10 Ways to Help Secure Medical IoTs in the Age of Digital Medicine
Hospitals and clinics rely on mobile, internet-connected medical devices (medical IoT devices) to deliver patient care, and many patients rely on them directly, using smart continuous glucose monitors, ingestible sensors, and wearable asthma sensors. Because these devices are made by different manufacturers and designed to connect to remote networks to share medical data, their cybersecurity is often neglected.
According to a MarketsandMarkets research report entitled "IoT in Healthcare Market by Component (Medical Device, Systems & Software, Services, and Connectivity Technology), Application (Telemedicine, Connected Imaging, and Inpatient Monitoring), End User, and Region - Global Forecast to 2024," the global IoT in healthcare market is projected to grow from USD 55.5 billion in 2019 to USD 188.0 billion by 2024, at a Compound Annual Growth Rate (CAGR) of 27.6%.
Citing an Atlas VPN report, a March 2020 CISOMAG article stated as follows:
83% of healthcare providers in the U.S. are running on outdated software. Based on cybersecurity firm Palo Alto Networks’ survey of 1.2 million IoT devices used in thousands of healthcare organizations across the U.S., 56% of devices were still running on the Windows 7 operating system, for which Microsoft discontinued support in January 2020.
Microsoft ceased patching Windows 7 earlier this year, meaning it will remain permanently vulnerable to threats without any additional defenses.
The failure to modernize security in medical IoT devices, coupled with the significant spike in their projected growth, will exacerbate the cybersecurity issues plaguing healthcare. For example, medical devices run on software that requires updates from the manufacturer. If a device communicates over unsecured Wi-Fi, it is easily exploitable by bad actors delivering malware or malicious commands. Often, though, these devices do not receive the software updates recommended by manufacturers, either because they are in constant use or because no notification of the needed update is received.
For hospitals and clinics, the cybersecurity risks go far beyond stolen protected health information. Pacemakers can be hacked, which can lead to an individual's death; and as more medical facilities use the cloud for data storage and sharing, a compromised pacemaker can become a portal through which a malicious actor prevents physicians from accessing all patient data.
One of the benefits of capitalism is that the market will eventually force a solution. In the meantime, below are 10 ways for hospitals and clinics to minimize the cybersecurity risks posed by medical IoT devices (the most important is No. 10):
1. Encrypt patient data prior to transmitting it to the cloud, and configure load balancers to accept only HTTPS traffic (secured sites).
2. Ensure the hospital or clinic follows strict cyber hygiene protocols, with employee training on social engineering and spear-phishing attacks.
3. Implement controls on employee access to records and limit privileges within networks.
4. Include security requirements in new device proposals and vendor contracts. Further, ask product developers about their DevOps process, in which they continuously identify, correct, and validate fixes for security issues before the software is finalized.
5. Give network administrators the authority and the tools to enhance monitoring for penetration attempts through endpoint protection software, which allows quicker response times to deactivate infected accounts or devices.
6. Thoroughly screen new medical devices to ensure they are free of known vulnerabilities before deploying them in the field. Ensure that new devices can monitor themselves for disruptions and/or employ rudimentary defenses against malicious activity.
7. Permit only authorized administrators to update devices, to ensure updates are done correctly and completed.
8. Ensure patients receive clear instructions on how to install and configure take-home medical IoT devices, so that the devices operate properly and use a secure connection to transmit encrypted data to the doctor.
9. Implement a no-tolerance, "zero-trust" network policy to stop unknown or unmanaged items from connecting to the network. Introduced by John Kindervag of Forrester in 2010, this approach is built on automatic distrust, requiring constant verification of users and applications before granting the required access.
10. Purchase and implement a unified endpoint management (UEM) platform. UEM is an umbrella platform that manages all devices from a central location: it secures updates, patches vulnerabilities, conducts automatic hardware and software inventory tracking and logging, handles mobile device management and software deployment, and controls remote workstations. In short, it allows IT professionals to manage, monitor, and control mobile, desktop, and IoT devices from a single location. CrowdStrike, Tanium, MobileIron with McAfee, IBM, Sophos, and others offer UEM services. Of course, the risk with such a comprehensive solution is that if the UEM becomes compromised, the entire network is as well. However, that risk already exists without the benefits offered by UEM.