By Troy Ament, Fortinet
Medical IoT devices have become essential for the healthcare industry to carry out many of its day-to-day responsibilities. From helping to stop the spread of COVID-19 throughout this year to assisting ambulances, this industry relies heavily on technology to get the job done. Unfortunately, connecting IoT or IoMT devices to an IT network expands the attack surface, and many hospitals are still running on older network systems. This adds new entry points for hackers to target.
There’s also been the issue of remote work. While doctors and medical professionals have been working primarily in the field, there are plenty of employees in any healthcare organization that were switched to working from home during, at least in the initial stages, of the pandemic. There’s also been an uptick in telehealth/telemedicine, which brings in new potential threats, as well as remote testing sites.
This challenge might have been heightened by COVID-19, but it is a long-term challenge that healthcare organizations now face going forward. By following the right best practices, however, organizations can ensure they’re staying secure and in compliance so that they can best care for their patients.
The Danger In IoMT Devices
Today’s coordinated healthcare values require connected medical devices as a fundamental component. Many patients rely on them to maintain their health, even when they cannot visit the doctor – think heart monitors, blood sugar level regulation, and chronic disease management. Unfortunately, these Internet of Medical Things (IoMT) devices are innately insecure and vulnerable to the same types of attacks that impact other technologies, putting patients’ health – and lives – at risk.
What makes this issue even more complex is that malicious actors don’t need to be within close physical proximity to compromise a connected medical device. Upon gaining access to a healthcare network – whether through a misconfigured or unsecured device, or vulnerable cloud data service or health system application – cybercriminals often have access to all devices connected to that network. It is imperative that the healthcare industry, including the developers of these IoMT devices, take steps to secure this technology moving forward.
The Rise Of Telemedicine – And Increased Threats
IoT security in the healthcare industry is changing with the rise of telehealth. The healthcare industry has a history of adopting new technologies to improve patient care. While the tendency is to think of physical equipment, like MRI and X-ray machines, there is another piece of the puzzle that has played a critical role in today’s changing healthcare landscape – telemedicine.
Telehealth technology and its use isn’t new, but widespread adoption has been relatively slow, according to the CDC. That is, until the COVID-19 pandemic. Healthcare organizations have recently made policy changes that make telehealth more accessible. They are now promoting the use of telehealth to deliver acute, chronic, primary, and specialty care.
But telemedicine can pose new cybersecurity risks, as with any technology. While remote care provides many benefits, it can also open the door for cybercriminals to access the networks of healthcare organizations. This is largely due to the way the technology itself functions, with software, applications, and physical devices working in conjunction to connect remote patients to their healthcare providers.
Remote Work And Remote Testing Sites
The third major area of concern when it comes to healthcare and IoT security is remote locations. Not only have many health administrative staff moved to working from home during the pandemic, but there’s also the situation of remote testing sites, which will likely continue throughout 2020.
For hospital systems, the ability to deploy rapidly to remote testing sites has been crucial during the pandemic – but regulatory compliance cannot be compromised. Information gathered from patients anywhere—even at temporary testing locations—is covered under HIPAA, and healthcare providers’ responsibility to protect this information from exposure remains the same even during the crisis.
Securing Healthcare IoT
As the healthcare landscape changes, healthcare organizations must actively ensure the safety of healthcare IoT. In addition to tools designed to secure distributed networks without compromising performance, such as secure SD-WAN solutions, healthcare IT teams should consider the following as they expand on their remote and IoT initiatives:
- A next-generation firewall solution (NGFW) that reduces complexity and meets performance needs while consolidating various security capabilities, such as automated threat protection and SSL inspection.
- A secure telephony solution that protects phone conversations between patients and doctors, as well as business data, with integrated security controls. This technology should be able to keep up with the high volume of traffic that telemedicine initiatives will inevitably bring about, both in terms of security and performance.
- An endpoint solution that provides secure remote access with a built-in VPN while enabling integrated visibility, control, and proactive defense. This should be coupled with an endpoint management system to enable scalable and centralized management of multiple endpoints.
- Wireless management solutions that offer secure connectivity between a remote location and an organization’s networks using pre-configured access points. In addition, healthcare IT teams should also consider combining their wireless access point with a next-generation firewall to maximize security while meeting performance requirements.
- A network access authentication (NAC) solution can deliver network access control to secure IoT environments and provide enhanced visibility, control, and automated response capabilities. They can also give detailed profiling of each device on the network and enables granular network segmentation and automated responses for changes in device status or behavior. This ensures each device only has access to approved items on the network.
Meeting The Need
For healthcare organizations to remain compliant and maintain patient trust, they need to consider all potential risks to ensure IoMT technology is not being exploited by threat actors. Use the best practices noted above to secure telemedicine, remote testing sites, and IoT medical devices to meet the health demands of this unique period of history without risking the safety of patients or their data.
About The Author
Troy Ament is Fortinet’s field CISO for healthcare. He brings more than 20 years of experience to Fortinet, transforming information technology and security programs, with 14 years in the healthcare sector as an executive overseeing clinical technology implementations, and serving as the chief information security officer (CISO) at two of the largest integrated health delivery systems in the U.S. Before joining Fortinet, Troy held the positions of CISO and Director, CISO chief at Sanford Health where he had oversight of the Security Technology, Security Operations, Identity and Access Management, and Governance Risk and Compliance (GRC) Teams.