Why IoT security is everyone’s responsibility
Few patients think about the potential security risks when they unwrap their shiny new fitness tracker or Bluetooth-enabled blood pressure monitor. A growing number of payers are offering incentives to patients who wear fitness trackers and achieve fitness goals. Providers are “prescribing” digital health tools with increasing frequency.
Yet, wearables and connected devices are quickly becoming healthcare’s biggest cyber vulnerabilities. A recent Forrester report indicated that in 2017 healthcare breaches will become as common as retail breaches, and more than 500,000 IoT devices will be compromised.
The dangers are clear: device breaches can compromise patient safety and privacy and also provide an entry point for attackers to access health systems’ networks. While every security expert on earth wishes there was a silver bullet that could eliminate cyber risks, no such “one size fits all” solution exists. Regardless of our role in the delivery of healthcare, cyber threats affect all of us, which means that everyone—regulators, device manufacturers, providers and even patients—has a responsibility to help mitigate risk.
With ever increasing urgency, the security of medical devices is now on the U.S. Food and Drug Administration’s (FDA) radar. For the second time in two years, the agency recently released cybersecurity guidance to medical device manufacturers. The guidance focuses on managing security risks after connected devices have been deployed in market, either on a hospital’s network, a patient’s home network or in a patient’s body. The FDA advises manufacturers to establish and maintain a process for identifying hazards, evaluating and controlling risks and monitoring the effectiveness of security controls.
The FDA has taken a significant step in offering this guidance to the community. The intent is to work with device manufacturers and community stakeholders to ensure a mutually agreed upon approach to advance cyber readiness in the manufacturing process.
Much of the responsibility for protecting against cyber threats from IoT comes from the device manufacturers themselves. While many legacy devices were not designed with security in mind, that is now changing as the industry grapples with the consequences of having vulnerable devices in market.
Device manufacturers have a responsibility and an obligation to stay abreast of FDA guidelines on security. At the same time, the reality of the situation makes it impossible to change the situation overnight. There are millions of devices currently in daily use. They may no longer be supported by vendors due to age, or because of changes in technology, they may be no longer updatable. It will take time to see all of these devices reach the replacement stage in their lifecycle. The security issue, and by extension the patient safety issue, will accelerate that timeline to some degree.
There are important steps provider facilities can take to ensure their network isn’t vulnerable to attacks originating with compromised devices. Larger hospitals and health systems with dedicated IT staff should ensure they have a good, stress-tested security program that allows them to identify, protect, detect, respond to and recover from security incidents. This includes segregating medical device networks and monitoring security events at the network level. Hospitals should also outline specific cyber security requirements and request disclosure of device cyber security properties as part of their purchasing process.
Smaller, independent provider practices are more vulnerable because most lack the resources and infrastructure to have a sophisticated security program in place. However, there are steps they can take to practice good security hygiene, including:
- Raise security awareness throughout the organization by sharing examples of phishing scams and explaining the importance of cybersecurity.
- Change the default password on any device installed.
- Diligently back up systems and keep back-ups offsite.
- Install security patches and system updates in a timely manner as they are sometimes issued as the result of an active threat.
These tips raise the security profile of any organization, even if they don’t apply directly to a medical device.
The onus is on the industry to ensure devices are as secure as possible, however, there are best practices that patients as consumers should follow (most of which apply to any internet-enabled devices, not just medical technology), such as:
- Don’t rush through device set-up, and take time to understand and get acquainted with the security features the device offers.
- Understand that devices often default to low-security features unless settings are adjusted. (That’s a nice way of saying: “change the default password!”)
- Create strong passwords and update them on a regular basis.
- Store devices in a safe place when not in use.
- Keep software up-to-date, as updates are often issued due to a specific security issue in the older version.
- Be thoughtful about downloading apps. While it may not be possible to test an app for security vulnerabilities, do research to see if other users have identified any. Apps can share data in unexpected ways and it pays to read any privacy policies offered – if it sounds like privacy and security are not the priority, avoid it.
Device security is the new frontier in healthcare’s cybersecurity battle, and everyone has a role to play. HIMSS has advocated for the adoption of a universal information privacy and security framework that takes a holistic approach to cybersecurity, such as NIST’s Cybersecurity Framework (NISTCSF). This framework incorporates use cases and provides implementation guidance that’s scalable for a range of healthcare organizations and providers of any size.
The battle won’t be won overnight, but by making cybersecurity a priority and by working together, the industry can take meaningful steps to address this important issue that affects us all.