Key first steps for securing unruly connected devices

You can't secure a network that you don't understand. Mapping hospital IoT is a must-do process for the creation of an effective defense strategy, experts say.
By Benjamin Harris
12:19 PM

Every time a new piece of communications technology becomes a standard fixture in the healthcare industry it brings with it a new host of security and use concerns.

Fax machines and insecure emails, for example, make for porous networks with unsafe connections. But the number of those connections has quickly become dwarfed by the thousands of Internet of Things connections a single hospital might produce.

This swarm of smart medical devices – each of which needs to maintain its own connection to a network – adds a huge new level of complexity to the task of managing privacy and security.

"The main trend of major concern is the explosion of connected devices we're seeing in the healthcare domain," says Jonathan Langer, CEO of medical device security vendor Medigate. He adds that hospitals should take notice of "the sheer quantity (of IoT devices connected) and also the risk."

Reliability can come at security's expense

One reason many of these connected devices are so vulnerable is because of their importance. Langer says that these "high criticality devices" are complex and their reliability is vital, such that manufacturers are hesitant to slap a patch on an issue for fear of interrupting the reliability of the device.

"You don't want to harm the performance of the device," Langer acknowledges. Because of that, however, he says "a medical device can go unpatched for a pretty lengthy period of time."

Because of this and other reasons, many connected devices can be running unpatched legacy software – each one a potential target for attack or exploitation.

"The reality be may even more grim than you would expect," says Langer. "Since we don't have good visibility into (a hospital's) connected devices, we don't know what's really vulnerable."

To protect your network, understand it

The IoT is "very different from PC's or smartphones," Langer says, when it comes to network usage and policies. Devices have different usage patterns and behaviors when they're part of the IoT, and operate as a structure unto themselves.

Because of this, while Langer recommends aggressive patching and maintenance of a network, he says that "at the end of the day everyone has to reach the realization that that alone is not going to solve the issue." He says hospitals need to map out their IoT architecture to "know what you're up against."

Langer says that awareness of IoT's vulnerabilities across the industry is "generally high," and that as hospitals gain awareness they are taking the next critical step of addressing IoT security in a dedicated way.

"Having a good visibility of your IoT network, mapping out the devices and understanding the risks and responding accordingly," are where hospitals need to be once they know about the kinds of security challenges IoT can present.

The road ahead

While the sorts of risks the IoT brings with it are wide-ranging and any implementation demands a rigorous security assessment, the first step organizations need to take is to understand what their IoT looks like and how it operates in their network.

Being familiar with the traffic it generates, its size, where it is deployed and who gets its data and how all empower hospitals to take the next step in making their IoT more secure against attack.

Benjamin Harris is a Maine-based freelance writer and and former new media producer for HIMSS Media.
Twitter: @BenzoHarris.