IoT security in healthcare presents a greater challenge for medical device manufacturers and medical facilities than securing connected devices typically does.
In healthcare, manufacturers must build with stricter adherence to security best practices, and devices go through a longer approval process before they can be deployed or their software updated. IT professionals in healthcare organizations must account for every connected device and ensure all medical personnel follow best practices to keep protected health information (PHI) and personally identifiable information (PII) secure. Despite the challenges, the use of IoT devices in healthcare has improved the industry through remote monitoring for patient care and asset tracking for medical equipment.
Jonathan Langer, co-founder and CEO of Medigate, an internet of medical things management and security company, expects the number of connected devices in healthcare to increase and cyberthreats to grow with it. Here, Langer discusses the current state of IoT security in healthcare, best practices for connected medical devices and how the novel COVID-19 virus will push healthcare toward remote applications.
In general, what trends have you been seeing in the connected healthcare cybersecurity market?
Jonathan Langer: The major trend over the past two years is the connectivity trend, meaning that healthcare systems, just like other industries, have been seeing an influx of connected medical devices across the board in equipment like bedside patient monitors, infusion pumps and radiology. Just the sheer number of connected devices has grown significantly. The value of the data generated from these devices for more affordable care and improved patient sharing is so immense that the trend is very clear as to why this is happening.
What security trends and risks have come from connected technology?
Langer: The problem with these medical devices is basically twofold, in terms of the inherent risk of the medical devices -- they house PHI and PII, which is very sensitive information. Also, they can be used as pivot points for cyberattacks to reach other PHI repositories in the network. It's not just a privacy issue; it's also a patient safety issue. You can only imagine what can happen if someone deploys ransomware on a medical device and shuts it down or does even worse. First and foremost, these devices are indeed critical infrastructure, and that poses risk.
The other risk, which is more on the technical front, is that these devices, which are primarily real-time embedded devices, have the ability to update software. However, updating software is complex. A medical device manufacturer would manufacture medical devices with a proprietary software installed on that device. That software, depending on how diligent and thoughtful the medical device manufacturer was at the time of design, may be more vulnerable or less vulnerable. Some medical device manufacturers do a really good job.
The bigger problem is that when new software vulnerabilities are discovered, the ability to remediate those vulnerabilities is not easy. It takes a lot of time compared to your laptop or smartphone, where you can get a software patch and just click a button to update immediately. Doing the same with medical devices is a much more complex process. It requires the manufacturer to deploy the patch and do the quality assurance process, because these devices pertain to patient safety. They're mandated to make sure that the device and software patched is, indeed, safe. Then the patch needs to be distributed to the devices in various healthcare systems. Those enterprises take time to update as well. Within that window of time, cyberattackers have a pretty good opportunity to take advantage of the situation. That's why, ultimately, this is a much more vulnerable environment.
What are the biggest threats that you see against medical devices?
Langer: Ransomware is prevalent, just because it's fairly easy. It doesn't mean that these cyberattackers are targeting healthcare specifically. It's a wide untargeted attack that also hits healthcare. Another attack, which you may have heard about, is the WannaCry ransomware attack back in 2017. That obviously hit healthcare.
Another risk that I would mention is the PHI risk. That's big in healthcare. Sensitive patient information has pretty stringent regulations and needs to be secured.
Last is what happens if someone modifies the operation of a medical device -- maybe changes the dosage, anything of that sort. That is a very nightmarish situation. I don't know if it will happen or not, but we have to be prepared and think of the worst and make sure that our security safeguards don't let this happen.
What are the top recommendations you give to healthcare organizations?
Langer: The first best practice is understanding what's connected, called network visibility or inventory. It sounds basic, but it's a significant gap in many healthcare systems. Because of the diverse nature of the medical devices and the proprietary protocols that they use, it is a technical challenge. If you want to use different technological tools to take inventory or if you want to do this manually, it doesn't really matter. If you have a good baseline of what's currently connected to your environment, that's really the starting point in terms of best practices.
The other basic best practice is understanding which devices are communicating outside of my environment. Some devices need to communicate with the internet or with external IPs for maintenance. They do software updates and telemetry. I would make sure that I know which devices are communicating externally, and shut down the communication through a firewall, so that the rest won't be able to communicate externally. That will reduce risk significantly.
The third best practice is network segmentation, which is a complex process. It requires a deep visibility into the network and provisioning security policies around the medical workflow but will significantly reduce risk. Even if an attacker breached that firewall, the segmented nature of a network would prevent him from propagating across the network.
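The second best practice above (know which devices talk to external addresses, then firewall the rest) can be checked against a device inventory and flow records. This is an added example, not Medigate's or the article's code; the inventory, flow records and RFC 1918 "internal" address space are constructed assumptions, and the generated rules use iptables syntax purely for illustration.

```python
import ipaddress

# Assumption: the hospital's own address space is RFC 1918 only; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: device IP -> (device id, class, egress permitted for vendor maintenance/telemetry)
INVENTORY = {
    "10.20.5.31": ("pump-017", "infusion pump", False),
    "10.20.5.32": ("monitor-203", "bedside monitor", False),
    "10.30.1.5": ("ct-01", "CT scanner", True),
}
# Constructed flow records (what a NetFlow/firewall export would give you): (src IP, dst IP, dst port, bytes)
FLOWS = [
    ("10.20.5.31", "10.20.9.10", 443, 1200),
    ("10.20.5.31", "203.0.113.45", 443, 48000),
    ("10.20.5.32", "192.168.3.7", 8080, 900),
    ("10.30.1.5", "198.51.100.9", 443, 250000),
    ("10.30.1.5", "10.20.9.10", 443, 3000),
    ("10.20.7.88", "203.0.113.99", 80, 700),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def review_egress(inventory, flows):
    """Return (unexpected, unknown): devices with external flows the inventory does not
    permit, and source IPs missing from the inventory altogether (a visibility gap)."""
    unexpected, unknown = {}, set()
    for src, dst, port, _ in flows:
        if is_internal(dst):
            continue                      # east-west traffic is out of scope here
        if src not in inventory:
            unknown.add(src)              # best practice one: you cannot judge what you have not inventoried
            continue
        dev_id, _, egress_ok = inventory[src]
        if not egress_ok:
            unexpected.setdefault(dev_id, []).append((dst, port))
    return unexpected, sorted(unknown)

def deny_egress_rules(inventory):
    """Default-deny egress for every inventoried device with no maintenance need:
    allow internal destinations, then drop everything else from that device."""
    rules = []
    for ip, (dev_id, _, egress_ok) in sorted(inventory.items()):
        if egress_ok:
            continue
        for net in INTERNAL_NETS:
            rules.append(f"iptables -A FORWARD -s {ip} -d {net} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {ip} -j DROP")
    return rules
```

Devices reported as unexpected warrant investigation before the drop rules go in, since a legitimate but undocumented vendor channel would otherwise be cut.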
What are some of the tools that healthcare organizations can use to help them with security?
Langer: I categorize this into two major tools. One, start with all the existing enforcement tools that organizations typically have, such as a firewall. Even if you have a firewall, you have to make sure not only that it's installed, but that it's enforcing policy that is relevant to these devices. If you have a firewall, but you don't have a policy that's specific to medical devices, you're not going to get a lot of value out of it. It's not going to protect user risk, and it's not going to protect you significantly around this new evolving challenge.
The other tool category that I would point out is those that analyze clinical data specific to healthcare -- tools like Medigate or other tools that compete with Medigate. These tools give you complete network visibility around the IoT devices, including medical devices, but at the same time also orchestrate security policies that leverage those firewalls. The combination of those two tools together is really what's going to move the needle, in terms of your security strategy for healthcare.
Data privacy is a major concern when it comes to healthcare and there are a lot of regulations around it. What do those regulations mean for IoT security in healthcare?
Langer: Regulation is making a positive impact on the industry. Some of the regulations we're seeing are in recent publications by the FDA [Food and Drug Administration]. There are other publications and more voluntary guidance being drafted as well that have already been communicated. The Cybersecurity Act of 2015, Section 405(d) initiative, for example, is a great initiative. The main advantage of these initiatives is that they enable the various stakeholders in healthcare to take some required action. For example, the FDA has been emphasizing that medical device manufacturers have to be more cognizant of security best practices when they manufacture and maintain devices. Cybersecurity Act 405(d) is more focused on the healthcare systems and the best practices that they need to accomplish.
The main value is that both stakeholders -- the manufacturers and the healthcare systems -- are now taking action in order to mitigate risk. Everyone is accountable and everyone has the responsibility to increase security around healthcare IoT.
Has the coronavirus changed anything you've seen in the current state of healthcare as far as security or threats toward the medical system?
Langer: The COVID-19 virus has just put a spotlight on healthcare and how important this is for our nation and for the world. Cybersecurity is a big part of it. We have to make sure that our healthcare systems continue to function and continue to function safely. It is causing people to pay more attention. Now that more care will be administered remotely, it is increasing the attack surface. That's going to make it more of a security issue than it is today. There have been reports of increased cyberattacks as well. All of this together just increases the spotlight on this industry.
Do you think hospitals and healthcare facilities are going to focus more on remote care after this pandemic?
Langer: Absolutely. Some of this has been part of the government stimulus, or there's been talk, at least, around this. It's a trend that started a long time ago. Telemedicine isn't something new, but it seems to me that it makes so much sense, especially in the post-COVID-19 era. They want it efficiently, they want it safely, and they want it to lower the costs as well. That all points in the direction of increased telemedicine and, of course, there are additional challenges here on the regulatory side and on the clinical side, but it sounds to me like something that we should be expecting.