Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/21/2018
09:00 AM
Chris Park
Chris Park
Partner Perspectives
0%
100%

Getting Started with IoT Security in Healthcare

There's a hazard that comes with introducing any new element into patient care whether it's a new drug or a connected device. These four steps will help keep patients safe.

It’s estimated that by 2025, more than 30 percent of all Internet of Things (IoT) devices will be dedicated to the realm of healthcare – more than in retail, transportation and the personal security sectors combined. Already today, practitioners are using IoT tech to conduct portable monitoring, enact electronic record keeping initiatives, and to apply drug safeguards – all efforts that are streamlining operations and delivering safer, more comprehensive care to patients.

Through 2018, the healthcare industry is expected to save more than $100 billion in operating costs thanks to connected devices. But operational expediency is only part of the larger story of how IoT tech is having such a huge impact on this industry.

There’s a hazard that comes with introducing any new element into patient care whether that’s a new drug or a connected device. Consequently, caregivers need to view new technologies through the same lens they do with the medicines or techniques they adopt by only changing methods and tools once they’ve been vetted and assured to actual deliver a benefit to patients.

But it’s a bit more complicated where healthcare IoT is involved since it’s not just the ability of these devices to operate effectively that’s a concern for patients and doctors. There are also serious questions around how secure these IoT tools are from outside threats, threats that could jeopardize patients’ wellbeing and personal security.

Here are four steps security teams can follow before introducing IoT devices onto their healthcare networks.

Step 1: Decide whether you want devices to use the same connectivity of the larger healthcare network, or if it makes sense to architect and manage a dedicated IoT network to support these new technologies. Depending on the scope of the existing network, it may be preferable to task a separate IT team with managing the IoT network, leveraging dedicated secure web gateways and defenses to parse the “high-volume” traffic that characterize IoT communications.

Step 2: Before introducing a device onto the network, teams should ensure that they are installing a two-factor authentication system, which is a standard for meeting HIPAA compliance as well as a best practice in the realm of Health IT.

Step 3: Intensive encryption is a must for IoT, especially considering the spontaneous nature of IoT communications, in that a device could be at rest for long periods of time before suddenly "waking up" and sharing data with a beacon or sensor in transit. As we explained in a recent article on the topic, full disk encryption won’t cut because it doesn't protect data in motion. This leaves important data vulnerable to bad actors.

Step 4: While an inventory of all the IoT devices on the network is a must, teams would be wise to take it a step further by flavoring this list with greater context. As IoT adoption ramps up, security teams should be able to easily reference where data resides in a "data bible," or "data dictionary" showing where data originates, where it travels and the transmission capabilities of each device.

Healthcare IoT can be transformative in seemingly endless ways, from automating mundane tasks to simplifying the most complicated ones. But these tools are only as useful as they are secure, and implementing best practices on day one is the smoothest path to reaping IoT’s rewards. 

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company's IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14623
PUBLISHED: 2018-12-14
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulne...
CVE-2018-18093
PUBLISHED: 2018-12-14
Improper file permissions in the installer for Intel VTune Amplifier 2018 Update 3 and before may allow unprivileged user to potentially gain privileged access via local access.
CVE-2018-18096
PUBLISHED: 2018-12-14
Improper memory handling in Intel QuickAssist Technology for Linux (all versions) may allow an authenticated user to potentially enable a denial of service via local access.
CVE-2018-18097
PUBLISHED: 2018-12-14
Improper directory permissions in Intel Solid State Drive Toolbox before 3.5.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2018-3704
PUBLISHED: 2018-12-14
Improper directory permissions in the installer for the Intel Parallel Studio before 2019 Gold may allow authenticated users to potentially enable an escalation of privilege via local access.