Energy and passion ran high at the HIMSS18 Conference, with nearly 40,000 attendees turning out for this global event, which showcased the best and the brightest in the world of healthcare. The main theme of this year’s conference, which took place in Las Vegas, was innovation with a capital “I”.
And right alongside it were the triple hot topics of security, asset management and consolidation – as evidenced by the expanded HIMSS Cybersecurity Command Center where Forescout exhibited. The HIMSS18 hub for healthcare security doubled in size this year, featuring solutions and services from more than 70 security vendors.
From the enormous variety of networked medical devices that I saw demonstrated on the crowded exhibition floor, it’s obvious that healthcare is continuing its technology revolution fueled by network-connected Internet of Things (IoT) devices. From wireless wearables and Wi-Fi video conferencing tablets to portable electrocardiography (ECG) monitors and smart pill bottles, the possibilities are endless.
At HIMSS18, everyone was excited about the great benefits of these innovations: cost reduction, better and more timely healthcare delivery and seamless information sharing across medical devices and doctors. But, as promising and awe-inspiring as these advancements are – as I emphasized in my presentation at HIMSS18: “The Good, the Bad and the Downright Dangerous” – they also present a high degree of risk.
Walking the exhibit floor, I discovered another theme that had emerged was concern about security in a world of increased connectivity, data portability and a growing attack surface. This was made palpable by a hive of white hat hackers who demonstrated in real time how vulnerable IoT medical devices, and the patient data they store and share, really are.
If we look at the statistics, we see why. Healthcare is a priority target on attackers’ radar. Last year saw 477 breaches[1]. The patient data of one in four Americans has been stolen.[2] And the costs are among the highest of any sector: $380 per capita, per data breach[3]. Plus, HIPAA fines[4] have been mounting over recent years, so there’s no doubt about it – the pressure is on.
Nearly every single meeting I attended with my colleagues covered the security and management challenges of IoT – and one concern that many security and IT professionals reported is that their asset management strategy for discovery and management of biomedical gear was rudimentary at best. Compounding this is the expanded use of IoT devices that has both transformed the healthcare landscape and complicated security. In the past, there were just a few device types and operating systems. Now there’s a growing number of devices, with hundreds of operating systems, and a wide variety of form factors and capabilities. In our conversations, we focused on how we could help safely enable the onslaught of these devices while not waiting for FDA/manufacturers to deliver the expected security, patching and management capabilities that are needed.
Visibility and asset management of these devices is limited not only due to the nature of the devices themselves but also as a result of mergers and acquisitions. Two providers we talked to have over 200 locations in their network! One CISO remarked, “If you’re not eating up smaller firms and practices, you’re preparing to be eaten. There’s no ‘sitting still’ anymore.”
Also in attendance was Matt Hartley, Forescout’s regional vice president specializing in commercial and federal market segments. He clearly summarized the dilemma faced by healthcare technology teams: “Providers are experiencing a wave of consolidation and business diversification that’s unprecedented in recent history. Regardless of business drivers, provider CIOs and CISOs are being asked to secure an ever-expanding estate while simultaneously bringing on more biomedical IoT to enable countless patient care initiatives.”
The problem boils down to this: you can’t inventory, manage or protect what you can’t see. One undiscovered, compromised device can lead to a serious data breach, noncompliance, reputational damage or, worst of all, disruption of patient care. Plus, most breaches can go undetected for 300[5] days – almost an entire year!
If you were unable to attend HIMSS18, click here to watch our presentation: “The Good, the Bad and the Downright Dangerous.”
To learn more about how to jumpstart a comprehensive asset management strategy, check out our blog: “Need a Strategy for Compliance and Asset Management at Your Healthcare Facility? Start with Visibility.”
[3] 2017 Cost of Data Breach Study, benchmark research sponsored by IBM Security, independently conducted by Ponemon Institute LLC
[4] https://compliancy-group.com/hipaa-fines-directory-year/ and https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML