The United States has seen a marked increase in the use of electronic information, and a resulting increase in the level of exposure to cyber-attacks, which target an organization’s use of cyberspace for the purpose of stealing information or disrupting, disabling or destroying related information resources.
In 2013 President Obama issued Executive Order 13636 (EO),“Improving Critical Infrastructure Cybersecurity”, which called for the development of a voluntary Cybersecurity Framework to provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for the management of cybersecurity risk.
In a September 2015 HealthcareITNews article, it states that by 2020, a staggering 26 billion Internet of things (IoT)-enabled devices will be installed worldwide. The Internet of things (IoT) is the inter-networking of physical devices, vehicles (also referred to as "connected devices" and "smart devices"), buildings, and other items - embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.
Also in 2015, the Federal Bureau of Investigation (FBI) issued an alert to healthcare organizations and others warning of the serious cyber risks the IoT presents. Don’t you think if the FBI issues a warning, it's probably best to pay attention?
For healthcare security folks, this means paying closer attention to the myriad of IoT devices within their organizations. These IoT devices include HVAC remotes, Wi-Fi cameras, insulin dispensers, thermostats and any type of wearable and other medical devices. These devices, FBI officials said, are notorious for having serious security deficiencies. This, combined with patching vulnerabilities, make these IoT devices an attractive target for cybercriminals.
According to the FBI, there are three pressing risks to IoT devices, they are:
These risks could have profound consequences in the realm of healthcare, with the most adverse being the risk of criminals gaining access to unprotected devices used for remote patient monitoring of medication dispensing. The FBI wrote in their alert: "Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection.”
So, what can healthcare organizations actually do about all this? In 2015, the FBI offered a list of recommendations:
The IoT explosion is a game changer for healthcare security. Everything is moving faster than we thought, and even today many security vendors are not prepared. Cybersecurity vulnerabilities and intrusions pose risks for every hospital and its reputation. While Internet-enabled medical devices and electronic databases provide significant benefits for care delivery, networked technology and greater connectivity also increase exposure to possible cybersecurity threats that require hospitals to evaluate and manage new risks.
Because of the universal interconnectivity between devices, users and distributed networks, traditionally siloed security devices defending a single place in the network are increasingly ineffective. Even worse for most healthcare information technology (IT) teams, many traditional security standards and best practices are not as effective in addressing IoT challenges.
Hospitals can prepare and manage these challenges by viewing cybersecurity not as a novel issue, but rather by making it part of the hospital’s existing governance, risk management and business continuity framework. Hospitals should also ensure that the approach they’ve adopted remains flexible and resilient to address threats that are likely to be constantly evolving and multi-pronged.
In 2017, over a million new IoT devices are being connected to the Internet daily, and that process is accelerating. Experts predict that as many as 25 to 50 billion new IP-enabled IoT devices will be deployed and online by 2020. As a result, the use of IoT has created an explosion of data that is designed to move freely between devices and locations and across network environments, remote offices, mobile workers, healthcare organizations and public cloud environments, making it difficult to consistently track and secure. It is also predicted that by 2020 over 25% of attacks on enterprises will be targeted at IoT devices.
Experts indicate that many of the security challenges surrounding digital transformation and the adoption of IoT can be managed through a combination of proven best practices and a better security framework. Central to securing IoT devices are high-speed authentication and monitoring; internal segmentation designed to monitor and protect distributed computing and distributed networking and to enforce and coordinate distributed security; and cloud-based security services that can track and defend devices and data distributed anywhere across the network of networks.
Security needs to tie together the entire distributed network and connect IoT devices and data to the edge, across the core and the data center, and out to the cloud. Using a distributed, and integrated, fabric-based approach to security that can cover the entire network of systems will expand and ensure resilience and secure computing resources. This approach enables organizations to effectively monitor legitimate traffic, check authentication and credentialing and impose access management across the distributed environment through an integrated, synchronized and automated security architecture. According to the FBI: "The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
The practical reality is that most IoT devices are not designed with security in mind. In fact, most IoT devices are headless, meaning they don’t have a traditional operating system or even the memory and processing power necessary to build in security or install a security client. This means that healthcare organizations must invest the necessary cybersecurity framework and processes to ensure their IoT are secure, and are available to be used for the care of their patients.
The Healthcare Sector Cybersecurity Framework Implementation Guide is available at this link: Healthcare Sector Cybersecurity Framework Implementation Guide. This guide incorporates the Health Insurance Portability and Accountability Act (HIPAA) Security Rule crosswalk published in April 2016 by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR), in addition to other minor changes for clarity. The Guide is intended to help Healthcare and Public Health Sector organizations understand and use the HITRUST Risk Management Framework (RMF) to appropriately and effectively implement the NIST Cybersecurity Framework (CsF) in the HPH Sector and support critical infrastructure protection.
The risks are huge. With patient data and Internet Protocol (IP) stored on connected devices, hackers have the very real potential to completely limit a healthcare organization’s performance. Everybody is becoming more conscious about where their data is being held, and a hospital making a clear effort to show patients what their data is being used for will differentiate itself from the competition.
Would you buy a house that had no front door on it? No, that’s not likely. So, why would a healthcare organization buy a connected product with no security features in place? To inspire confidence for their patients, hospitals need to ensure they are supplying the lock as well as handing over the keys.