Recently, I came across an article in a newspaper that described a cool healthcare innovation: smart bandages. These bandages will use 5G and wireless networks to track the healing process. To me, this is super interesting, especially because it goes beyond typical healthcare. There are so many applications for this technology to treat injuries of all kinds. Even with today’s modern medicine, you don’t know if an injury is healed until you unwrap the bandage, which usually requires another trip to the doctor to give you the thumbs up.
Imagine if you could unwrap the bandage at home after an app dictates it’s safe to do so. The smart bandage app is continuously connected to a server, collecting, monitoring and correlating data — and gathering results that can be shared digitally with a healthcare provider as needed. Very cool.
However, while this technology has a lot of really interesting applications, it does make me slightly concerned. If healthcare firms and practitioners don’t apply the correct infrastructure to support IoT devices like these, they risk inadvertently exposing their corporate networks and the patient data stored within.
Healthcare tracking … everywhere you go
Years ago, I read a great short story by former Google executive Christian Baudis. This story described a day in the life of a man whose every move was tracked by devices. Life as he knew it was dominated by an environment that looked a lot like what we now call the internet of things, but obviously taken to a sci-fi extreme. For example, in this fictional world, cash didn’t exist; payment was done by a chip attached to human skin.
Another device was a health-tracking scanner that changed the way practitioners managed patient care. The story focused more on the philosophical implications and obvious benefits of such technology. But, as a cybersecurity professional, I thought it was particularly interesting to imagine the people managing this technology.
For example, you would need a lot more IT managers who have crossover experience in human biology and medicine. In the story they were called DQPs, which was short for “digital quality providers.” But in the real world, how easy would it be to recruit staff who are competent in both areas? I could see a lot of hospitals choosing to train their existing healthcare workers in basic IT skills so they could maintain the scanners. However, this raises concerns about how well they would know the technology. Would they have the same understanding of patient data and security concerns as a fully trained IT professional?
How safe are connected healthcare devices?
If you apply those same learnings to the real world, it raises a number of questions around these new smart bandages. Let’s assume you have a smart bandage and the server that is collecting every patient’s data and storing it within a hosted data center. Assuming it had the latest protection from outside access, like firewalls, intrusion prevention systems and advanced threat protection systems, it sounds pretty safe, right?
But what about access from within? What if an adversary — a rogue user or disgruntled administrator — uses the LAN to gain access to the server? What if the smart bandage itself is hacked into and the data is manipulated or tainted in some way? A determined hacker could easily access your health records and possibly provide instructions based on incorrect data. That same hacker could even gain access to other sensitive data available digitally on the hospital network.
We’re seeing broad and rapid adoption of IoT devices, especially in the healthcare space, but with a profound lag in cybersecurity precautions. Being able to see these connected devices and being able to control and manage them is imperative when it comes to minimizing the vulnerabilities these connected devices can create.
IoT is today’s problem
When new technology, such as connected plasters, is announced, it always spawns a lot of discussion around the future and how this technology will impact the workplace. However, I would be remiss not to mention that millions of IoT devices are already installed on healthcare networks around the world, collecting increasingly detailed data on their patients.
It’s time to stop thinking of IoT as a problem for tomorrow. Being able to discover, classify, assess and continuously monitor devices, including personally owned and agentless medical devices, will enable healthcare firms around the world to feel safe in the knowledge their data is secure. Additionally, regulatory measures, such as HIPAA and HITRUST, are increasingly demanding that healthcare firms enforce security posture and regulatory compliance policies. These are necessary to notify users, restrict or block access, and automate network segmentation.
The moral of the story: IoT is cool and new use cases and innovations are becoming available daily, proving that Christian Baudis’ vision of a connected world wasn’t very far off. But keep in mind, proper visibility and control of IoT devices is key to keeping networks (and patients) safe.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.