Q&A: Securing IoT in the World of Healthcare

According to IBM’s 2016 Cyber Security Intelligence Index report, cyber criminals attacked healthcare more than any other industry last year, with more than 100 million healthcare records being compromised. As the use of IoT devices continues to grow in hospitals, we talked to Roger Bailey about the risks, and how to secure these increasingly distributed healthcare environments.

Q&A with Roger Bailey, Sales Engineer at Fortinet

How is IoT growing in the world of healthcare?

There are two sides to IoT in hospitals – the customer experience side and the administration/clinical side. It has truly become a consumer market for hospitals and other healthcare institutions. Organizations are being expected to provide new and improved patient care capabilities across the board, including hotel-like amenities. Patients are demanding the same comfort level they have when they're at home. That includes high-speed wireless for devices and access to Hulu and Netflix while sitting in bed. If you’re going to spend any amount of time in a hospital, you want to be comfortable. People can choose what hospital they go to, and they are choosing based not just on the quality of the care but the quality of the services provided.

What about IoT on the administrative and clinical side of the house?

Healthcare has been on the bleeding edge of IoT before IoT was a household word. Doctors have had pagers, then cell phones, long before most people had them. They have had PCs at every breaking edge, now it's smart phones and tablets. Doctors don't even carry medical documentation with them anymore. They get pharmacology reports, lab results, even medical and diagnostic images, sent directly to their devices.

Then there are the medical devices. The next time you go into an ER, look around and count how many electronic devices are there. One issue is the FDA regulates all medical devices that plug into the network (infusion pumps, EKGs, MRIs) so they are painful to update. They cannot put the latest and greatest software on there, and they don't have encryption. So for these institutions, one of the major pain points right now is securing those devices.

What are the dangers of IoT in Hospitals?

The first draw for cybercriminals is the data, and there is a lot of it. The longer someone stays in the hospital using their wireless devices, the more data is generated. And the medical devices themselves are constantly feeding information back-and-forth, so there is a ton of meta-data. What makes it even more challenging is the fact that this data is the most expensive and most coveted on the Dark Web. Healthcare client records go for between $400 and $500 per record, versus a credit card record at just $4, so you can see why the attacks continue to mount.

Then there is the danger of medical devices being hacked. Imagine an infusion pump in the ICU. A nurse sets the prescribed infusion rate of a medication, but someone hacks the device and starts pumping four times that rate into the patient. This can cause damage, paralysis, even death. All the while, the pump reads the original dosage. This is, of course, what happened with Stuxnet in Iran. Stuxnet took control of centrifuges that were separating nuclear material and ran them at a much higher speed than was safe until the centrifuges tore themselves apart. Then Stuxnet got out “into the wild” and opened the door to a whole array of industrial and manufacturing compromises.

And just recently, there a major IoT-based hack on the East Coast that took out huge sections of the Internet. Hospitals are acutely aware that all the connected medical devices they have deployed are similar to the types of devices that are being compromised, so they need to devise different ways to separate things and lock the data down at an application level.

What do healthcare organizations need to be thinking about from a security architecture standpoint as they move more into the world of IoT?

IoT takes your attack plane and flattens it. It makes everything accessible, it makes everything suspect, and there should be zero trust with regards to anything that needs to be PCI and HIPAA compliant.

Fortinet addresses these challenges with integrated healthcare solutions that include enterprise firewalls, internal segmentation firewalls, advanced threat protection, and a comprehensive Security Fabric that ties everything together – from endpoint devices all the way through to electronic medical records. Integrating your infrastrcture together enables application awareness, so you can always identify what applications are running within the medical practice, and synchronization so that deployed security resources can automatically coordinate a response to a detected security event. And internal segmentation allows you to lock up all your devices for PCI and HIPAA compliance, so they can do their job and traverse the network safely.

Another piece of the puzzle is analytics. It's not good enough anymore to be a reactionary IT department. You need to be proactive. You have to have a sandbox proactively scanning all the servers on the network looking for advanced threats that might've slipped through.

Finally, as far as the healthcare industry goes, security information and event management (SIEM) technology should be required. When a breach could put hundreds or thousands of patients’ sensitive information at risk, and cost your organization millions, you need real-time monitoring across your network and the ability to respond immediately to an event. Some of the recent mega-breaches we’ve seen in retail and other areas could have been avoided, or at least mitigated, if they have been monitoring and questioning unusual traffic within their networks. If you do not have a system that is proactively monitoring sensitive areas so you can respond to threats quickly, then you're doing your organization, and your patients, an injustice.

You can read more about Fortinet’s integrated and scalable healthcare security solutions online.

At HIMSS? Visit our cybersecurity experts in Booth #981 and learn how to deliver security without compromising patient care.