The Internet of Things (IoT) has radically changed how providers and patients approach care by generating more accurate sensory data and making possible new avenues of treatment. For instance, in today's modern hospitals, everything from the ultrasounds to the automatic doors may be computer operated and digitally linked to the larger hospital network—just two examples of IoT technology, which describes devices with digital and computing capabilities that interface with the physical world. Other examples would be a smart watch that tracks your steps, or a programmable insulin pump.
However, while the value of IoT devices is difficult to dispute, there is also a risk that they can act as vulnerable access points for cybersecurity breaches. The health care industry is frequently targeted by cyber-attacks, and hospitals must balance the security risks of IoT devices against their potential benefits. To that end, the National Institute of Standards and Technology in June released a report outlining some of the dangers of cyber-attacks on IoT technology, as well as steps institutions can take to help mitigate them.
The hazards of IoT devices in hospital systems
There are serious ramifications for health care organizations if one of their IoT devices is maliciously hacked. Third parties may be able to access confidential hospital documents or personal patient information, tamper with data that could lead to incorrect provider decisions, or make it impossible for staff to view vital information. Once in the system, attackers may be able to infiltrate the wider hospital network, compromising any digital materials (e.g., financial documents, EHRs). Moreover, if someone took control of IoT devices that are able to not only monitor the environment, but also to change it, he or she could impair hospital functions, such as by turning off the lights in an operating room or interfering with a patient's pacemaker. And the more IoT technologies a hospital adopts, the more potential vulnerabilities there are.
In fact, the ubiquity of IoT devices is part of what makes them so risky. Often, health care organizations do not know exactly how many IoT-enabled devices they have operating at any given time, making it virtually impossible to monitor each of them for possible breaches or ensure their security features are up to date. And many IoT devices are considered "black boxes"—we know what their inputs and outputs are, but we can't see the process taking place within the machine. With these devices, technicians can have a difficult time evaluating whether the device has been altered and often cannot add additional security features. Furthermore, conventional IT security measures may be insufficient for protecting IoT devices for a number of reasons, including the wide variety of software involved and the need to use the devices quickly in case of emergency.
How to mitigate the risks
Hospitals and health systems should not rely on their existing IT infrastructure to ensure that IoT devices are protected from cyberattack. They must instead adapt their methods to the unique circumstances IoT creates. Here are some steps you can take to protect your organization:
- Create and maintain an inventory of all of the IoT-enabled technologies in your facility or with access to your network so your organization can evaluate them for possible vulnerabilities and patch or update them as needed. If your in-house IT team doesn't have the requisite experience to oversee this process, it may be necessary to hire a third party that specializes in IoT security.
- Think about whether the benefits provided to clinicians and patients by a specific device outweigh the possible security risks, and if the steps needed to secure a device are worth it. For example, network isolation is a highly effective way of guaranteeing that infiltrating one machine will not grant a hacker access to the rest of the system. However, it can also render certain technologies designed for interoperability essentially useless by preventing them from interacting with the network.
- Secure staff buy-in, as clinicians and administrators are often the ones interacting with the technology on a daily basis. In the past, cybersecurity has taken a back seat to care delivery. However, with more and more diagnostic and treatment procedures relying on IoT technology, the two are inextricably linked. Emphasize to staff that taking proper cyber precautions is just as important as taking proper clinical precautions. It protects providers, it protects the institution, and—most importantly—it protects patients.
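For the inventory step above, here is an added example (not part of the original article) that reconciles a recorded device inventory against the devices actually observed on the network. It flags unknown devices, devices on an unexpected network segment, devices with outdated firmware, and inventoried devices that were not seen. The record layout and every device name, MAC address, segment name and version are constructed assumptions.

```python
# Added example; all devices, MACs, segments and versions are constructed.
# Assumed layout: inventory maps MAC -> record; "latest" is the newest
# firmware version the vendor has published, as recorded by the IT team.
INVENTORY = {
    "00:11:22:aa:bb:01": {"name": "ultrasound-3", "firmware": "2.1.0", "latest": "2.1.0", "segment": "clinical-iot"},
    "00:11:22:aa:bb:02": {"name": "infusion-pump-7", "firmware": "1.4.2", "latest": "1.6.0", "segment": "clinical-iot"},
    "00:11:22:aa:bb:03": {"name": "door-controller-1", "firmware": "5.0.1", "latest": "5.0.1", "segment": "facilities"},
    "00:11:22:aa:bb:04": {"name": "patient-monitor-2", "firmware": "1.9.0", "latest": "1.10.0", "segment": "clinical-iot"},
}
# Constructed observations (MAC, segment), e.g. taken from DHCP lease records.
OBSERVED = [
    ("00-11-22-AA-BB-01", "clinical-iot"),
    ("00:11:22:aa:bb:02", "clinical-iot"),
    ("00:11:22:aa:bb:03", "corporate"),
    ("00:11:22:aa:bb:99", "clinical-iot"),
]

def norm_mac(mac):
    """Normalise MAC notation so 00-11-22-AA-BB-01 matches 00:11:22:aa:bb:01."""
    return mac.strip().lower().replace("-", ":")

def version_tuple(version):
    """'1.10.0' -> (1, 10, 0), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def reconcile(inventory, observed):
    """Compare the recorded inventory with what was seen on the network."""
    inv = {norm_mac(mac): dev for mac, dev in inventory.items()}
    seen = {norm_mac(mac): segment for mac, segment in observed}
    report = {"unknown": [], "wrong_segment": [], "needs_update": [], "not_seen": []}
    for mac, segment in sorted(seen.items()):
        if mac not in inv:
            report["unknown"].append(mac)              # on the network, not inventoried
        elif inv[mac]["segment"] != segment:
            report["wrong_segment"].append(inv[mac]["name"])
    for mac, dev in sorted(inv.items()):
        if version_tuple(dev["firmware"]) < version_tuple(dev["latest"]):
            report["needs_update"].append(dev["name"])  # patch or update candidate
        if mac not in seen:
            report["not_seen"].append(dev["name"])      # inventoried, not observed
    return report

if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, OBSERVED).items():
        print(f"{finding}: {items}")
```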