The rise and risk of IoT in healthcare
Mon 8 May 2017 | Carson Sweet
Carson Sweet, co-founder and CTO at CloudPassage, argues why we cannot lose sight of compliance and security measures as IoT plays an increasing role in the healthcare sector…
Technology in the healthcare industry has evolved rapidly in recent decades, particularly with the advent of the Internet of Things. Currently, healthcare IoT offers the benefit of significantly increased situational awareness surrounding patient and hospital operations. However, this technology also introduces new and unfamiliar cybersecurity risks with enormous consequences to human life.
Spending on IoT in healthcare is expected to reach $117 billion by 2020. With this level of adoption, healthcare technology executives will have to rethink security in light of the vulnerabilities that will arise as a result of these new technologies. Let’s examine the risks posed by IoT in healthcare and some best practices CIOs can leverage to help mitigate them.
Lack of security
The use of IoT within the healthcare industry, including internet-enabled healthcare devices, inevitably raises cybersecurity concerns for both patients and healthcare providers. Healthcare is not alone: many high tech industries have been grappling with cybersecurity issues for decades now. The healthcare industry has the same challenges managing cybersecurity risks as any industry, including the advent of IoT devices. But given the potential impact on human life, the stakes and pressure are far higher.
Some manufacturers and software providers are adapting to new cybersecurity challenges more quickly than others, but there’s still a long way to go and learning on the fly is a high-risk approach. Losing a credit card number is problematic, but theft of medical data or the compromise of a medical device itself is something entirely more sinister and harmful, which is why a strong security posture is critical.
Data theft isn’t considered directly life-threatening, but it can have devastating implications on patients and providers. Imagine the impact if sensitive medical conditions suffered by thousands of patients were posted to public forums like Pastebin, or worse, if data were sold to extortionists. These data compromises could create HIPAA violations for the healthcare provider, which can be a very expensive and unpleasant experience from a business standpoint.
Since patients have very little or no ability to demand a certain type of device be used in their therapy, the responsibility falls squarely on the healthcare providers
An even more terrifying prospect is subversion of the devices themselves. Weaknesses have already been identified in internet-connected medical devices such as remotely manageable insulin pumps, internal defibrillators and pacemakers. Weaponization of these vulnerabilities transcend traditional cybersecurity threats, moving squarely into the realm of cyberterrorism. It’s the duty of healthcare providers, device manufacturers, software developers, and the healthcare industry as a whole to build thorough defenses against threats.
Early best practices
It’s still very early days for IoT in healthcare, but the promise is great and adoption is accelerating. Although the FDA has undertaken some activity to provide cybersecurity guidance related to medical devices, broadly accepted and battle-tested industry standards have yet to emerge. However, some common-sense best practices can be applied today that can significantly mitigate risks to healthcare providers and recipients. Many of these practices fit into two categories – device security and back-end systems security.
Since patients have very little or no ability to demand a certain type of device be used in their therapy, the responsibility falls squarely on the healthcare providers to make the right decisions for their patients up front. Device treatment capabilities, features and economics are all extremely important – but the security of the device, its management systems, and the data it generates is also very important.
Device diligence must be handled up front, because there’s very little recourse for poor security once a device is procured and very little appetite to replace devices even if there is recourse for poor security.
When purchasing medical devices, healthcare providers need to assess the extent to which the manufacturer is attending to security concerns. They need to do this with the mindset that compliance does not equal security – the purchaser needs to go beyond compliance punch-lists to ensure the manufacture and maintenance of the devices happen with security in mind. For the device itself, the buyer should look for well-defined and documented processes for implementing security mechanisms and using secure design practices in device manufacture. These security mechanisms and design constructs should also be subject to thorough testing to validate the security mechanisms they’re intended to provide; this testing process should also be clearly documented and evidenced. Significant security testing failures should be considered product flaws that create no-go conditions for device manufacture.
Another key area to consider is how the device is maintained post-manufacture. It’s inevitable that vulnerabilities will be found in any piece of technology once it’s released into the wild. Better security design and testing processes on the part of the manufacturer will mean this happens less often, but it will happen. This means it’s important to understand the manufacturer’s response when it does. The manufacturer should have a clear vulnerability response plan in place, including protocols to notify device owners (usually the healthcare provider) when a significant vulnerability is identified. Service-level agreements for time to resolve vulnerabilities should also be in place, with commitment to address more severe vulnerabilities more quickly. And of course, the ability for the device itself to have software upgraded relatively easily and quickly is critical – a device that cannot be updated can never have a vulnerability remediated.
Security of back-end management
Device security probably gets the most attention since it’s the most dramatic, and it’s important. Unfortunately, often overlooked are the back-end systems that manage devices, process the data they generate, and provide interfaces for administrators and healthcare providers. Because these back-end systems can often be used to compromise devices or data en-masse, they’re very high-value targets for attackers.
When selecting a device manufacturer, these back-end systems also need to be assessed and also with an eye to security as well as just compliance. Fortunately, standards for application systems such as these abound, making the job of assessment and monitoring simpler.
Protection is key when it comes to implementing cybersecurity solutions, but that protection must fit your needs.
For software that’s delivered to and operated by the buyer (e.g. on-premise software), similar security and compliance practices should be assessed as those considered for the devices themselves. Software development processes, secure design & development practices (e.g. using OWASP standards), testing for vulnerabilities, and an ongoing process for vulnerability detection, notification and remediation are critical. Also important is the impact of software upgrades to device operation, especially for buyer-managed software. If software updates regularly require management system outages, devices need to be able to handle the outage without impact to operation and/or data collection.
Device management and administration systems are often provided as SaaS applications to the healthcare provider. This means the device manufacturer (or sometimes a third-party technology provider) is responsible for ensuring security and compliance in the operation of the system, not just in its development. A thorough assessment beyond a simple SLA or compliance attestation is warranted. Operational compliance with HIPAA standards are a minimum, and necessary for healthcare providers to protect themselves against liability for HIPAA violations. Beyond compliance, the provider should adhere to sound technical and operational practices aligned with existing industry best-practices. Standards such as ISO 27001/2, Center for Internet Security Critical Controls, and (for cloud-based solutions) participation in the CSA STAR program are good starting points.
There are a lot of considerations that go into finding weaknesses within devices and systems and setting up the proper protocol and software to protect patient information. Cybersecurity is an ongoing process that requires the attention of trained professionals. If your organization decides to outsource security concerns to a software provider, make sure they address issues like compliance, automated notifications of security breaches, and providing an easy-to-use interface. Protection is key when it comes to implementing cybersecurity solutions, but that protection must fit your needs.
As with other industries, new and far-reaching technology is continuously introduced and implemented. Healthcare is no exception; cybersecurity will continue to become a more vital component of the industry over time. Whether you’re an individual provider or a larger organization, it’s important that security weaknesses are found and fixed quickly in order to protect the interest of patients and the organization as a whole against cyberattacks.
Standards and practices will evolve, and until then it’s important to apply currently available standards and good old common sense. Don’t forget that compliance doesn’t equal security. But most importantly, be thoughtful and diligent – your patients are depending on it.