Best Practices for Medical IoT Security
Medical IoT devices have revolutionized the healthcare industry: tracking medication adherence, taking vital signs, even providing real-time alerts for medical emergencies. Unfortunately, that’s not the only industry they’ve revolutionized. Hackers looking to breach healthcare facilities and medical practices sometimes view IoT devices as a potential threat vector. A Capterra survey of medical professionals reported that in medical practices with over 70% of their devices connected to the Internet, the likelihood of experiencing a cyberattack is 24% higher than in facilities with fewer IoT devices.
No facility should have to lower the quality of its medical care because of cybersecurity threats. That’s why it helps to know the best practices for medical IoT security. Where are the most vulnerable points in your organization, and what can you do to secure them? In this post, we’ll explore some of those best practices, including steps you can take to improve your security from day one.
Best Practice #1: Secure Unpatched Hackable Devices
“Unpatched” devices are devices using applications that contain existing vulnerabilities. The problem is that these vulnerabilities and security issues have not yet seen software updates (or “patches”) that fix them. This leaves you with an “unpatched” device whose precise vulnerabilities hackers may know, thanks to information that is publicly available. For example, did you know that 75% of infusion pumps out there right now have unpatched vulnerabilities?
Securing these unpatched devices might sound complicated, but there are solutions you can use to bring your devices up-to-date and secure. A few top solutions, like Medigate by Claroty and Palo Alto, offer a multi-tiered approach for addressing your problems:
- Discovery: These solutions discover 90% of devices within the first 48 hours of service. They use machine learning to evaluate the status of all your medical IoT devices, and discovery can keep running on an ongoing basis, which helps you remain secure even after you’ve addressed this issue.
- Segmentation: Once you’ve identified the issues, you can segment specific IoT devices and isolate them from the rest of your network, making your medical devices less vulnerable to attack. Think of this like creating “water-tight compartments” around your vulnerable IoT devices.
- Updating: When you find medical IoT devices that have relevant updates and potential FDA recalls, you can then bring them back into compliance with these solutions.
A single one-time evaluation isn’t enough; you must continually monitor your medical devices. Medigate can provide continual monitoring of your medical devices, so that once you secure these devices, you won’t have to worry about missing out on patches or leaving one medical IoT device behind.
Best Practice #2: Using Zero Trust Network Access
Zero Trust Network Access (ZTNA) is the highest standard of network security enforcement—you might know that from the name itself. It all comes down to one issue: it’s not always the IoT devices that are the vulnerability. Oftentimes, it’s the people using them.
For example, let’s imagine someone working at your medical facility who picks the easiest password imaginable. Even if you’ve done a lot of work to secure your devices and patch them with the latest technology, low standards for user entry can be a critical weakness. All a hacker has to do is guess the right password and they’re in, leaving the entire system vulnerable. As we noted in our Zero Trust Network Access blog, a study found 94% of data breaches are “credential-based,” meaning that a hacker simply found their way in by hacking user credentials. The same study found that 99% of those breaches were completely preventable.
ZTNA raises the standard of authentication at the point of entry. Rather than trust that anyone entering the password is the correct user, for example, the device might ask for dual-factor authentication. With dual-factor authentication, a user not only has to remember the password but also has to prove it’s them by using the code they receive on, say, their phone.
ZTNA also means that any user who gets in is trusted less. Rather than allowing a user to access whatever they want, user permissions are segmented on a “need-to-know” basis. This means that even if you do have a breach through a user’s credentials, a hacker can only access the limited segments that come with that user’s permissions. In this case, a breach won’t automatically mean total vulnerability throughout your entire network.
Best Practice #3: Network Access Control
Let’s say there is a breach in your organization. What can the hacker access? Network access control will have a lot to say here. By setting specific network access policies in your organization, you limit the damage an individual breach can do.
Many network providers are now offering a ZTNA-based approach for securing your network, making it much easier to manage. For example, your network access policy can grow cumbersome if you have to change every user’s permissions manually any time there’s a change. But network providers like Aruba Wireless and Arista Networking can now include automated policy control, making it easier to roll out these new network policies without having to hit every switch and dial along the way. For example, the Aruba ClearPass solution can provide organizations with what they need to easily manage employee access levels and secure “rogue” devices that might be a security vulnerability.
With these new solutions, Comport can help you choose the solution that works for your team. Create the network access your users need while enhancing the total security of your network, all without frequent cumbersome tasks for your workforce. Newer solutions don’t just think about network segmentation in simple terms; they address user permissions by multiple variables: applications, which users are using the applications, and viewable content. If you secure your network, your medical IoT security is also heightened by default.
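The difference between flat access and segmented, need-to-know permissions (Best Practices #2 and #3) can be made concrete with a small default-deny policy check. This is an added example, not code from any product named in this post; the roles, segments, applications and device names are constructed for illustration.

```python
# Constructed sample data: roles, segments, applications and devices are
# illustrative and not taken from any vendor product.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    segment: str       # network segment the device is isolated in
    application: str   # application used to reach the device

@dataclass(frozen=True)
class Rule:
    role: str
    segment: str
    application: str

DEVICES = [
    Device("infusion-pump-01", "infusion", "pump-console"),
    Device("infusion-pump-02", "infusion", "pump-console"),
    Device("vitals-monitor-01", "monitoring", "vitals-dashboard"),
    Device("mri-scanner-01", "imaging", "imaging-viewer"),
]

# Need-to-know allow list: any (role, segment, application) not listed is denied.
POLICY = {
    Rule("ward-nurse", "monitoring", "vitals-dashboard"),
    Rule("ward-nurse", "infusion", "pump-console"),
    Rule("radiologist", "imaging", "imaging-viewer"),
}

def is_allowed(role: str, device: Device, mfa_passed: bool) -> bool:
    """Allow only if the second factor succeeded AND an explicit rule matches."""
    if not mfa_passed:
        return False
    return Rule(role, device.segment, device.application) in POLICY

def blast_radius(role: str, mfa_passed: bool = True) -> list[str]:
    """Devices reachable by whoever holds this role's credentials."""
    return [d.name for d in DEVICES if is_allowed(role, d, mfa_passed)]

def flat_network_radius() -> list[str]:
    """Baseline without segmentation: any valid login reaches every device."""
    return [d.name for d in DEVICES]

if __name__ == "__main__":
    print("flat network:", flat_network_radius())
    print("stolen radiologist login:", blast_radius("radiologist"))
    print("password only, no 2nd factor:", blast_radius("ward-nurse", mfa_passed=False))
```

Comparing `flat_network_radius()` with `blast_radius(role)` for each role shows how much a single compromised account can reach before and after segmentation.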
Best Practice #4: Network Security Assessments
What if you don’t know which vulnerabilities you first need to address? Work with a firm that can take a look at the security of your network. Comport, for example, offers assessments like our Security Assessment or Aruba Wireless Assessment that can look at either your security or your overall network to develop a strategy to optimize either. Think of an assessment as the ounce of prevention that’s much easier than the pound of cure. They are a must when it comes to medical IoT security because they reveal what you don’t know, not what you think you know.
Best Practice #5: Create End-to-End Protection
It’s no longer safe to secure only at the edge or at the core; you need to look internally as well. Newer solutions will provide secure communications for IoT data transfer and storage between the IoT sensors both on the edge of your network and in the core. This allows you to scale medical IoT devices while still ensuring security of your network.
MIoT (Medical IoT) is great for patient care because it provides a wealth of information we never had before. However, like other technology, it needs to be secured to keep patient data safe. Use the best practices above to ensure medical IoT security with the latest standards, all without interfering with your ability to focus on the important work of helping people with their healthcare needs.