As a security and risk professional in healthcare, there’s one thing you can always count on – change is constant. Innovative ways of delivering quality care are dramatically transforming the digital landscape in this sector. One of the biggest game changers is the push for new Internet of Things (IoT) devices and other connected technologies designed to enhance patient care and save lives. While these innovations have enormous benefits for patients and caregivers, they come with new security and compliance challenges.
To put it in perspective, Gartner in their healthcare report estimates that “by 2020, the number of medical devices requiring security hardening by a healthcare provider will increase by 45%.”1 Verizon states that healthcare ranks number two in breaches, which is no surprise.2
IoT devices, such as glucometers, electrocardiographs and drug infusion systems, are potential targets for hackers. No matter how much manufacturers have invested in hardening, nearly all IoT-enabled and Internet-connected medical devices are at risk. Given the role these and other devices play in delivering critical care to patients, exploitation or manipulation of medical devices can be a matter of life and death.
Daily, you and your colleagues grapple with the implications of network-connected medical devices, and these issues are always top of mind:
- Compliance mandates, like HIPAA, HITECH and, most recently, GDPR, are upping the pressure to ensure the privacy of sensitive patient data. Every time a new medical IoT or legacy device connects to the network or to the Internet, the flow of patient data is impacted – and this complicates data privacy protection.
- The attack surface is growing. IoT devices run device-specific proprietary operating systems and cannot host security agents, so they are poorly secured. Plus, legacy medical devices and PCs dating back to Microsoft Windows NT or XP that were never meant to be Internet-enabled are now being connected – and these systems often lag on security patches and are incompatible with today’s latest defenses.
- Decreased visibility into devices and the network in general often results from rapid expansion and from mergers and acquisitions. Systematic and effective IT asset management (ITAM) is essential. According to Gartner, “in a recent survey, 50% of enterprises stated they did asset management once a year, 20% stated once every 5 years”.3 But the problem is you can’t inventory, manage or protect what you can’t see. Without an accurate picture of what’s on your extended enterprise network, you’ll be at the mercy of hackers. Just one undiscovered, compromised device can lead to a data breach, and this can spawn disruption in delivery of patient care due to the spread of malware, fines for noncompliance, brand and reputation damage and other profound consequences.
If you’re scratching your head not knowing where to begin, take heart – there is a path to improving visibility and compliance as you undergo your digital transformation. Gartner offers some solid recommendations that can be achieved with the right approach and the right technology in its report, Top Three Security and Privacy Impacts of Connected Medical Devices on Healthcare Providers:
“Alleviate sensitive patient data risks and enable your healthcare organization’s digital business transformation by inventorying devices and sensitive data flow analysis – understand what devices you have, and what healthcare data devices transmit and to where. Perform an inventory across the organization to identify connected medical devices that transmit or store patient data across the network. There are some obvious examples, such as patient monitoring equipment, but don’t neglect things such as laboratory equipment and printers.”4
It’s apparent that an accurate and trusted asset repository is vital to establishing a robust security framework and to your ability to meet compliance requirements. Now how do you go about doing this? You can set the wheels in motion by using tools that give these essential capabilities:
- Agentless technology offers full visibility to IoT devices and unmanaged devices so that you have a more accurate inventory with no gaps. Look for a solution that also offers extensive, granular device classification covering traditional and non-traditional devices by function, operating system, vendor, model and other parameters.
- Say goodbye to periodic network scanning in favor of continuous, real-time inventory monitoring that starts the moment a device connects. That way, you can immediately see at-risk hardware, unauthorized software and even transient personal (BYOD) devices.
- In a mission-critical medical environment, active scanning can seriously disrupt delivery of patient care. Make sure your solution offers a passive scanning option that you can control and adjust according to your needs.
- The ability to share information about your devices in real time with your ITAM tool gives you an up-to-date view of state changes and network-connected assets.
- If your organization has a heterogeneous, multivendor environment resulting from recent acquisitions, your best bet is a vendor-agnostic solution with a flexible architecture.
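The first three capabilities above (agentless discovery, continuous first-seen/last-seen tracking, and passive classification by vendor and operating system) can be illustrated with a small passive inventory builder. The code below is an added example, not code from the original post or from any vendor's product; the observation records, the OUI-to-vendor table and the hostnames are constructed for illustration. What it does show is the defender-side logic: a passive sensor that only reads DHCP and HTTP metadata, never probes a device, builds a MAC-keyed asset list, classifies each asset, and flags legacy operating systems (here recognised from the real "Windows NT 5.1" and "Windows NT 4.0" User-Agent tokens) so they can be handed to an ITAM system.

```python
"""Passive, agentless asset inventory from constructed traffic observations.

Added example; not the page's or any vendor's code. The observation
records, OUI table and hostnames below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed OUI-to-vendor table (hypothetical vendors; a real deployment
# would consult the IEEE OUI registry).
OUI_VENDOR = {
    "00:1A:2B": "ExamplePump Medical",
    "3C:4D:5E": "ExampleLab Instruments",
    "AA:BB:CC": "ExamplePrint",
}

# "Windows NT x.y" tokens as they appear in HTTP User-Agent strings.
NT_VERSIONS = {"4.0": "Windows NT 4.0", "5.1": "Windows XP",
               "6.1": "Windows 7", "10.0": "Windows 10"}
LEGACY_OS = {"Windows NT 4.0", "Windows XP"}


@dataclass
class Asset:
    mac: str
    first_seen: datetime
    last_seen: datetime
    ips: set = field(default_factory=set)
    vendor: str = "unknown"
    hostname: str = ""
    os: str = "unknown"

    def is_legacy(self):
        return self.os in LEGACY_OS


def vendor_from_mac(mac):
    """Classify by the first three octets of the MAC address (the OUI)."""
    return OUI_VENDOR.get(mac.upper()[:8], "unknown")


def os_from_user_agent(ua):
    """Best-effort OS guess from an observed HTTP User-Agent string."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        return NT_VERSIONS.get(m.group(1), "Windows (other)")
    return "unknown"


def build_inventory(observations):
    """Fold passive observations into a MAC-keyed inventory.

    Each observation updates first/last seen, the IPs used, and (when the
    record carries it) hostname or OS, so the inventory is continuous rather
    than a point-in-time scan.
    """
    inventory = {}
    for obs in observations:
        ts = datetime.fromisoformat(obs["ts"])
        mac = obs["mac"].upper()
        asset = inventory.get(mac)
        if asset is None:
            asset = Asset(mac=mac, first_seen=ts, last_seen=ts,
                          vendor=vendor_from_mac(mac))
            inventory[mac] = asset
        asset.first_seen = min(asset.first_seen, ts)
        asset.last_seen = max(asset.last_seen, ts)
        asset.ips.add(obs["ip"])
        if obs["kind"] == "dhcp":
            asset.hostname = obs.get("hostname", asset.hostname)
        elif obs["kind"] == "http":
            guess = os_from_user_agent(obs["user_agent"])
            if guess != "unknown":
                asset.os = guess
    return inventory


def legacy_assets(inventory):
    """MACs of assets running an operating system in LEGACY_OS."""
    return sorted(a.mac for a in inventory.values() if a.is_legacy())


def seen_since(inventory, since):
    """MACs of assets that first appeared at or after the given timestamp."""
    cutoff = datetime.fromisoformat(since)
    return sorted(a.mac for a in inventory.values() if a.first_seen >= cutoff)


def itam_records(inventory):
    """Flatten the inventory into records an ITAM tool could ingest."""
    return [{"mac": a.mac, "vendor": a.vendor, "hostname": a.hostname,
             "os": a.os, "ips": sorted(a.ips), "legacy_os": a.is_legacy(),
             "first_seen": a.first_seen.isoformat(),
             "last_seen": a.last_seen.isoformat()} for a in inventory.values()]


# Constructed observations from a hypothetical passive sensor (not real traffic).
OBSERVATIONS = [
    {"ts": "2018-03-01T08:00:00", "kind": "dhcp", "mac": "00:1a:2b:00:00:01",
     "ip": "10.10.1.21", "hostname": "INFUSION-PUMP-12"},
    {"ts": "2018-03-01T08:05:00", "kind": "http", "mac": "00:1a:2b:00:00:01",
     "ip": "10.10.1.21", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"ts": "2018-03-01T08:10:00", "kind": "dhcp", "mac": "3c:4d:5e:00:00:02",
     "ip": "10.10.2.40", "hostname": "LAB-ANALYZER-3"},
    {"ts": "2018-03-01T09:00:00", "kind": "http", "mac": "aa:bb:cc:00:00:03",
     "ip": "10.10.3.9", "user_agent": "ExamplePrint/1.0"},
    {"ts": "2018-03-01T12:00:00", "kind": "dhcp", "mac": "00:1a:2b:00:00:01",
     "ip": "10.10.1.22", "hostname": "INFUSION-PUMP-12"},
    {"ts": "2018-03-01T13:00:00", "kind": "http", "mac": "de:ad:be:ef:00:04",
     "ip": "10.10.4.77", "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"},
]

if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for rec in itam_records(inv):
        print(rec)
    print("legacy:", legacy_assets(inv))
```

Running the script prints one record per MAC; the infusion pump is flagged as legacy (Windows XP from its User-Agent), keeps both IP addresses it leased during the day, and the printer, which never spoke DHCP, still appears with its vendor classified from the OUI. The design choice worth noting is that every field is populated from traffic the device sends on its own, which is why this style of inventory is safe to run against devices that cannot tolerate active scanning.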
Start on your compliance and ITAM strategy today. Begin by downloading the Gartner report, Top Three Security and Privacy Impacts of Connected Medical Devices on Healthcare Providers.
Note: I will be presenting at HIMSS, The Good, the Bad, and the Downright Dangerous: Connecting the Internet of Things to Medical Networks and Infrastructure, on March 7 @ 3:00 p.m. – 3:20 p.m. | Veronese Booth 8500 | Cybersecurity Command Center. Please stop by and share your story.
1 Gartner, Top Three Security and Privacy Impacts of Connected Medical Devices on Healthcare Providers, Saniye Burcu Alaybeyi, Marc-Antoine Meunier, Gregg Pessin, 27 September 2017
2 Verizon, 2017 Data Breach Investigations Report
3 Gartner, Discovery, Security, Management and Disposal: The Life Cycle of Hardware Assets in the Enterprise, Tim Zimmerman, September 2017
4 Gartner, Top Three Security and Privacy Impacts of Connected Medical Devices on Healthcare Providers, Saniye Burcu Alaybeyi, Marc-Antoine Meunier, Gregg Pessin, September 2017