Healthcare IoT Part 2: Keeping It Safe
Benefits abound for healthcare organizations harnessing the Internet of Things (IoT), or the Medical IoT—as do the implicit risks. After all, a dizzying array of connected devices provides more potential points of entry than ever to cybercriminals, whose thirst for sensitive patient data seems only to grow. As we have all recently experienced with the WannaCry ransomware attack, a simple virus with a potent payload, utilizing the end-users' failure to patch older operating software, provided a fertile environment for blackhats to exploit.
Despite the growing focus on patient data security, breaches are on the rise. More HIPPA-covered healthcare organizations reported data breaches in 2016 than in any other year since the U.S. Department of Health and Human Services began publishing its 'Wall of Shame' in 2009. Last year, the healthcare sector also experienced more large data breaches than ever (ones that affect 500 people at once). In fact, 2016 was the second-worst year on record in terms of the sheer number of people whose records were breached.
The good news is that healthcare IT teams can take meaningful steps to turn the tide.
Six musts for protecting sensitive patient data
Potential data breaches exist everywhere, from connected life-saving medical devices to EMRs. The following are six key strategies to consider in preventing them—and limiting damage if and when one occurs.
1. Evaluate your IoT security posture regularly. The volume of mobile devices, wearables, and wireless equipment under your team's care will only continue to grow, as technology and affordability converge to make truly connected care even more viable. To keep up with the fast-changing threat landscape, it is wise to constantly assess your program for vulnerabilities.
2. Make Mobile Device Monitoring (MDM) a priority. MDM should be a priority for all mobile devices including personal smart devices accessing Wi-Fi point within the medical institution plus secured two-factor authentication for access externally via a virtual private network (VPN).
3. Put protocols in place for device usage and monitoring. The more personal devices in use in a hospital, the more likely that essential firmware or malware updates will be neglected. It's all too easy for an employee's personal smartphone to become vulnerable to a data breach. Provide clear guidelines on how employees should use and update their devices.
4. Monitor your wireless network airspace relentlessly. Whatever security solutions your organization adopts, one rule of thumb applies to all: monitor, monitor, monitor. Periodic airspace monitoring is not adequate for protecting patient data. Instead, implement a continuous monitoring solution so IT managers can quickly pinpoint and remediate rogue access points and unsecured WLAN connections that put your entire network at risk.
5. Engage the C-suite. A strong security program doesn't just need one champion—it needs many. You need champions in the highest levels of your organization to ensure that data security is considered a core organizational objective. Personal accountability down to every end-user must be transparent, continuous, and ubiquitous.
6. Understand the human element. In 2017, OCR data and other third-party studies found that insiders were the number-one security threat in healthcare organizations. While some behavior is malicious, some estimates suggest that roughly two-thirds of attacks are a result of human error, such as employees falling for phishing scams, using misconfigured servers, or other unintended missteps. That's why it's vital to train all employees early and often in security tactics, and to provide regular check-ins and refresher security training.
From cloud security management to enterprise platform encryption and real-time backup, worthy security solutions are abundant. The patient data stream may be fraught with danger with the rise of the IoT, but with a rigorous IoT security strategy, you can keep your organization's cyber-defenses up, and vulnerabilities down.
*We'll be exploring this topic through additional posts that explore: how to make it interoperable, and how to win adoption. In case you missed it, here's the first post in the series: Healthcare and the IoT Part 1: Better Patient Outcomes with Connected Devices.