health records and other IT, many have also come to manage an ever-expanding universe of vulnerable connected devices.
And it's not just medical devices that could leave a network open to exploitation, said Hoffmann, one of the lead authors of a new whitepaper about architecture security from the IoT Security Foundation.
"HVAC systems or coffee systems, even those can have IoT capabilities," she said.
Bringing together all parties in a device's acquisition and use is critical, said Hoffmann. A procurement officer needs to know how important it is that a connected device's communications be encrypted, and a product vendor needs to be clear about how they will handle and protect data that is in many cases considered to be the property of the patient, not the company.
The new report's findings look at how devices on the IoT operate within healthcare environments and how to develop a plan to map and secure those devices.
Recognize stakeholders to protect data
"Data integrity is very important," Hoffmann said. "If we're relying on an automated system for when to administer medicine, we need to be confident in that system."
Who gets access to that data raises other questions. "How is that data collected and retained?" asked Hoffmann. Healthcare systems as well as the IoT industry need to have a conversation about where healthcare data collected on IoT devices goes and who has access to it.
"Sharing when appropriate is critical, so it’s thinking about the risks that are associated with these new models," she said.
Develop partnerships and take action
There are plenty of technical fixes ready for IoT security. For instance, Hoffmann recommends measures such as setting up local networks and confining devices that don't need to reach the wider internet to those networks, so that their data stays local.
Beyond that, she said shutting down unnecessary ports and turning off gratuitous (and potentially buggy) software is a crucial way to "minimize attack surfaces."
The IoT landscape involves a "lot of different stakeholders that need to coordinate," said Hoffmann. This ranges from IT professionals to vendors downstream in the supply chain and even to patients.
She said one first step is for a hospital and a vendor to sign a vulnerability disclosure agreement so that there is a "feedback loop of information" enabling weaknesses to be spotted and patches applied in a timely fashion.
Ultimately, before all of that, a hospital must consider how the IoT fits into its wider network. Hoffmann recommended performing a risk assessment before implementing any devices, to "understand the network and how (IoT) devices are connected." With a lot of "process and due diligence," hospitals can overcome these challenges.
A newly connected world
Data sharing promises to evolve constantly, presenting new use cases that need to be addressed. And as many of the devices in a hospital that are connected to the IoT are extremely mission- or even safety-critical, organizations need to proceed carefully.
Everyone from the procurement officer to the vendor to the physician needs to be attuned to the risks and challenges the IoT invites into a clinical environment.
As great as it is to enable patients to receive care in their homes instead of a hospital environment, it is important to assess the new kinds of attacks and breaches those additional connections present.
Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.