By Reda Chouffani
A connected healthcare where patients can transmit data back to their physician to monitor their vitals after leaving the hospital has been a dream for many. The ability to leverage connected devices to capture and transmit relevant health information from a patient's heart monitor while at home or record oxygen levels while in the operating room shows the power of medical devices. But with the recent debilitating distributed denial of service attacks against some of the top DNS servers, such as those used by Amazon, many IT executives have had to question whether or not their IoT strategy is still safe or even possible.
In October 2016, parts of the east coast experienced outages that affected a number of online services. The outages were the result of connected devices such as DVRs and IP cameras that hackers turned into botnets to repeatedly send web requests to overwhelm web servers and take them down. This coordinated effort shows how IoT security vulnerabilities can be used remotely to cause significant damage.
These IoT security vulnerabilities are not limited to connected cameras and DVRs. There are a number of other consumer and enterprise devices that can be just as vulnerable as these recently affected devices. This means that all connected medical devices used for patient care must be carefully evaluated and additional precautions must be taken to ensure patients are not the target of future attacks.
Hospital CIOs who recognize the benefits of connected devices and potential risks associated with them must take the appropriate steps to ensure their devices can't be used during cyberattacks.
Know what devices you have
It goes without saying but an IT department must know what each and every device connected to their environment is and what it's there for. With the rise in the number of connected medical devices inside and outside the hospital, leveraging a tool that helps keep visibility of the different endpoints is a must. This helps monitor which devices are online but also maintains visibility of which ones may need to be updated when needed.
Always keep the connected devices up to date
IoT devices must be treated and maintained the same as workstations and servers. They too receive software updates which may include important security fixes. It becomes imperative for IT to maintain those devices and keep them up to date.
Keep the devices on their own separate network
Maintaining multiple networks or VLANs for IoT devices is beneficial for a hospital network. This enables IT to better protect some of its core networks that host the EHR and other hospital systems in case an IoT attack occurs, and gives clear visibility of traffic patterns of the devices.
Monitor activities within the environment
If at any point a device within a hospital is hijacked by hackers, suspicious data transfers and activities are likely to follow. A hospital should always monitor network traffic including the different destinations and sources of communication. With the appropriate monitoring tools, any suspicious activities will raise a red flag and enable IT to further investigate in order to address it.
Choose devices that meet compliance criteria
Device manufactures who deliver solutions to the healthcare market recognize the sensitivity of the data and the need to comply with HIPAA requirements. For that reason, many of them put a clear emphasis on taking the appropriate steps to include robust security features that can ensure the devices are better protected and data is secured. Hospitals should always know what specific steps have been taken by the vendor to meet the HIPAA and in some cases FDA recommendations or requirements.
It is certainly troubling to find out that millions of internet connected cameras and DVRs sitting in the homes of many consumers were used to attack Amazon's DNS servers and other online services. These IoT security vulnerabilities raise concerns that one day connected medical devices can be used for a similar purpose or even worse, used to harm patients by altering their functions. CIOs have the ability to take the necessary steps to ensure they are prepared and protected, but vendors must also ensure that their products are well designed and include all the right security protections to make it hard for hackers to take over their devices.