IoT Cybersecurity for Hospitals
A real IoT hack happened last year that involved Jeep’s navigation system, terrifying car owners and sending manufacturers scrambling to release a security patch. Now imagine a similar IoT hack happening to a patient’s pacemaker. A scary scenario within the realm of possibility as hackers move towards exploiting weaknesses with devices tied to the internet, a.k.a. the Internet of Things. The Gartner Group estimates almost 6.4 billion devices will be connected via Wifi and the internet by the end of this year. By the end of 2020 they estimate a total of nearly 21 billion devices.
IoMT (Internet of Medical Things)
Hospitals will have a plethora of devices pinging the internet, sending and receiving information. From smart hospital beds to pacemakers their usage directly affects and improves patient care. These patient-focused devices create a sub-category, called the IoMT, or Internet of Medical Things. In addition to patient-focused devices, there are hundreds of other IoTs in a healthcare setting from pharmacy refrigerators to lab monitoring devices. Every single device, and there may be hundreds in a hospital, a potential entry point for hackers. Manufacturers’ admit they have not focused on security in their devices. A recent AT&T report found “85% of enterprises are in the process of or are planning to deploy IoT devices, but only 10% feel confident they can secure those devices against hackers.” Due to this vulnerability, Business Intelligence estimates 30% of the overall cybersecurity market in 2020 will be focused on IoT security. One last concern for Healthcare IT professionals, along with general cybersecurity concerns — IT staff need to ensure they stay within HIPAA guidelines, the FDA recently released Draft Guidance for Industry and FDA staff. It’s something every CISO (Chief Information Security Officer) should review.
Protecting Your System from IoT Vulnerabilities
Dr. Paul Chen, a cybersecurity specialist, says there are several points where manufacturers can improve security. They are:
- Devices have built in protections
- They can detect attacks in real-time
- They can quickly respond and recover from attacks
- They regularly update firmware and software
Of course, communication through IT alerting is critical for staying on top of security concerns. Knowing when your devices communicate, how they communicate, and if an attack occurs is critical for keeping hackers out of your valuable IT systems such as your EHR.
As a healthcare IT professional, there are measures you can take. SC Magazine suggests the following action list:
- Understand what you have and how are they connected to your networks
- Regularly scan for all network-connected devices and identify what they are
- New items need to be checked for how it operates, what it’s functions/capabilities are and how it can be secured.
- Disabling UPnP services where possible and firewalling where not, should be key
System integrity monitoring is a key practice in determining if any suspicious activity has taken place that could be the start of an IoT-based hack
When a system goes down, MTTR (mean time to repair) is critical. The biggest variable is MTTK (mean time to know). There are two components for MTTK:
- The device reporting a problem
- A human notified of the problem so it is addressed quickly
The Everbridge IT Alerting system can do both, including automatically escalating notifications if first responders are not readily available. You can learn more by requesting a 15-minute demo today.