The growth of IoT devices poses a new challenge to the healthcare industry. Medical devices such as heart monitors, X-ray machines, MRI/fMRI machines, and infusion pumps are increasingly networked, and their proliferation has expanded the attack surface for data breaches and intrusions. A patient’s personal health information (PHI) is in more danger than ever. Perhaps even more frightening are the implications of malicious actors gaining control of the devices that deliver patient care, which could ultimately threaten a patient’s safety and life.
Patient Health at Risk
As technology has moved toward a more wireless and interconnected world, every industry, not just consumer electronics, has benefited from this shift. It is remarkable that a patient’s condition can be viewed from a tablet, or that device settings can be adjusted with the touch of a Bluetooth remote. The progress we have made toward IoT medical devices has produced gains in productivity and convenience. However, to fully seize this growth and reap its benefits, security must be at the forefront of the discussion and prioritized, because most of these devices were not designed with security in mind. In fact, according to Gartner, 25% of healthcare attacks and data breaches will originate from IoT devices by 2020.
A Prescription for IoT Security
In 2013, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigated a large medical institution whose network was open to unauthorized access through its wireless network, exposing the ePHI of approximately 10,000 patients. The result was a $2.75 million settlement with OCR. Leaving ePHI unprotected risks not only costly fines but also brand reputation, stock price, and HIPAA non-compliance.
A passive approach is to deploy distributed sensors that do not connect to the facility’s Ethernet network and operate autonomously in the environment. Because the sensors only observe, they add no new path into the healthcare network or its ePHI, and identified risks and threats are reported out-of-band over LTE to the cloud. The SaaS can then report and notify the team of identified threats to shorten time to resolution, and drive automated mitigation to minimize the attacker’s window of opportunity. Note that any automated mitigation that changes the production network must itself be authorized and logged, since it is the one point where the out-of-band system acts on in-band infrastructure. This approach supports HIPAA compliance and provides an audit trail of activity and reporting for the IT and security teams.
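As an added illustration (not code from the original page or from any vendor product), the following Python sketch shows the kind of analysis a passive wireless sensor could perform: it compares observed 802.11 beacons against an approved access-point inventory, flags a protected SSID advertised from an unapproved BSSID (a rogue or “evil twin” access point) or an approved AP advertising no encryption, and packages the findings as a JSON report for an out-of-band uplink. The SSIDs, BSSIDs, inventory and beacon observations are all constructed, and the two detection rules are assumptions about what such a sensor would check, not features the page describes.

```python
"""Passive wireless sensor logic (added illustration, constructed data).

Compares observed 802.11 beacons with an approved AP inventory, emits one
finding per (type, BSSID) pair, and builds a JSON report for an out-of-band
uplink. Nothing here touches the monitored network.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class Beacon:
    """One 802.11 beacon frame as a passive sensor would observe it."""
    ssid: str
    bssid: str      # transmitter MAC address
    channel: int
    rssi: int       # received signal strength in dBm at the sensor
    privacy: bool   # True when the beacon advertises WPA2/WPA3 (Privacy bit set)


# Approved access points per protected SSID. Constructed inventory; a real
# deployment would load this from the facility's wireless controller.
APPROVED_BSSIDS = {
    "clinical-net": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "infusion-pumps": {"00:11:22:aa:bb:10"},
}


def analyze(beacons, approved=APPROVED_BSSIDS):
    """Return findings for beacons that advertise a protected SSID from an
    unapproved BSSID (rogue / evil twin) or that come from an approved AP but
    advertise no encryption (configuration drift). SSIDs we do not own are
    ignored; repeated beacons from the same BSSID are reported once."""
    findings = []
    seen = set()
    for b in beacons:
        bssid = b.bssid.lower()          # MACs compare case-insensitively
        allowed = approved.get(b.ssid)
        if allowed is None:
            continue                     # not one of our SSIDs
        if bssid not in allowed:
            kind = "rogue_ap"
        elif not b.privacy:
            kind = "open_network"
        else:
            continue                     # approved and encrypted: nothing to do
        if (kind, bssid) in seen:
            continue                     # beacons repeat ~10x/s; report once
        seen.add((kind, bssid))
        findings.append({"type": kind, **asdict(b), "bssid": bssid})
    return findings


def build_report(sensor_id, findings):
    """Package findings as a JSON document for the out-of-band (LTE) uplink."""
    report = {
        "sensor": sensor_id,
        "observed_at": datetime.now(timezone.utc).isoformat(),
        "finding_count": len(findings),
        "findings": findings,
    }
    return json.dumps(report, sort_keys=True)


# Constructed observations: two legitimate clinical-net APs, one evil twin of
# clinical-net seen twice, an approved pump AP misconfigured without
# encryption, and an unrelated guest SSID that should be ignored.
SAMPLE_BEACONS = [
    Beacon("clinical-net", "00:11:22:AA:BB:01", 36, -48, True),
    Beacon("clinical-net", "00:11:22:aa:bb:02", 44, -61, True),
    Beacon("clinical-net", "de:ad:be:ef:00:01", 6, -35, True),
    Beacon("clinical-net", "de:ad:be:ef:00:01", 6, -36, True),
    Beacon("infusion-pumps", "00:11:22:aa:bb:10", 1, -55, False),
    Beacon("Guest-WiFi", "00:11:22:aa:bb:99", 11, -70, False),
]

if __name__ == "__main__":
    print(build_report("sensor-ward3", analyze(SAMPLE_BEACONS)))
```

Running the block prints a report with two findings: the rogue BSSID impersonating clinical-net and the pump AP that has lost its encryption setting. A real sensor would feed `analyze` from a monitor-mode capture rather than the constructed list, but the inventory comparison and the one-report-per-BSSID deduplication are the parts worth keeping.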