Even though it was many months back, I still remember the overwhelming joy I felt when my daughter was born and I saw her beautiful smile for the first time. But as my daughter was given her vaccinations, it reminded me of the responsibilities that come from being a parent: keeping children safe and protected.
As I strolled around the hospital, I began to notice connected medical devices in large numbers. This is when Gartner’s forecast of 20 billion connected Internet of Things (IoT) devices by 2020 started to sink in. [1] This rapid adoption is quite understandable because the benefits of adopting IoT in hospitals are quite compelling. Use cases include asset management, remote patient monitoring, medical device integration and workflow optimization. A report from the National Institutes of Health notes that real-time location systems (RTLSs) will reduce capex while improving patient workflow. [2] According to a report by GE Healthcare, real-time patient tracking enabled one hospital to cut its emergency department wait times by 68 percent. [3]
As a technologist, my mind started soaring with all the potential benefits that IoT can bring, but as a father my heart started racing with concerns about the insecurity of these things.
Most IoT devices are vulnerable because they cannot host third-party security agents, they run outdated or unsupported software, they can’t be patched, and they often lack even the most basic security features.
According to Gartner, by 2020, 25 percent of healthcare attacks will originate from IoT devices. [4] If a biomedical device is hacked, it can put patient health at risk. It can impact organizational health as well, since attackers can enter a hospital network through these insecure devices and impact operations. A ransomware attack, for example, can bring a hospital’s operations to a standstill.
According to an IBM-Ponemon report, the per capita cost of a breach is highest for the healthcare industry. [5] Uses of medical records include filing fraudulent insurance claims, obtaining prescription medication and opening credit accounts.
Unfortunately, many organizations, even when they recognize these threats, don’t act to close these security gaps because of budgetary constraints. But threats aren’t going away. We saw a number of IoT-based cyberattacks in 2016, including the high-profile Mirai botnet attacks. These attacks are only expected to increase in 2017 and beyond.
With some research, I found out that in 2016, there were 450 healthcare breaches. [6] Many hospitals were victims of ransomware attacks and had to pay ransom using bitcoins to get their data back. Other hospitals suffered from massive Distributed Denial of Service (DDoS) attacks. The FDA is tightening medical device standards. [7] However, if lessons from securing personal computers and mobile devices are any indication, securing even more diverse sets of medical devices with innumerable operating systems will be exponentially more challenging.
So, an effective network security strategy becomes key in providing a strong perimeter around these unsecured devices.
I believe, just as vaccinations provide foundational protection for kids for the rest of their lives, clear visibility and control over the devices provide foundational protection for healthcare networks—because you cannot secure what you cannot see. Just as a vaccination marshals the body’s defense mechanisms to eliminate bodily threats, the cybersecurity system also needs to orchestrate system-wide threat response to eliminate cyberthreats.
As I look forward to seeing my daughter grow to her full potential, I realize that vaccinations alone will not be enough to secure her health. Secure healthcare delivery will be key too. So, let’s give some love to our medical IoT devices. Let’s make sure we see and secure them!
[3] GE Healthcare case study: “Losing the wait,” http://www3.gehealthcare.com/en/services/hospital_operations_management/~/media/Downloads/us/Services/Hospital%20Operations%20Management/Case%20Studies/Aventura%20Case%20Study%200413r2.pdf
[6] Beckers Health IT and CIO Review, http://www.beckershospitalreview.com/healthcare-information-technology/2016-averaged-1-healthcare-data-breach-per-day.html
[7] Washington Post, https://www.washingtonpost.com/national/health-science/facing-cybersecurity-threats-fda-tightens-medical-device-standards/2013/06/12/b79cc0fe-d370-11e2-b05f-3ea3f0e7bb5a_story.html?utm_term=.d21e6e8c4c9b