The Internet of thing (IoT) is revolutionizing the world, influencing a broad array of industries in different ways: the global market of connected devices is expected to reach $163.24 billion by 2020.
If we analyze healthcare, the IoT presence in this sphere seems really beneficial: specialists in secured custom application development come up with smart solutions that contribute to physicians’ and patients’ comfort
The bright examples are home monitoring systems equipped with sensors allowing to control the state of health remotely, wearables able to track abnormalities, mobile apps that assist in taking pills on time or controlling medicines’ expiration date, smart beds, mobile EHR (electronic health records) applications, etc. Moreover, hospitals utilize the IoT to keep a close eye on medical devices and pills in stock, personnel, and patients.
However, there’s the other side of the coin, and the IoT expansion entails new risks and vulnerabilities, bringing severe headaches to security experts and harming patients.
To cite an example, Johnson & Johnson’s insulin pump turned out to be highly vulnerable due to the unencrypted wireless connection between the remote and the pump, giving hackers a chance to easily implement their malicious techniques: to trigger unauthorized insulin injections and access the entire hospital system.
Let’s take a look at some of IoT security challenges and analyze the ways to address them.
The BYOD (Bring your own device) technology, so widely used nowadays imposes a problem, as it’s complicated to control all the devices entering hospitals through an extensive range of channels (some of them unknown). With this technology it is not easy to find out the device lifecycle and recognize the operating system.
Beyond that, medical device vendors may introduce additional risks by putting standalone devices to the hospital’s network without the network specialist’s knowledge, thus, creating connectivity and network glitches that, in turn, lead to data migration.
Hackers may use connected medical devices to steal patients’ data for creating a fake ID and buying drugs or medical equipment to resell, filing fraudulent insurance claims, and more.
Besides, even accidental failures (intertwined with medical connected devices) that are regularly highlighted in various media outlets may put an end to these promising technologies.
So, what can be done to address the IoT security challenges?
1) Authentication
To guarantee patients’ safety, hospitals should ensure authentication. The two-factor authentication system (2FA) should be installed to access patient records, when a user is to provide auxiliary information to sign in (e.g. a retinal scan, phone text code, DNA sample, fingerprint, etc.), not just the login and password. Thus, there appears a possibility to limit the access to gadgets and systems and maintain a strict control over device-to-device communication.
If this point is successfully implemented, hackers are granted less chances for hostile activities.
2) Encryption
Another so-called basic security hygiene practice is encryption. It’s really convenient to get access to EHRs via mobile devices, but this procedure also entails security risks.
To minimize risks of data breaches and avoid negative outcomes like in Johnson & Johnson’s insulin pump case, it’s a must to encrypt data (both while it is in transit and stored).
As far as storage encryption is concerned, healthcare institutions should ask their vendor to use hardware-level encryption. Unlike software-based encryption solutions for mobile devices that decrease performance by exploiting such resources as CPU cycles and memory, hardware-level encryption, as a rule, does not have a tremendous impact on performance.
Data transmission encryption, however, is not less important. To ruin the chances of sensitive data being stolen, hospitals should control the boundaries of data access for gadgets by allowing to use the internal Wi-Fi network (not an external one) and forbidding to transmit data via the cellular network.
And security specialists, in turn, should ensure the encryption of the facility Wi-Fi network. Such encryption affects the connectivity speed, but it’s worth the trouble.
3) A secure boot
This practice is also aimed at avoiding additional trouble and ensuring IoT devices security. With a secure boot you guarantee that none of the configurations have been changed when the device is turned on, and that nobody has tried to tamper the device.
4) Data dictionary
Sometimes maintaining an inventory of all devices and applications is not enough, and it’s a clever idea to start a kind of data dictionary. Thus, you’ll know where particular data is stored, where it appears and moves, considering its transmission capabilities.
5) Education and training
With the emergence and usage of fresh technologies it’s essential to make sure that hospital employees are aware of new challenges, risks and that they know the ways to address them. Moreover, patients represent an indispensable part of the healthcare world (they are active users of IoT devices), so, raising awareness through clear and detailed instructions should not be ignored.
Conclusion:
The IoT has certainly brought considerable advantages to a variety of industries, positively affecting healthcare. Nevertheless, while relishing all possible benefits it’s vital to bear in mind all the arising challenges and timely respond to them.
[su_box title=”About Yana Yelina” style=”noise” box_color=”#336588″][short_info id=’100626′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.