Health care organizations should develop a strategy to mitigate cybersecurity risks associated with connected medical devices.

Photo credit: Martin Barraud, Getty Images

With health care experiencing accelerated adoption of the Internet of Things (IoT), demand is skyrocketing for connected medical, operational and personal “things.” Not coincidentally, attacks on health care organizations are also rising, with numerous high-profile breaches having been reported this past year.

Although many IoT devices offer extraordinary benefits for improving patient outcomes, staff effectiveness and operational cost savings, they also bring with them new security risks. Instead of just targeting employees with sophisticated email phishing schemes, hackers now can exploit vulnerabilities in any type of connected device, right down to your light bulbs.

That’s why current cybersecurity best practices call for a multilayered IoT security strategy to mitigate threats and reduce risk. These seven steps can help organizations develop a comprehensive cybersecurity game plan and lower the odds of becoming the next headline.

Step 1. Know what’s on your network

Securing the network that supports IoT infrastructure begins with knowing what is running on it. If the network is any good, people will want to connect devices to it; that is, after all, the point.

Further, it’s no longer just information technology (IT) staff who are connecting devices via wired ports or wireless systems. Practically every hospital staff member is skilled enough to connect a device. In other words, no matter how hard an IT team tries to establish guidelines and procedures, someone will always connect something unexpected.

This makes modern network access control (NAC) solutions the first line of defense; the best of them offer granular, centralized, role-based management and network segmentation. Such solutions let policies be set on which devices or things can, and cannot, join a network, which data or applications they can reach, and who is permitted to manage or maintain them. Where a device supports it, identify it by something stronger than its MAC address, such as 802.1X with device certificates, because a MAC address is trivially spoofed.

Such solutions monitor connections around the clock and automatically quarantine anything that does not match a policy. At the same time, an alert about the quarantined device goes to the person assigned to handle it.

Quickly alerting IT is a vital capability, as it ensures that a human can swiftly permit the right people to gain access in support of the primary mission: meeting patient needs. For example, an IT team can determine whether a quarantine alert is simply a biomedical technician attempting to connect a new patient device or a suspicious activity that merits further investigation.

Step 2. Know the role of each user, device and thing

Controlling IoT access to a network requires controlling both the devices and the humans who connect them. To determine what type of access to give a person or an IoT device, it’s not as important to know what each one is as it is to understand what they do. In other words, it requires understanding the business aspect of why a person or device is seeking network access.

This may seem like a no-brainer, but it needs to be emphasized because a significant number of health care IT and facilities professionals are hired from outside the field. It’s important for organizations that fall under this category to work with their business counterparts to understand the role each connected user or device plays.

For example, IoT-enabled, smart hand-washing stations track clinician compliance with organizational hygiene policies. The data these stations collect is critical to tracing and mitigating infection sources before they become a hazard to patients or put an organization at risk.

On the staff safety side, an increasing number of building security systems include a smartphone-enabled duress app. This empowers clinicians to request assistance with a single touch.

Clearly, each of these IoT connection types requires the right role to ensure smooth, seamless and always-on network access.

Step 3. Infuse real-time intelligence to detect subtle changes

Security experts agree that no matter how well wired and wireless networks are secured, threats eventually will find their way in. In fact, recent reports show that more than two-thirds of breaches actually involve internal actors rather than external forces.

That’s why the most advanced defenses now include sophisticated analytics and machine learning. Such solutions spot changes in user or device behavior that often indicate an intruder has evaded perimeter defenses, whether the activity originates from inside or out.

So, if a smart hand-washing station tries to masquerade as a duress app, an AI-infused access control solution can detect this behavior faster than humanly possible and immediately deny network access while notifying both the appropriate IT staffer and facilities manager.

An even more advanced solution provides clear, understandable feedback to anyone attempting to use the compromised station, such as sending a text message to a station’s would-be user redirecting the person to an operational unit.
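The role-based admission, quarantine and behavioral check described in Steps 1 through 3, as an added Python example. This is not code from the original article and does not represent any vendor’s NAC product; the MAC addresses, role names, VLAN names, service endpoints and flow records are constructed for illustration.

```python
"""Toy role-based network access control (NAC) with a behavioural check.

Added example: the inventory, roles, segments and flow records are
constructed for illustration and do not describe any real product.
"""
from __future__ import annotations

from dataclasses import dataclass, field

QUARANTINE = "vlan-quarantine"


@dataclass(frozen=True)
class RolePolicy:
    segment: str                 # network segment (VLAN) the role is placed in
    allowed_services: frozenset  # "host:port" endpoints the role is expected to use
    managers: frozenset          # staff roles allowed to change the device's settings


# Step 2: what each device role does, and who may manage it (constructed).
ROLE_POLICIES: dict[str, RolePolicy] = {
    "infusion_pump": RolePolicy("vlan-medical", frozenset({"pump-server:443"}), frozenset({"biomed"})),
    "handwash_station": RolePolicy("vlan-facilities", frozenset({"hygiene-analytics:443"}), frozenset({"facilities"})),
    "duress_app": RolePolicy("vlan-staff-safety", frozenset({"duress-dispatch:443"}), frozenset({"security"})),
}

# Step 1: the devices known to belong on the network, keyed by MAC address
# (constructed). A real deployment should prefer 802.1X certificates, since a
# MAC address is trivially spoofed.
INVENTORY: dict[str, str] = {
    "00:11:22:33:44:01": "infusion_pump",
    "00:11:22:33:44:02": "handwash_station",
    "00:11:22:33:44:03": "duress_app",
}


@dataclass
class Decision:
    mac: str
    segment: str
    alerts: list[str] = field(default_factory=list)


def admit(mac: str, inventory=INVENTORY, policies=ROLE_POLICIES) -> Decision:
    """Step 1: place a connecting device in its role's segment; anything not in
    the inventory goes to quarantine and IT is told so a human can decide."""
    role = inventory.get(mac)
    if role is None or role not in policies:
        return Decision(mac, QUARANTINE,
                        [f"IT: unknown device {mac} quarantined; confirm with requester"])
    return Decision(mac, policies[role].segment)


def check_flow(mac: str, dest: str, inventory=INVENTORY, policies=ROLE_POLICIES) -> Decision:
    """Step 3: a known device reaching a service outside its role's baseline is a
    behavioural anomaly (e.g. a hand-washing station calling the duress
    dispatcher): deny access and notify both IT and facilities."""
    role = inventory.get(mac)
    if role is None or role not in policies:
        return admit(mac, inventory, policies)
    policy = policies[role]
    if dest in policy.allowed_services:
        return Decision(mac, policy.segment)
    return Decision(mac, QUARANTINE, [
        f"IT: {role} {mac} contacted {dest}, outside its role baseline; access denied",
        f"Facilities: {role} {mac} taken offline pending investigation",
    ])


def may_manage(staff_role: str, mac: str, inventory=INVENTORY, policies=ROLE_POLICIES) -> bool:
    """Step 2: only staff whose role is listed for the device's role may change
    its settings."""
    role = inventory.get(mac)
    return role in policies and staff_role in policies[role].managers


def evaluate(flows: list[tuple[str, str]]) -> list[Decision]:
    """Run the behavioural check over a batch of (mac, dest) flow records."""
    return [check_flow(mac, dest) for mac, dest in flows]


if __name__ == "__main__":
    # Constructed flow records: two normal, one anomalous, one unknown device.
    sample_flows = [
        ("00:11:22:33:44:01", "pump-server:443"),
        ("00:11:22:33:44:02", "hygiene-analytics:443"),
        ("00:11:22:33:44:02", "duress-dispatch:443"),
        ("de:ad:be:ef:00:01", "pump-server:443"),
    ]
    for decision in evaluate(sample_flows):
        print(decision.mac, "->", decision.segment)
        for alert in decision.alerts:
            print("   alert:", alert)
```

The design point is that role, not device identity alone, drives every decision: the inventory maps a device to a role, the role fixes its segment, its expected destinations and who may administer it, and a deviation from that baseline is treated as an incident rather than as ordinary traffic.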

Step 4. Insist that your vendors improve device security

Historically, medical and facilities device vendors have focused on engineering their products to address health care and building needs with little or no regard for the security implications. Consequently, most are still well below IT networking standards, lacking, for example, the ability to generate, store and use encryption keys on the device.

This is where you, the IoT-enabled device purchaser, come in. By insisting, before making the investment, that vendors put networking best-practice security protocols on their development road maps, you challenge them to improve their solutions in order to earn more business.

In some cases, health care organizations may even be able to share with prospective vendors why they’ve selected a competing product.

The sooner users start insisting that IoT device manufacturers comply with security expectations, the faster we’ll see solutions to match.

Step 5. Change default credentials and passwords

Despite the fact that most high-profile IoT-related breaches to date have resulted from failing to change default credentials, it’s surprising how often we still encounter organizations that permit devices to connect via manufacturer-supplied user names and passwords.

Although many vendors now embed options that are more unique than classic “admin” and “password” defaults, know that all factory settings are documented — to enable users to receive help remediating a device — and, therefore, are easily found on the internet.

This does not necessarily require creating a unique user name and password for every single infusion pump or door lock. Instead, assign role-based credentials that follow today’s recommendations for length and character combinations, so that one set of credentials covers all infusion pumps or another device type. Be aware of the trade-off: a credential shared across a fleet must be rotated on every device whenever one unit is decommissioned, lost or suspected of compromise, so where devices support it, unique per-device credentials kept in a password vault are the stronger choice.

Additionally, only employees with the correct role, based on their login credentials and the device’s role, should be permitted to access device settings, all of which are then monitored by the sophisticated access control solutions already addressed.

Step 6. Remember, cybersecurity is really about people

No matter what technologies are adopted for securing IoT, people remain the most important priority. All of the sophisticated systems in the world won’t protect a network if someone places the credentials for a device on the unit itself or hangs a list of passwords on the wall in his or her office.

Most of the time, inadequate practices result from insufficient understanding. This makes training on IoT device security policies critical, as well as requiring regular review or recertification, for all staff members across all departments. Strict enforcement of security protocols is also key.

When training, one of the most important tips to give employees is to create prompts for passwords based on something they know, but others will not, and record only the prompt where it’s accessible. For example, the prompt “fishing trip” could relate to the password “B$gH0rnMTo9^2o^16.”

Once employees have created their lists of prompts and associated passwords, make sure they lock lists containing passwords in a drawer and never, ever, discuss them — either at or outside of work. Of course, they can keep their prompt lists handy for efficiency.

Step 7. Reassess and revise

Regardless of how thorough an IT department is at creating a comprehensive IoT security strategy, it should never be considered “complete.” Instead, the most secure organizations are those that continue to evolve their practices as new tools and recommendations emerge.

This doesn’t mean becoming a cybersecurity guru. Instead, savvy professionals leverage trusted resources to learn about the latest best practices and options. Simultaneously, they regularly scan their organizations for ways to improve.

Rick Reid is the health care solutions marketing manager at Aruba, a Hewlett Packard Enterprise company.