Healthcare is one of society’s most vital industries, yet many healthcare organizations are struggling to keep up with technological innovations, namely the Internet of Things (IoT) and cloud computing. In this guest post, Ofer Amitai, CEO and co-founder of a company that delivers network access control, visibility, management and policy compliance to ensure networks run smoothly and securely, provides ways healthcare organizations can control their exposure to risks.
The hesitance of some healthcare organizations is understandable, as making these changes could put lives at risk if the technological transfer fails or creates security concerns for the safety of patients’ protected health information and personal medical devices. While these concerns are valid, there are a number of benefits in making the shift to IoT and cloud computing technologies that cause organizations like MarketsandMarkets to predict that by 2020, healthcare spending on cloud services will reach $9.5 billion.
IoT is a big deal for healthcare because it has so many relevant applications. From personal medical devices, like pacemakers and insulin pumps, to vital hospital equipment for patient care and facility operations, the applications seem endless. Yet hospitals are concerned about the lack of security regulation for IoT devices and worry that, by applying a technology known for increasing efficiency and productivity, they could be putting their business and even patients’ lives at risk. However, there are a few simple ways that healthcare organizations can control their exposure to risks from IoT devices using existing solutions in their data center.
Security best practices
Securing IoT devices begins, first and foremost, by gaining visibility into the connected endpoints on the network, including device parameters such as operating systems, anti-virus/anti-malware status, and running applications, to identify potential areas of vulnerability. Once organizations know what’s on their network – a step that’s sometimes overlooked when it comes to IoT medical devices – they will be able to effectively prepare their IT teams to address areas of risk.
Another best practice is segmenting IoT devices (which often can’t be patched) into a separate part of the network, so that if they’re commandeered by a hacker, they can be easily contained and controlled. This creates a boundary that separates the IoT devices from sensitive medical records, from other endpoints such as laptops and PCs, and from other medical devices, which guards against lateral attacks across the hospital network.
Finally, another important rule of thumb is to change the default credentials of IoT devices connected to the network. The logon credentials of nearly 36,000 medical devices are listed on Shodan, the search engine for Internet-connected devices, which makes them easy targets for hackers. Once these credentials are changed to unique passwords, hackers will have a harder time accessing the IoT device to carry out an attack.
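The three practices above (visibility, segmentation, changed default credentials) can be checked together against an asset inventory. The following is an added example, not code from the original post or from the author's company; the inventory records are constructed, and the field names, the 10.50.0.0/16 IoT subnet and the finding labels are assumptions.

```python
import ipaddress

# Assumed policy: the subnet reserved for IoT/medical devices (hypothetical value).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# Constructed sample inventory, shaped like an asset-discovery export.
INVENTORY = [
    {"host": "infusion-pump-01", "ip": "10.50.1.10", "type": "iot",
     "os": "embedded-linux", "av": None, "default_creds": False},
    {"host": "mri-console-02", "ip": "10.10.4.22", "type": "iot",
     "os": None, "av": None, "default_creds": True},
    {"host": "nurse-laptop-17", "ip": "10.10.4.31", "type": "workstation",
     "os": "windows-10", "av": "current", "default_creds": False},
    {"host": "billing-pc-03", "ip": "10.50.9.9", "type": "workstation",
     "os": "windows-10", "av": "outdated", "default_creds": False},
]

def audit(device, iot_segment=IOT_SEGMENT):
    """Return the list of policy findings for one inventory record."""
    findings = []
    is_iot = device["type"] == "iot"
    in_iot_segment = ipaddress.ip_address(device["ip"]) in iot_segment
    # Visibility: the OS and, for general-purpose endpoints, AV status must be known.
    if device["os"] is None:
        findings.append("unknown-os")
    if not is_iot and device["av"] != "current":
        findings.append("av-not-current")
    # Segmentation: IoT devices belong inside the IoT subnet, everything else outside.
    if is_iot and not in_iot_segment:
        findings.append("iot-outside-segment")
    if not is_iot and in_iot_segment:
        findings.append("non-iot-inside-segment")
    # Credentials: the inventory records whether factory logons are still in place.
    if device["default_creds"]:
        findings.append("default-credentials")
    return findings

def audit_inventory(inventory=INVENTORY):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    report = {d["host"]: audit(d) for d in inventory}
    return {host: f for host, f in report.items() if f}

if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(f"{host}: {', '.join(findings)}")
```
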
While IoT transforms the lives of healthcare employees and patients, cloud computing has also shown its immense benefits in improving the management of healthcare data, as well as hospitals’ network infrastructure. Some of the top benefits of moving to the cloud for CSOs/CISOs in the hospital environment include: flexibility, reduction of capital expenditures, efficiency and improved doctor-patient relations.
With solutions like cloud storage, hospital data centers can store information off-site and make data accessible to patients and doctors in all locations. In addition, with data off-site, hospitals increase their resiliency to cyber threats and ensure business continuity, in the case of weather events or other disasters.
The move to the cloud also means hospital CISOs/CSOs no longer need to renew physical hardware and software to keep their data centers in compliance with industry standards, making investment in security appliances an operational expense as opposed to a hefty capital expense. Finally, cloud solutions are known for fast deployment, which makes time for data center professionals to engage in more essential tasks, such as monitoring the network for vulnerabilities.
Despite the wide range of benefits inherent in the cloud shift, CISOs/CSOs remain concerned with the security of these solutions. That’s why, in addition to deploying cloud security solutions, hospital data centers should ensure they have a foolproof security and mitigation plan in the case of a cloud outage or weather event (preventing Internet access, thereby preventing access to the cloud).
In addition, CISOs/CSOs should encourage a peer review system so that network security is being actively monitored in-house, together with the cloud. Some hospitals have decided to categorize which data is relevant for storage in the cloud – patient health records and financial systems, for instance – as opposed to what is managed on premises, such as emails and security appliances. These are decisions that every hospital should make based on its business needs.
IoT and cloud computing have real value for the healthcare industry because they allow for a democratization of patient-doctor relations like we’ve never seen before. Indeed, allowing patients full access to their healthcare records so they can receive adequate medical care from any location and any doctor is what IoT and cloud enable.
These advancements are great news for patients and doctors, but slightly worrisome for IT security professionals tasked with securing the hospital network. However, with enough planning and visibility into the hospital network, IoT and cloud can be embraced with open arms by the IT security community.
Ofer Amitai is the CEO and co-founder of Portnox, a company that delivers network access control, visibility, management and policy compliance to ensure networks run smoothly and securely.