With recent advancements in technology, the healthcare space is changing. Specifically, new applications and connected devices are being developed to improve productivity and patient access to medical information. This is known as the consumerization of IT, in which technology tools and solutions focus on empowering the end user. In healthcare, this means the patient or physician.
Patients rely on mobile apps that allow them to more easily communicate with their physicians, as well as connected wearable devices that track vitals and other medical conditions. Medical professionals similarly rely on applications to reach patients and other physicians or specialists, in addition to leveraging tools such as electronic health records (EHRs) to centralize patient information.
The practicality of these devices has caused the global market for connected healthcare devices to soar – as it’s expected to reach $1.9 billion by 2022. Furthermore, it is estimated that the average hospital room contains 15-20 Internet of Medical Things (IoMT) devices.
While these developments seem largely positive for patients and medical professionals alike, they can pose many risks where the security of protected health information (PHI) is concerned.
Security Risks Presented by Connected Health Devices
Connecting devices to healthcare networks drastically increases the attack surface, offering more attack vectors that cyber criminals can exploit for network access. Moreover, though widely used, many IoMT devices were not designed with security as a priority. Often, these tools are running outdated systems, or are not supported with essential updates and patches as new vulnerabilities are discovered.
IoMT devices also introduce complexity into security processes. Each device comes with its own operating system and method of security, in which IT teams then need to become proficient. The more complicated these methods are, the greater the challenge in consistent management.
These risks are compounded by the fact that healthcare facilities are high-value targets for cyber criminals, storing patients’ personal, financial, and insurance information, which can easily be sold for profit on the dark web or used to conduct fraudulent activity.
Minimizing Threats with Network Access Controls
The adoption of these devices will continue to grow. Apple Watches, Fitbits, and even pacemakers are likely to be readily connected to networks, not to mention the personal devices of employees, patients, and guests on the network. As such, there have to be in-depth controls and evaluations of the security around these devices and the networks to which they connect to prevent harm. As Sonia Arista, National Healthcare Lead at Fortinet, notes:
“Increased telemedicine services and remote patient care will increase the cyber threat surface through additional devices and Internet of Medical Things (IoMT) connected to the network. To maintain consistent security enforcement and policy, organizations must increasingly leverage network access control tools for assuring visibility across the enterprise.”
Third-generation NAC solutions offer visibility into every device connected to the network. These solutions must offer three key features:
- Increased Visibility: As networks get increasingly crowded with devices, healthcare IT teams must be able to maintain visibility into each device on the network, as well as the activity of those devices. This simplified visibility into connected assets allows IT teams to segment the network based on the function of these devices, and more easily detect anomalous activity that might indicate a breach. When a potentially malicious device is identified, it can quickly be located and isolated.
More than just device visibility, modern NACs must offer administrative visibility through a single integrated console. Ken Puffer, CTO for healthcare at ePlus, notes:
“When you're managing fewer consoles, you have fewer technologies to train your staff on, which means that your team becomes more proficient and skilled with those particular technologies that you do put into place. This integrated visibility allows healthcare IT teams to identify anomalies more quickly and take action immediately.”
- Control: Access control is essential to the protection of sensitive healthcare data, ensuring that devices only have access to the areas of the network that are essential to their function. For example, while a physician’s device might be able to access the portion of the network that houses medical records, it would not be able to reach patients’ financial information, and visitors would be limited to the most basic guest functions. With network access controls, IT teams can assign access on a granular level. To limit lateral movement by potentially malicious devices, third-generation NACs enable organizations to create separate VLANs for IoMT devices.
- Policy Enforcement: Cyber criminals are leveraging automation technology to make their attacks faster and more accurate. This means that manual response times from IT teams will not be sufficient, and remediation needs to happen in “cyber-relevant” time. With this in mind, NAC solutions must be able to respond automatically the moment suspicious behavior is detected. Effective solutions will act immediately to quarantine IoMT devices that exhibit anomalous behavior. Once a device is isolated, contextual information can be delivered to the security team for further analysis. This shortens time to resolution and minimizes strain on the IT team, keeping them from having to evaluate each alert as it comes in.
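To make the three capabilities concrete, here is a small policy engine, added as an illustration for this article and not code from Fortinet, ePlus, or any NAC product. It onboards devices into a VLAN based on their class (visibility), checks each connection attempt against the zones that class actually needs (control), and automatically moves a device into a quarantine VLAN when it repeatedly tries to reach zones outside its profile, handing the analyst the context of what it attempted (policy enforcement). The device classes, zone names, VLAN numbers, the two-denials-in-sixty-seconds threshold and the flow log are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Segmentation policy (constructed example values): each device class is placed
# in a VLAN and may only reach the network zones its function requires.
QUARANTINE_VLAN = 999
POLICY = {
    "physician_workstation": {"vlan": 10, "zones": {"ehr", "internet"}},
    "infusion_pump":         {"vlan": 20, "zones": {"device_mgmt"}},
    "patient_monitor":       {"vlan": 20, "zones": {"device_mgmt", "ehr"}},
    "guest_device":          {"vlan": 30, "zones": {"internet"}},
    "billing_workstation":   {"vlan": 40, "zones": {"finance", "internet"}},
}


@dataclass
class Device:
    mac: str
    device_class: str
    vlan: int
    quarantined: bool = False
    denied: list = field(default_factory=list)  # (timestamp, zone) of denied flows


@dataclass
class Nac:
    devices: dict = field(default_factory=dict)
    denial_threshold: int = 2              # denials inside the window that trigger quarantine
    window: timedelta = timedelta(seconds=60)
    incidents: list = field(default_factory=list)  # context handed to the security team

    def onboard(self, mac, device_class):
        """Visibility: classify a joining device and place it in the right segment."""
        profile = POLICY.get(device_class)
        if profile is None:
            # An unrecognised device gets no trusted segment at all.
            dev = Device(mac, device_class, QUARANTINE_VLAN, quarantined=True)
        else:
            dev = Device(mac, device_class, profile["vlan"])
        self.devices[mac] = dev
        return dev

    def is_allowed(self, mac, zone):
        """Control: a device may only reach zones listed in its class profile."""
        dev = self.devices[mac]
        if dev.quarantined:
            return False
        return zone in POLICY[dev.device_class]["zones"]

    def handle_flow(self, mac, zone, ts):
        """Policy enforcement: evaluate one connection attempt.

        Returns 'allow', 'deny', or 'quarantine' (the denial that tipped the device
        over the threshold and moved it into the quarantine VLAN)."""
        dev = self.devices[mac]
        if self.is_allowed(mac, zone):
            return "allow"
        dev.denied.append((ts, zone))
        # Keep only denials inside the sliding window so old noise does not accumulate.
        dev.denied = [(t, z) for t, z in dev.denied if ts - t <= self.window]
        if not dev.quarantined and len(dev.denied) >= self.denial_threshold:
            self.quarantine(dev)
            return "quarantine"
        return "deny"

    def quarantine(self, dev):
        """Isolate the device and record what it attempted for analyst follow-up."""
        dev.quarantined = True
        dev.vlan = QUARANTINE_VLAN
        self.incidents.append({
            "mac": dev.mac,
            "device_class": dev.device_class,
            "zones": [z for _, z in dev.denied],
            "first_seen": dev.denied[0][0].isoformat(),
        })


# Constructed flow log: timestamp, device MAC, destination zone.
SAMPLE_FLOWS = """\
2024-03-01T10:00:00 aa:bb:cc:00:00:01 ehr
2024-03-01T10:00:05 aa:bb:cc:00:00:02 device_mgmt
2024-03-01T10:00:10 aa:bb:cc:00:00:03 internet
2024-03-01T10:00:15 aa:bb:cc:00:00:02 ehr
2024-03-01T10:00:20 aa:bb:cc:00:00:02 finance
2024-03-01T10:00:25 aa:bb:cc:00:00:02 device_mgmt
2024-03-01T10:00:30 aa:bb:cc:00:00:01 finance
2024-03-01T10:02:00 aa:bb:cc:00:00:01 finance
"""


def run_sample():
    """Onboard three constructed devices and replay the sample flow log."""
    nac = Nac()
    nac.onboard("aa:bb:cc:00:00:01", "physician_workstation")
    nac.onboard("aa:bb:cc:00:00:02", "infusion_pump")
    nac.onboard("aa:bb:cc:00:00:03", "guest_device")
    results = []
    for line in SAMPLE_FLOWS.splitlines():
        ts_s, mac, zone = line.split()
        results.append(nac.handle_flow(mac, zone, datetime.fromisoformat(ts_s)))
    return nac, results


if __name__ == "__main__":
    nac, results = run_sample()
    for line, verdict in zip(SAMPLE_FLOWS.splitlines(), results):
        print(f"{verdict:10} {line}")
    for incident in nac.incidents:
        print("INCIDENT:", incident)
```

In the replay, the infusion pump is denied when it reaches for the EHR zone, and its second out-of-profile attempt (the finance zone) within the window moves it to the quarantine VLAN, after which even its legitimate management traffic is refused until an analyst clears it. The physician workstation's two finance attempts are ninety seconds apart, so the sliding window keeps it out of quarantine while still denying each flow; that windowing is what keeps a single misconfiguration from isolating a clinical device on the first alert.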
Aligning Security with Overall Goals
When deploying new security tools, healthcare organizations should understand what these tools mean in the broader context of business goals and operations. This is where it is useful to work with a consultant that has experience and expertise in both the healthcare and cybersecurity fields. For example, ePlus works with healthcare organizations to determine the right tools to secure their network in accordance with who is using those tools, and what they are trying to accomplish. As Ken Puffer notes:
“It is about understanding the business. This really comes down to: what are the people that are using the technology trying to accomplish? How are they interacting with the systems? What is their role in the business? If we understand what the business and IT teams are trying to accomplish, we can design controls that will make sense to them and won't become an obstacle that they have to find a path around.
Anytime you create an obstacle, especially in healthcare, somebody is going to find a way around it. When they do that, they're circumventing controls, and thus opening the organization up to risk.”
Healthcare organizations will continue to make use of IoMT devices for the convenience and benefit they offer patients and practices. However, they should be careful about how this use expands the attack surface and exposes them to data breaches. With next-generation, integrated security solutions selected and deployed with business goals and stakeholders in mind, healthcare organizations can continue to leverage the IoMT securely.