
What worries CIO Jon Russell the most about medical IoT

Some say that IoT is inevitable. While there are many benefits to IoT in healthcare, there are also risks. CIO Jon Russell shares what concerns him most about medical IoT.

Security is top of mind for many health IT professionals and it's no less a concern when considering the security of medical IoT devices.

Jon Russell, CIO of John Muir Health in Walnut Creek, Calif., thinks IoT will continue to grow in healthcare and this means health IT experts will have to answer questions about security and possibly make some trade-offs.

Russell discusses what he's most concerned about with IoT in healthcare and what features IoT security technology needs to have in order to be effective.

What are you concerned about when it comes to IoT in healthcare?

Jon Russell: I think IoT will continue to be pervasive in our lives. More and more devices will be network-aware and obviously able to be accessed by us in our daily lives. The question is, once again, how can we be sure that whatever's happening on that device is secure and we're comfortable with the flow of information from that device to whatever it's accessing and that's probably the biggest concern I have at this point particularly in healthcare. We have ... IV pumps that are on our network and we have to question, are those devices ... secure and is the information that's flowing from them back to whatever database they're hooked up to or the control of those devices, is it secure? And those are all the same questions that you have to answer around IoT: Is it secure and is the functionality worth the security risk? And that's the question that we have to answer on a day in and day out basis whether it's IV pumps in our network or a [medical] IoT device at home or your coffee pot sitting on the counter, does that connectivity or functionality outweigh the risk of somebody being inside your network and doing something malicious?

Which are you most concerned about: Someone hacking into a medical IoT device and harming a patient or someone hacking into the hospital's network?

Russell: Yes.

Those are all things that we're concerned about. Obviously the manufacturers have significant controls over the devices to prevent somebody from having access to a [medical] device and actually having control of it. I think we're pretty comfortable with the controls that are on the device not allowing somebody to control a pump or make adjustments to flow rates, et cetera. For me, personally, I'm probably more concerned about them maybe having access to the back-end system or the data that's on the back-end system, which means they have access to PHI potentially. Or using that device -- and a good example are the number of cyberattacks that have happened in the past around the country; they use that device to then move horizontally into other systems on your network. That's the other thing you have to worry about.

So every time you have a network device, someone can hack that device and then use that entry point to move horizontally in your network and that goes back to, as an example, having that visibility with vArmour (a software that segments workloads based on security requirements) allows you to see that inappropriate traffic flowing east-west and prevent that from happening because you have visibility into that traffic. There are things you can do to manage what's happening with an IoT device or a network-enabled device like an IV pump and manage that risk, but once again it's probably stuff that's more next-gen-type cybersecurity than what has happened in the past just with trying to control what's coming in and out of your network.

What technologies can help ensure medical IoT security?

Russell: Since I think it's become pretty obvious that there's no way to 100% be sure that you don't have unwanted access to your network you really have to start figuring out, how do I have visibility of absolutely everything that's happening within my network so when things are not appropriate in your network and there is inappropriate traffic moving between systems you know about that immediately and you can take steps to stop that unwanted traffic. So it really becomes a visibility question as well as in having some other layers that can stop processes like [endpoint security technologies] if something does happen, if someone does click on something they shouldn't click on it stops that process immediately. So that's kind of the change in philosophy. It used to be that we'd build this big moat and high walls around our environment and assume that nobody was inside and now you have to assume you have access inside and how are you going to manage that risk with visibility or the ability to control what happens when somebody does do something with an inappropriate link, et cetera, very quickly.


What are the challenges of IoT in healthcare and what are the solutions?
One solution I've proposed is what I call the Data Custodian Model, where the custodian is a platform responsible for storage and access to entity data; patient, IV pump, wearable, whatever. Using rules set by the entity (or controller), the custodian manages granular access to entity data and becomes the system of record for the entity. Data of the entity is posted to the custodian's interface for storage. This becomes the one place to store entity data, whether it comes from an EHR, or anywhere else.