Steps for Effectively Securing Internet of Things in Healthcare

These IoT devices are ripe for compromise. The reality is that these devices provide prime opportunities for hackers to do their worst including theft of patient data, ransomware, and even potentially compromise patient safety. Healthcare IT leaders are faced with the dilemma of keeping their network safe while providing the care their patients require through seamless interaction and uptime of all devices. Below are some tips for creating an IoT Healthcare Security Strategy.

Scalability and Automation

In an average hospital, there are typically several networked medical devices for each bed. Multiply that times the number of beds and add in other pieces of equipment such as MRI, CRT, and X-ray systems and you see that the number of IoT medical devices and systems can become quite large; much larger in fact than the number of actual laptops, PCs, and mobile devices used by caregivers and administrators. Managing access to and monitoring these IoT devices requires a solution that can scale and automate network-based administrative and management tasks. With the sheer numbers of connected devices, the network must be smart enough to automate secure connectivity.

Endpoint Protection: Securing Internet of Things in Healthcare

One of the first steps to gain control of your IoT network in your healthcare facility is to secure the endpoints. This goes beyond traditional endpoint protection implementations for PCs, laptops, and tablets as unsecured IoT devices present a much bigger threat of compromise. Using comprehensive network device monitoring tools in combination with a well-thought out network access policy management system, such as Aruba ClearPass, helps you get control of your IoT network and feel confident in its security.

1. Device Management. Medical IoT devices can be onboarded in a variety of ways, including 802.1X authentication with RADIUS, MAC authentication, agents, and MAC plus 802.1X or captive portal. Making sure that your system supports tracking the entry points greatly simplifies your manual tracking and device onboarding process.

2. “Fingerprint” the Devices. In basic terms, this means collecting information from the IoT device such as IP address, MAC address, and any other characteristics to help network managers understand what “normal” behavior is for that device. This is a critical step in detection of breaches, as any deviation from normal behavior could indicate malicious activity.

3. Profile the Devices. After going through the “discovery” and “fingerprinting” process, a good practice is to profile the devices so they can be classified. Contextual data (device attributes—such as name, type of device, IP address, MAC address, etc.) is gathered using network-based collectors. Once all the contextual data is collected, a profile is created for the device, which is used as a basis for policy management. Device data is continuously checked against the profile so if deviations occur (i.e. a medical device looks like a printer), the device can be removed from the network.

4. Create a Policy. A policy is only as good as the data used to build it and the tool used to enforce it. Find a tool that provides policy automation to effectively manage the scale of workflows required in a high volume IoT environment. Policies should be managed so that as new devices are introduced, they are profiled and added to the correct zone. This gives your organization tight control over how devices operate and communicate, resulting in better containment of threats when they emerge.

5. Monitor and Analyze Traffic. Make sure that you can automate information gathering from several sources and then analyze that data for odd behavior. Why? You need to be able to quickly identify devices to be removed from the network or quarantined before they cause an issue. That would happen, for example, if a medical device attempts to communicate with an accounting server, which could indicate a breach. When unusual traffic is discovered, systems like Aruba ClearPass from Aruba, a Hewlett Packard Enterprise company, can automate disconnection of the device from the network, minimizing the damage.

Secure Segmentation is Crucial

1. Securely Partition Traffic. At a high level, to prevent intruders from moving laterally across the network once they breach it, applications and services should be securely isolated from each other. For example, the network that delivers MRI data to the patient EHR database should be isolated from the network that supports connectivity between the payment card system and the backend financial systems. Guest wi-fi should be securely segmented from the network caregivers’ use to administer and manage care.

2. Elastic Connectivity. The concept here is to provide access and services to devices only when specifically required and authorized. Network access will only be available for the duration of the session and then retracted from the edge, to reduce exposure.

IoT healthcare security may seem daunting, but with these guidelines you’ll be well on your way to reducing the risk of compromised patient data or having life-supporting equipment locked down without proper controls in place.

Want to learn more? View our infographic to learn about the adverse effects of unsecured IoT in healthcare.

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

© 2017 Comport Technology Solutions. All rights reserved.

Bill Flatley, Field CTO for Healthcare

Bill is responsible for technical strategies and recommendations for Comport’s Healthcare clients. His extensive experience includes four healthcare systems in leadership roles supporting Clinical Applications, Digital Health, and Office of the CIO as the primary liaison between IT and the business.