Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/21/2018
09:00 AM
Chris Park
Chris Park
Partner Perspectives
0%
100%

Getting Started with IoT Security in Healthcare

There's a hazard that comes with introducing any new element into patient care whether it's a new drug or a connected device. These four steps will help keep patients safe.

It’s estimated that by 2025, more than 30 percent of all Internet of Things (IoT) devices will be dedicated to the realm of healthcare – more than in retail, transportation and the personal security sectors combined. Already today, practitioners are using IoT tech to conduct portable monitoring, enact electronic record keeping initiatives, and to apply drug safeguards – all efforts that are streamlining operations and delivering safer, more comprehensive care to patients.

Through 2018, the healthcare industry is expected to save more than $100 billion in operating costs thanks to connected devices. But operational expediency is only part of the larger story of how IoT tech is having such a huge impact on this industry.

There’s a hazard that comes with introducing any new element into patient care whether that’s a new drug or a connected device. Consequently, caregivers need to view new technologies through the same lens they do with the medicines or techniques they adopt by only changing methods and tools once they’ve been vetted and assured to actual deliver a benefit to patients.

But it’s a bit more complicated where healthcare IoT is involved since it’s not just the ability of these devices to operate effectively that’s a concern for patients and doctors. There are also serious questions around how secure these IoT tools are from outside threats, threats that could jeopardize patients’ wellbeing and personal security.

Here are four steps security teams can follow before introducing IoT devices onto their healthcare networks.

Step 1: Decide whether you want devices to use the same connectivity of the larger healthcare network, or if it makes sense to architect and manage a dedicated IoT network to support these new technologies. Depending on the scope of the existing network, it may be preferable to task a separate IT team with managing the IoT network, leveraging dedicated secure web gateways and defenses to parse the “high-volume” traffic that characterize IoT communications.

Step 2: Before introducing a device onto the network, teams should ensure that they are installing a two-factor authentication system, which is a standard for meeting HIPAA compliance as well as a best practice in the realm of Health IT.

Step 3: Intensive encryption is a must for IoT, especially considering the spontaneous nature of IoT communications, in that a device could be at rest for long periods of time before suddenly "waking up" and sharing data with a beacon or sensor in transit. As we explained in a recent article on the topic, full disk encryption won’t cut because it doesn't protect data in motion. This leaves important data vulnerable to bad actors.

Step 4: While an inventory of all the IoT devices on the network is a must, teams would be wise to take it a step further by flavoring this list with greater context. As IoT adoption ramps up, security teams should be able to easily reference where data resides in a "data bible," or "data dictionary" showing where data originates, where it travels and the transmission capabilities of each device.

Healthcare IoT can be transformative in seemingly endless ways, from automating mundane tasks to simplifying the most complicated ones. But these tools are only as useful as they are secure, and implementing best practices on day one is the smoothest path to reaping IoT’s rewards. 

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company's IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: What Virtual Reality phishing attacks will look like in 2030.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21652
PUBLISHED: 2021-05-11
A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2021-21653
PUBLISHED: 2021-05-11
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2021-21654
PUBLISHED: 2021-05-11
Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.
CVE-2021-21655
PUBLISHED: 2021-05-11
A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password.
CVE-2021-21656
PUBLISHED: 2021-05-11
Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.