A recent analyst note from the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) urges healthcare entities to evaluate their current approach to securing Internet of Things (IoT) devices, since DDoS and man-in-the-middle attacks against these devices have increased alongside their rapid adoption.
In particular, provider organizations should avoid using Universal Plug and Play (UPnP), which increases the equipment's susceptibility to cyberattacks.
There are currently an estimated 7 billion IoT-connected devices across all sectors, a figure projected to grow to 20 billion by 2025. All industries struggle with the elevated security concerns this technology poses, but the risk is particularly challenging for healthcare given the complexity of the ecosystem combined with the sheer volume of devices.
In healthcare, medical IoT (MIoT) lets providers remotely monitor patients with smart devices; it also covers fitness trackers that report a user's blood pressure, heart rate and other physical activity metrics.
While healthcare stakeholders widely believe medical device security can't be solved outright, there are ways for providers to determine what counts as acceptable risk within their organization and to build policies and procedures that support risk reduction.
Securing IoT devices for healthcare organizations
For HC3, the primary concern is that each added IoT device expands the attack surface, which "can be vulnerable if the network isn't sectioned off into secure zones." IoT security measures range from effective physical security to regular firmware updates; the latter is where most healthcare entities struggle.
Healthcare entities should be aware that every internet-connected device tied into the enterprise network poses a risk, and "IoT is no exception." Within a provider environment, a compromise could directly impact human life.
IoT risks could also impact patient data and privacy, increasing the need for an effective IoT security plan. HC3 notes that “ultimately, the goal is to protect the entire system.”
As HC3 puts it, "having IoT, IT devices, and operational technology in the same network is commonly referred to as a flat network." The trouble with this model is that an attacker who has gained access through a single vulnerability can move laterally across the network and compromise other systems.
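The lateral-movement problem above is easiest to see by computing the blast radius of one compromised device under different zone policies. The following is an added example, not code from the HC3 note: the hospital inventory, the zone names (it, miot, ot, iot) and the three policies are constructed for illustration, and the model pessimistically treats every permitted network flow as a usable lateral-movement hop.

```python
"""Blast-radius check for a flat versus a segmented hospital network.

Added example, not part of the HC3 note. The inventory and zone policies
are constructed for illustration. Any permitted flow is treated as a
potential lateral-movement hop, the pessimistic assumption a defender
should make when sizing zones.
"""
from collections import deque

# Constructed inventory: hostname -> zone (IT, medical IoT, facility OT, generic IoT).
DEVICES = {
    "infusion-pump-01":   "miot",
    "patient-monitor-02": "miot",
    "ehr-app-server":     "it",
    "nurse-workstation":  "it",
    "radiology-pacs":     "it",
    "hvac-controller":    "ot",
    "smart-tv-lobby":     "iot",
}

# A rule is (src_zone, dst_zone, allowed_dst_hosts); None means any host in dst_zone.
# Flat network: no enforcement between zones at all.
FLAT = None

# Segmented, but IT may initiate to every zone and medical devices may push
# telemetry to the EHR server. The EHR server therefore becomes a pivot.
SEGMENTED = [
    ("it",   "it",   None),
    ("it",   "miot", None),
    ("it",   "ot",   None),
    ("miot", "it",   {"ehr-app-server"}),
]

# Tighter: IT still manages the devices, but nothing in the device zones may
# initiate a connection anywhere (the EHR server polls telemetry instead).
TIGHT = [
    ("it",   "it",   None),
    ("it",   "miot", None),
    ("it",   "ot",   None),
]


def allowed(src, dst, rules):
    """True if the policy lets src open a connection to dst."""
    if src == dst:
        return False
    if rules is None:  # flat network: everything reaches everything
        return True
    s_zone, d_zone = DEVICES[src], DEVICES[dst]
    return any(
        s_zone == rs and d_zone == rd and (hosts is None or dst in hosts)
        for rs, rd, hosts in rules
    )


def lateral_reach(start, rules):
    """Hosts an attacker on `start` can hop to, transitively, via permitted flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in DEVICES:
            if nxt not in seen and allowed(cur, nxt, rules):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED), ("tight", TIGHT)):
        reach = lateral_reach("infusion-pump-01", rules)
        print(f"{name:10s} compromised pump reaches {len(reach)} hosts: {sorted(reach)}")
```

Run as-is, the script shows a compromised infusion pump reaching all six other hosts on the flat network, five under the "segmented" policy (the single allowed flow to the EHR server, plus IT's broad management access, lets the attacker pivot everywhere except the isolated lobby TV), and none under the "tight" policy. The lesson a practitioner should take from the middle case is that zoning alone is not enough: the direction of permitted flows decides whether one hop into a management zone unlocks the rest of the network.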
The analysis lays out concrete steps healthcare entities can take to bolster IoT security, and thus the overall enterprise security program: ensuring device data is securely stored, transmitted, and processed, protecting the device itself, and reducing overall vulnerabilities.
Entities should review the insights to better understand the importance of network segmentation, as well as common threats to IoT such as privilege escalation via exploited bugs, unpatched vulnerabilities, or design flaws.