Security is top of mind for many health IT professionals and it's no less a concern when considering the security of medical IoT devices.
Jon Russell, CIO of John Muir Health in Walnut Creek, Calif., thinks IoT will continue to grow in healthcare and this means health IT experts will have to answer questions about security and possibly make some trade-offs.
Russell discusses what he's most concerned about with IoT in healthcare and what features IoT security technology needs to have in order to be effective.
What are you concerned about when it comes to IoT in healthcare?
Jon Russell: I think IoT will continue to be pervasive in our lives. More and more devices will be network-aware and obviously able to be accessed by us in our daily lives. The question is, once again, how can we be sure that whatever's happening on that device is secure and we're comfortable with the flow of information from that device to whatever it's accessing and that's probably the biggest concern I have at this point particularly in healthcare. We have ... IV pumps that are on our network and we have to question, are those devices ... secure and is the information that's flowing from them back to whatever database they're hooked up to or the control of those devices, is it secure? And those are all the same questions that you have to answer around IoT: Is it secure and is the functionality worth the security risk? And that's the question that we have to answer on a day in and day out basis whether it's IV pumps in our network or a [medical] IoT device at home or your coffee pot sitting on the counter, does that connectivity or functionality outweigh the risk of somebody being inside your network and doing something malicious?
Which are you most concerned about: Someone hacking into a medical IoT device and harming a patient or someone hacking into the hospital's network?
Russell: Those are all things that we're concerned about. Obviously the manufacturers have significant controls over the devices to prevent somebody from having access to a [medical] device and actually having control of it. I think we're pretty comfortable with the controls that are on the device not allowing somebody to control a pump or make adjustments to flow rates, et cetera. For me, personally, I'm probably more concerned about them maybe having access to the back-end system or the data that's on the back-end system, which means they have access to PHI potentially. Or using that device -- and a good example are the number of cyberattacks that have happened in the past around the country; they use that device to then move horizontally into other systems on your network. That's the other thing you have to worry about.
So every time you have a network device, someone can hack that device and then use that entry point to move horizontally in your network and that goes back to, as an example, having that visibility with vArmour (a software that segments workloads based on security requirements) allows you to see that inappropriate traffic flowing east-west and prevent that from happening because you have visibility into that traffic. There are things you can do to manage what's happening with an IoT device or a network-enabled device like an IV pump and manage that risk, but once again it's probably stuff that's more next-gen-type cybersecurity than what has happened in the past just with trying to control what's coming in and out of your network.
What technologies can help ensure medical IoT security?
Russell: Since I think it's become pretty obvious that there's no way to 100% be sure that you don't have unwanted access to your network you really have to start figuring out, how do I have visibility of absolutely everything that's happening within my network so when things are not appropriate in your network and there is inappropriate traffic moving between systems you know about that immediately and you can take steps to stop that unwanted traffic. So it really becomes a visibility question as well as in having some other layers that can stop processes like [endpoint security technologies] if something does happen, if someone does click on something they shouldn't click on it stops that process immediately. So that's kind of the change in philosophy. It used to be that we'd build this big moat and high walls around our environment and assume that nobody was inside and now you have to assume you have access inside and how are you going to manage that risk with visibility or the ability to control what happens when somebody does do something with an inappropriate link, et cetera, very quickly.