Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/21/2018
09:00 AM
Chris Park
Chris Park
Partner Perspectives
0%
100%

Getting Started with IoT Security in Healthcare

There's a hazard that comes with introducing any new element into patient care whether it's a new drug or a connected device. These four steps will help keep patients safe.

It’s estimated that by 2025, more than 30 percent of all Internet of Things (IoT) devices will be dedicated to the realm of healthcare – more than in retail, transportation and the personal security sectors combined. Already today, practitioners are using IoT tech to conduct portable monitoring, enact electronic record keeping initiatives, and to apply drug safeguards – all efforts that are streamlining operations and delivering safer, more comprehensive care to patients.

Through 2018, the healthcare industry is expected to save more than $100 billion in operating costs thanks to connected devices. But operational expediency is only part of the larger story of how IoT tech is having such a huge impact on this industry.

There’s a hazard that comes with introducing any new element into patient care whether that’s a new drug or a connected device. Consequently, caregivers need to view new technologies through the same lens they do with the medicines or techniques they adopt by only changing methods and tools once they’ve been vetted and assured to actual deliver a benefit to patients.

But it’s a bit more complicated where healthcare IoT is involved since it’s not just the ability of these devices to operate effectively that’s a concern for patients and doctors. There are also serious questions around how secure these IoT tools are from outside threats, threats that could jeopardize patients’ wellbeing and personal security.

Here are four steps security teams can follow before introducing IoT devices onto their healthcare networks.

Step 1: Decide whether you want devices to use the same connectivity of the larger healthcare network, or if it makes sense to architect and manage a dedicated IoT network to support these new technologies. Depending on the scope of the existing network, it may be preferable to task a separate IT team with managing the IoT network, leveraging dedicated secure web gateways and defenses to parse the “high-volume” traffic that characterize IoT communications.

Step 2: Before introducing a device onto the network, teams should ensure that they are installing a two-factor authentication system, which is a standard for meeting HIPAA compliance as well as a best practice in the realm of Health IT.

Step 3: Intensive encryption is a must for IoT, especially considering the spontaneous nature of IoT communications, in that a device could be at rest for long periods of time before suddenly "waking up" and sharing data with a beacon or sensor in transit. As we explained in a recent article on the topic, full disk encryption won’t cut because it doesn't protect data in motion. This leaves important data vulnerable to bad actors.

Step 4: While an inventory of all the IoT devices on the network is a must, teams would be wise to take it a step further by flavoring this list with greater context. As IoT adoption ramps up, security teams should be able to easily reference where data resides in a "data bible," or "data dictionary" showing where data originates, where it travels and the transmission capabilities of each device.

Healthcare IoT can be transformative in seemingly endless ways, from automating mundane tasks to simplifying the most complicated ones. But these tools are only as useful as they are secure, and implementing best practices on day one is the smoothest path to reaping IoT’s rewards. 

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company's IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
iboss has created the first and only web gateway as a service specifically designed to solve the challenge of securing distributed organizations. Built for the cloud, the iboss Distributed Gateway Platform leverages an elastic, cloud-based node architecture that provides advanced security for todays decentralized organizations with more financial predictability. Backed by more than 110 patents and patents pending, and protecting over 4,000 organizations worldwide, iboss is one of the fastest growing cybersecurity companies in the world. To learn more, visit www.iboss.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17368
PUBLISHED: 2018-09-23
An issue was discovered in PublicCMS V4.0.180825. For an invalid login attempt, the response length is different depending on whether the username is valid, which makes it easier to conduct brute-force attacks.
CVE-2018-17369
PUBLISHED: 2018-09-23
An issue was discovered in springboot_authority through 2017-03-06. There is stored XSS via the admin/role/edit roleKey, name, or description parameter.
CVE-2018-17400
PUBLISHED: 2018-09-23
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by intercepting the user name and PIN during the initial configuration of the application.
CVE-2018-17401
PUBLISHED: 2018-09-23
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature.
CVE-2018-17402
PUBLISHED: 2018-09-23
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number.