Healthcare networks are teeming with IoT devices from glucometers to infusion pumps, but a study found that the majority of IT decision makers may be operating with a false sense of security regarding their ability to protect these devices from cyber attacks.
According to a survey of more than 200 healthcare IT decision makers, more than 90% of healthcare IT networks have IoT devices connected to the systems, according to a report released Wednesday by ZingBox.
"Typically you will see 10 to 15 IoT devices per bed in a hospital," says Xu Zou, CEO of ZingBox, defining a healthcare IoT device as anything that is portable and connected to the Internet.
But despite the large presence of these devices, the healthcare industry is largely operating under the assumption that traditional security measures for laptops and servers are fine for securing the medical Internet of Things, the report finds.
For example, 70% of survey participants give their seal of approval for using traditional security technology for medical IoT devices, and 76% say they are "confident" or "very confident" that these portable and connected medical devices are secure on their networks.
The difference in using traditional IT security verses IoT-specific security is that attackers' aim is to gain access to the portable devices, even though the payout of information could be greater if they attacked a server storing a database, Zou says.
"A lot of IoT medical devices are not protected and secure, so they are easier to gain access and control," Zou explains. "The attackers can control them and use them as a botnet."
This type of attitude may explain the recent results in a Ponemon Institute study, which found that while 67% of medical device makers expect an attack on their devices within the next 12 months, only 17% are taking significant steps to prevent it.
Mobile Security IoT's Answer?
Although there are number of similarities between mobile devices and medical "things," the security needs between the two are different, Zou says.
One of the key differences is that security patches and updates can be pushed to a mobile device, but the same is usually not the case for IoT medical devices that cannot receive software pushed to them, says Zou.
"You can push security software onto a laptop or server, but you can't do that with an infusion pump," he notes.
Additionally, medical devices that are used for direct patient care are heavily regulated by the Food and Drug Administration (FDA). As a result, a medical device maker may be hesitant to receive third-party software pushed to the device for fear it would nullify or affect the FDA certification it receives for its device, Zou says, noting the certification process can sometimes take five years or so to achieve.
As a result of these regulatory hoops, not one medical device maker uses third-party security software for their IoT devices, he says, adding that, according to Gartner, by 2020, 25% of attacks will be directly on the device.
"CISOs need to find a way to figure out how many IoT devices they have on their network," suggests Zou. "The No. 1 challenge is gaining visibility into this. You cannot protect what you can't see."
- Major Cyberattacks On Healthcare Grew 63% In 2016
- Medical Device Security Gets Intensive Care
- Medical Devices Fall Short in Security Best Practices
- IoT Security Incidents Rampant and Costly