Saryu Nayyar | Forbes.com
The average home is being overrun by Internet of Things (IoT) devices, including thermostats, cameras, doorbells, sprinkler systems, Smart TVs, kitchen appliances and more.
Now, let’s consider medical and hospital settings. These have become IoT-enabled as well, with a wide range of medical devices now being interconnected, including blood pressure, pulse, respiration and temperature monitoring systems that can be centrally accessed from nursing stations. According to reports, modern hospitals will typically have at least 10 connected devices per bed, and this number is increasing rapidly considering the market for connected medical devices is growing at a CAGR of 27.6%.
Unlike home environments, the security risks associated with IoT devices in medical applications can have life-or-death consequences. Meanwhile, security vulnerabilities in medical devices are well documented. Last year, one U.S. Food and Drug Administration advisory revealed that 11 vulnerabilities were found in IPnet, “a third-party software component that supports network communications between computers.”
For healthcare providers, medical device security boils down to the following requirements:
- Protect IoT devices from threats, including denial of service (DoS), patient data theft and asset damage.
- Prevent therapy manipulation attacks that attempt to gain access to IoT medical devices and alter patient treatment. This may be accomplished by taking control of a device that provides treatment or modifying patient data that will result in unintended treatment.
- Ensure that compliance requirements and security best practices are implemented because medical device regulations are constantly evolving for both manufacturers and healthcare providers.
Protecting medical IoT devices, however, poses some unique challenges. First, many healthcare providers have small IT budgets and limited security staff, and maintaining network-enabled IoT devices may be the last thing on an IT administrator’s mind. Change management cycles can be even more difficult in a healthcare setting because finding the time to take medical systems out of service can be difficult. It’s possible to plan a server outage, but what happens when it’s necessary to update the firmware on a computer-controlled respirator that’s keeping a patient alive?
Another issue common across many medical IoT devices is the lack of firmware updates. Many of these devices weren’t designed with maintenance in mind. And even the ones that were can take months between an exploit being identified in the wild and the patch coming out to rectify it.
Medical devices, specifically ones that are directly involved with monitoring patients or actively keeping them alive, have an additional challenge. If a vendor botches a patch, lives are at stake. Because of the consequences of failure, medical devices have very strict change management and patch validation routines. They have to be thoroughly tested because failure is not an option. Unfortunately, all these factors combine to make medical IoT devices especially vulnerable to attack and equally difficult to maintain and defend.
While keeping medical IoT devices secure is challenging, it is possible by following some best practices:
1. Keep devices patched and isolated to minimize their exposure to potential attacks. Healthcare providers that rely on a third party for their security operations must ensure that IoT devices are monitored for threats and required maintenance.
2. On the defensive front, make sure adequate tools and processes are in place to detect threats quickly and mitigate them before the damage can spread. Consider the following range of available options:
- Behavior-based analytics that can identify threats in near-real time based on the behavior and activity associated with compromised systems, users or devices.
- Traffic monitoring systems that can identify IoT devices and their control servers and monitor them for any unusual or unauthorized traffic.
- Deception technologies that can deflect attackers away from production resources and devices and provide an early warning when an intruder has breached the environment.
3. Implement a process to check IoT device firmware and patch levels during routine maintenance to make sure they are up to date. By combining manual and automated validation, it’s possible to identify devices that have been compromised but may be dormant in terms of their potential threat to the environment.
4. Tighten system and service access controls to prevent malicious insiders from using their own credentials, or stolen ones, to abuse IoT devices in the environment.