In healthcare, the Internet of Things offers many benefits, ranging from being able to monitor patients more closely to using generated data for analytics.
But that increased flow of information also brings risks that health IT professionals need to address.
"There are so many benefits that come with these new connected devices," said Mike Nelson, vice president of healthcare solutions at DigiCert, a security certification company in Lehi, Utah. "But they also present some new risks and vulnerabilities that as an industry we haven't, I would say, firmly dealt with to this point."
Those risks include possible harm to the patient's safety and health, loss of protected health information (PHI) and unauthorized access to devices, Nelson said.
However, the healthcare community is beginning to address these Internet of Things (IoT) security issues.
"I think the issue is becoming relevant enough that we're now starting to see real collaboration occur," Nelson said.
He added that this collaboration among healthcare professionals to ensure healthcare IoT security is an indication that the risks are not hypothetical.
"I think that indicates, one, that the threat and the risk is real, and two, that it's becoming painful enough for some of the manufacturers and maybe some of the hospital providers that they're starting to do stuff about the issue," Nelson said.
The risks of IoT in healthcare
When it comes to healthcare IoT security issues, the list can seem overwhelming.
One problem is that devices enter hospitals through a variety of channels, some of them unknown, said Karl West, chief information security officer at Intermountain Healthcare in Salt Lake City. One example is BYOD. When this happens, it can be difficult to work out the lifecycle management of that device and identify its operating system.
Furthermore, "because [devices] come in through a different process, they wouldn't necessarily have any common controls surrounding them," West said, meaning the device would not necessarily have passwords, encryption, and the latest versions of hardware and software. When it comes to common controls, "that doesn't exist today."
Another issue, West added, is standalone devices that have developed networks and connectivity glitches. "With those connectivity issues comes transference and movement of data, and so data migration is occurring," he said. "We're unaware of it because they haven't come in through normal channels."
That level of concern goes up when someone -- a vendor, rogue IT staff member or maybe even a hacker -- puts standalone devices onto an isolated network. "I don't even know that that network exists, I don't know who put it in, I don't know how it's contained, I don't know if someone bridged that network to my network," West said. "So that's a huge issue for me."
He explained that some of these devices can also come onto the hospital's network without his network team knowing about it.
Consider this scenario from West: A medical device vendor puts a network connection together for 10 new devices, and then the vendor feeds those devices onto the hospital's network. It's a security headache waiting to happen.
Such a scenario is especially concerning, West said, because he hasn't been alerted that these devices have even been connected, which means multiple risks and vulnerabilities are introduced.
These vulnerabilities, which largely have not been addressed in healthcare, in turn can pose potential harm to patients.
"We don't have evidence that vulnerability in devices, or a cybersecurity issue in a medical device, has caused a direct patient safety issue," said Scott Erven, associate director at Protiviti, a consulting firm based in Menlo Park, Calif. "But due to these devices lacking evidence capture and forensic logging capabilities, I like to say that we have low assurance that something hasn't happened."
And while many would assume that the threat to a patient would come from an outside hacker with malicious intent, that is not always the case, Erven said.
"There were two individuals in Austria in a hospital that were hooked up to an infusion pump and felt their pain management wasn't under control," Erven said. The pair went online, found service documentation, got the hard-coded service credentials to their infusion pumps, logged in and upped their doses. The overdoses caused respiratory problems, Erven said.
"I think it goes to show that a patient that was on an infusion pump was able to figure out how to locate credentials on the Internet and log in to the device," he said. "That isn't something that requires advanced understanding or knowledge of a device."
What to do to achieve better healthcare IoT security
Despite these risks, it seems the healthcare community has accepted the fact that IoT is coming. In order to prepare and remain as secure as possible, there are steps that providers and manufacturers alike can take.
First, "basic security hygiene," such as authentication, is a must, Nelson said. If this step is properly followed, device access is limited, firmware being sent to the device is verified, and device-to-device communication undergoes scrutiny, he said.
Other basic security actions that providers and manufacturers can take include encryption and secure boot, Nelson said. Secure boot means making sure that when a device is turned on, none of its configurations have been modified.
It is also important to not just take inventory of all devices and applications, but also create a "data dictionary," West said.
"We recognized that having an application inventory doesn't solve the problem," he said. "You really need to know and have a data dictionary. That is, you need to know and have in a dictionary where all data resides, where it originates, where it moves, [and] what its transmission capabilities are."
Editor's note: This story has been updated to reflect that Protiviti is based in Menlo Park, Calif.