Making healthcare IoT infrastructure safer
The healthcare sector can benefit greatly from IoT devices: they can improve staff effectiveness, cut operational costs and even improve patient outcomes. However, they also bring new security risks.
Connected devices are always a potential risk, so it is imperative that healthcare institutions do everything they can to keep malicious attackers out. A multi-layered security approach is needed to reduce these threats.
Know your network back to front
It is imperative that you understand exactly what devices and tools are running on your network in order to secure it. As more employees and users become more network savvy, it’s hard to keep track of what is being connected to the network because it’s no longer just IT professionals who are making the connections.
To combat this threat, a modern network access control solution with role-based management and network segmentation is a great starting place. These solutions enable network and security managers to set policies around ‘things’ and devices, meaning that not just anyone can connect to the network. On top of this, it is also possible to set permissions on what data and applications they can access, as well as rules on who can manage and maintain these networks and devices.
These solutions monitor connections to the network automatically and can isolate a suspicious device without IT staff having to action the quarantine manually. Assigned IT staff are then notified to investigate the suspected malicious incident.
The greatest security risks are people
Regardless of the technology in place or the permissions enforced, the individuals using and accessing devices remain critically important to educate, inform and monitor. Unsafe practices are usually the result of poor understanding, so it is key to regularly review and re-certify all staff members on the protocols that keep the organisation safe.
By creating a set of processes and practices around password hygiene and prompts, employees can do their bit to keep the network safe. Password prompts that are unique to the individual are key to building a strong protective perimeter, with everyone owning and protecting their own credentials, and ultimately the network.
Understand the roles of network users and devices
To ensure the efficient running of the network, it’s important to consider the myriad of devices that carry the ability to transmit data, locate them on the network, and consider how they could be used to create an integrated and innovative experience.
In healthcare, patient monitoring within a surgery ward could keep track of vital signs, such as heart rate, without physically attending the bedside. This ability could be critical in detecting a potential issue quicker and taking action (for example alerting a nearby nurse) without the need for caregivers to be everywhere at once.
Clearly, this use case is integral to safe and efficient running of healthcare institutions, and it also fits into part of the IoT puzzle within healthcare, helping those running the institutions to better make use of the equipment they already have.
Use AI to search for changes
By bringing devices together in a single management platform on the network, security staff are better able to take a holistic view of all equipment and begin to build smarter security policies. The unfortunate truth is that, no matter how much planning and patience is put into securing a network, threats will find their way in.
Thankfully, for organisations that want to combat this to the utmost, AI-based machine learning is becoming more sophisticated at identifying early- and mid-stage threat scenarios. Sophisticated cyber-attacks manifest slowly over several months, but by leveraging analytics this technology can spot changes in behaviour that indicate a user’s device is not conforming to its usual profile. In fact, a recent report showed that two thirds of breaches were perpetrated by insider actors, not external forces.
Integrating a powerful access control solution with AI allows suspicious devices or actors to be temporarily quarantined, letting security teams focus their precious time on analysing only the most pertinent anomalies. The savings associated with this model are allowing IT teams to rebalance their workload towards a more proactive security posture.
Connect your network and security
With the global rise of cyber-attacks, there can no longer be a disconnect between network and security teams. Primary security elements must now be embedded into the network so that more sophisticated security policies can leverage the network to gate or grant access to bandwidth.
The challenge with this is that historically some of these features were not embedded as standard but charged as optional extras, so devices and applications were able to slip through flaws in the network design, creating exposure to risk. Today, far more robust security features are deeply embedded into the wireless and wired network, allowing security teams to build around them in a world where the attack surface has grown exponentially due to mobility and IoT. This requires an inside-out view of the security strategy.
Stop relying on default settings
It is surprising how frequently breaches occur because default credentials and passwords were never changed. Most IoT-related breaches to date were the result of organisations failing to change these details, and they have suffered as a result.
Vendors are now getting wise to this and have started offering more unique options than the standard ‘admin’ and ‘password’ defaults, which, surprisingly, are well documented on the internet. However, this does not require unique credentials for every connected device. Instead, role-based credentials that adhere to security recommendations for character length and combinations can be supplied to all devices of the same type. In healthcare, this could mean that all door locks, or all heart monitors, each with their set roles, can have credentials unique to that role.
For employees, having login credentials based on their role means they can access certain applications depending on the context of their location, device type and organisational governance. Security teams can use these parameters to set policies so that when the context changes, a number of actions can be performed, ranging from multi-factor authentication to a security software update or quarantine for further inspection.
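As an added example that is not part of the article, the following Python policy evaluator models the role-based credential rules and context-aware actions described in this section (default credentials, minimum length and character mix, firmware level, location). The default-credential list, minimum length, firmware baselines and device names are constructed assumptions, not figures from the article or any vendor.

```python
from dataclasses import dataclass

# Constructed list of well-known factory defaults (illustrative only; the article
# notes such defaults are widely documented).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_PASSWORD_LENGTH = 14  # assumed organisational minimum
# Assumed per-role firmware baseline; anything older gets a security update first.
FIRMWARE_BASELINE = {"door-lock": "2.3", "heart-monitor": "5.1"}


@dataclass
class Device:
    name: str
    role: str               # credentials are issued per role, not per device
    username: str
    password: str
    firmware: str
    location: str           # where the device currently appears on the network
    expected_location: str  # where devices of this role are expected to be


def credential_findings(dev: Device) -> list:
    """Report credential hygiene problems for the security team to act on."""
    findings = []
    if (dev.username.lower(), dev.password) in KNOWN_DEFAULTS:
        findings.append("default credentials")
    if len(dev.password) < MIN_PASSWORD_LENGTH:
        findings.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    classes = [any(c.islower() for c in dev.password), any(c.isupper() for c in dev.password),
               any(c.isdigit() for c in dev.password), any(not c.isalnum() for c in dev.password)]
    if sum(classes) < 3:
        findings.append("password uses fewer than 3 character classes")
    return findings


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def access_decision(dev: Device) -> str:
    """Map a device's context to one of the actions the article lists."""
    if "default credentials" in credential_findings(dev):
        return "quarantine"  # isolate for inspection, as a NAC quarantine would
    if version_tuple(dev.firmware) < version_tuple(FIRMWARE_BASELINE.get(dev.role, "0")):
        return "update"      # push a security software update before granting access
    if dev.location != dev.expected_location:
        return "mfa"         # context changed: step up authentication
    return "allow"


if __name__ == "__main__":
    lock = Device("lock-ward3", "door-lock", "admin", "password", "2.3", "ward-3", "ward-3")
    print(lock.name, access_decision(lock))  # quarantine
```

Weak but non-default passwords are only reported by `credential_findings`, so the team can rotate them, while the access decision itself is driven by default credentials, firmware level and location.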
Step back and reassess
No matter how much effort is put into securing the network, the work is never really complete. Instead, organisations should always look to evolve and improve their practices as new technology and recommendations become available. This should not mean that everyone has to become an expert in security. Rather, organisations should look to their vendors and partners for what is new and improving in the industry. Taking all these steps does not guarantee security, but the healthcare organisation that takes its security hygiene seriously will mitigate the majority of weak links, whether in People, Process or Technology.
Getting ready for cloud data-driven healthcare
As healthcare continues to recognise the value of data and digital transformation, many organisations are relying on the cloud to make their future-forward and data-centric thinking a reality. In fact, the global healthcare cloud computing market was valued at approximately $18 billion and is expected to generate around $61 billion USD by 2025.
At the forefront of these changes is the rapid adoption of cloud-based, or software-as-a-service (SaaS), applications. These apps can be used to handle patient interactions, track prescriptions, care, billing and more, and the insights derived from this important data can vastly improve operations, procurement and courses of treatment. However, before healthcare organisations can begin to dream about a true data-driven future, they have to deal with a data-driven dilemma: compliance.
Meeting regulation requirements
It’s no secret that healthcare is a highly regulated industry when it comes to data and privacy – and rightfully so. Patient records contain extremely sensitive data that, if changed or erased, could cost someone their life. This is why healthcare systems rely on legacy technologies, like Cerner and Epic EHRs, to manage patient information – the industry knows the vendors put an emphasis on making them as secure as possible.
Yet when SaaS applications are introduced and data starts being moved into them, compliance gets complicated. For example, every time a new application is introduced into an organisation, that organisation must have the vendor complete a BAA (Business Associate Agreement). This agreement essentially puts the responsibility for the safety of patients’ information — maintaining appropriate safeguards and complying with regulations — on the vendor.
However, even with these agreements in place, healthcare systems still are at risk of failing to meet compliance requirements. To comply with HIPAA, U.S. Food and Drug Administration 21 CFR Part 11 and other regulations that stipulate the need to exercise best practices to keep electronic patient data safe, healthcare organisations must maintain comprehensive audit trails – something that gets increasingly difficult when data sits in an application that resides in the vendor’s infrastructure.
Additionally, data often does not stay in the applications – instead healthcare users download, save and copy it into other business intelligence tools, creating data sprawl across the organisation and exposing patient privacy to greater risk.
With so many of these tools that are meant to spur growth and more effective care creating compliance challenges, it begs the question: how can healthcare organisations take advantage of the data they have without risking non-compliance?
Yes, healthcare organisations can adhere to regulations while also getting valuable insights from the wealth of data they have available. However, to help do this, organisations must own their data. This means data must be backed up and stored in an environment that they have control over, rather than in the SaaS vendors’ applications.
Backing up historical SaaS application data directly from an app into an organisation’s own secure cloud infrastructure, such as AWS or Microsoft Azure, makes it easier, and less costly, to maintain a digital chain of custody – or a trail of the different touchpoints of data. This not only increases the visibility and auditability of that data, but organisations can then set appropriate controls around who can access the data.
Likewise, having data from these apps located in one central, easily accessible location can decrease the number of copies floating around an organisation, reducing the surface area of exposure while also making it easier for organisations to securely pull data into business intelligence tools.
When healthcare providers have unfettered access to all their historical data, the possibilities for growth and insights are endless. For example, having ownership and ready access to authorised data can help organisations further implement and support outcome-based care. Insights enabled by this data will help inform diagnoses, prescriptions, treatment plans and more, which benefits not only the patient, but the healthcare ecosystem as a whole.
To keep optimising and improving care, healthcare systems must take advantage of new tools like SaaS applications. By backing up and owning their historical SaaS application data, they can do so while minimising the risk to patient privacy or compliance requirements. Having this ownership and access can propel healthcare organisations to be more data-driven – creating better outcomes for everyone.