Wider use of IoT expands security risks for organizations
The number of wearable and implantable devices used to treat patients is growing rapidly, but because clinicians typically only focus on medical outcomes, data security will always be a secondary consideration for them, warns Ron Schlecht, founder and managing partner at BTB Security, a cybersecurity company.
“We need to engage business and clinical leaders in security outcomes,” he contends. “The biggest risk is that a medical device could be compromised and affect health or adversely affect the infrastructure in the hospital. Devices can be accessed via Bluetooth, and (hackers) can get into the hospital infrastructure without anyone knowing it.”
The increased use of wearable devices requires healthcare organizations to carefully assess the device and how it connects to hospital systems, he adds.
Another major device vulnerability remains the use of mobile nurse carts, Schlecht notes. Nurses want the carts because they give access to the electronic health record system almost everywhere in the facility. But a cart can pose a security risk if a nurse leaves it in the hallway to go into a patient room and doesn’t lock the computer screen. He suggests implementing software that locks the screen within 10 to 20 seconds if a nurse has walked away.
The mobility of patients and workers, as well as the sometimes urgent need to provide care, can leave gaps in security, Schlecht contends. In healthcare, patients often need immediate help, so providers need quick access to data. This ability to access information often is extended throughout a facility as patients move from department to department. That increases the potential footprint through which hackers can access data.
However, Schlecht believes the biggest current data security threat is social engineering—hackers are getting better at convincing people to share network credentials that can be used to access an information or email system.
Hackers have ramped up their attacks; now, they are more likely to send phishing emails to 300 targets in a healthcare organization, using pitches that are more polished and seem plausible.
“Everyone in healthcare is getting better with security, but so are the attackers,” Schlecht says. “Healthcare organizations must engage for strategic security advice, and they need to engage clinicians to embrace security and make sure everyone is on the same page on how data will be protected.”