Vinay Sridhara
Healthcare organizations must keep watch over IoT devices – COVID-19 tracing apps and other medical devices at risk
October 09, 2020
By Dr. Vinay Sridhara
Few technology trends are growing as fast as the Internet of Things or IoT, but incredible IoT growth can also represent an organization’s worst cybersecurity nightmare if not properly handled. In fact, many organizations that utilize IoT devices are finding they may not have the necessary security measures in place to monitor for device vulnerabilities and potential breaches. While a recent KPMG survey of 750 tech leaders predicts that IoT will lead to the next indispensable technology, a Ponemon Institute and Shared Assessments survey suggests that 76% of risk professionals believe that cyber-attacks are likely to be executed through an organization’s IoT devices.
When it comes to medical IoT devices, the consequences are especially chilling for both patients and healthcare professionals. Simply put – more connected medical devices mean more attack vectors and greater exposure to attack.
Current use of healthcare IoT devices
IoT devices can communicate with each other, and can be remotely monitored and controlled. The healthcare industry has benefitted from IoT technology, allowing for better connectivity between medical personnel and their patients via sensors, wearables, and even equipment like wheelchairs and oxygen pumps.
Recently, we have seen an increase in attacks on these devices from rogue hackers and bots. According to the 2020 IoT Threat Report from Palo Alto Networks' Unit 42 threat security team, "as many as 83% of Internet-connected medical imaging devices are vulnerable. Many medical devices run legacy appliances and software, causing them to be out of date and thus more susceptible to attackers to exploit vulnerabilities.
Protecting IoT devices
While medical connectivity is a must in today’s world, healthcare organizations need to ensure they are protecting ALL of their IT assets, including IoT devices. Specifically, this means organizations must implement security solutions that scan and monitor their owned and managed IT assets and all third-party systems to detect vulnerabilities that could be exploited.
To properly defend tens or hundreds of thousands of assets, of all types, across hundreds of different attack vectors, an organization must be able to gather data from a wide variety of assets continuously. The problem is that IoT devices are not always tracked by traditional cybersecurity tools and are either left undiscovered or partially tracked by a collection of standalone tools.
How to maintain an accurate inventory of IT assets
Maintaining an up-to-date enterprise inventory system is very challenging. Enterprise assets frequently change with added and retired devices, physical machines migrating to virtual and various stakeholders constantly installing and updating software. Inaccurate inventory makes managing compliance and cyber-risk very difficult. Knowing what you are protecting is the first critical step in IoT security.
Modern tools can help with this issue and deliver relevance as they understand every detail of usage, configuration, and posture of assets in a network. Such tools can also measure the overall security posture of devices, ensuring that the riskiest and most critical assets are prioritized.
With proper tools in place, IT pros can practice the following steps that will allow them to have a close watch over IoT devices:
o Analyze the entire attack surface and calculate the business risk for every asset across the enterprise
o Identify vulnerabilities and risk across a broad set of 100+ attack vectors for all types of assets, including IoT
o Prioritize based on business criticality and other factors such as vulnerabilities, active threats, and your existing security controls
o Address and mitigate any possibility for cyberattacks preemptively with prescriptive fixes
IoT security is still a work in progress. Still, the more health organizations can have a holistic view of their assets, the better prepared they can be to handle the increasing numbers of attack vectors for traditional, cloud, mobile, and IoT assets. As IoT evolves, healthcare organizations can deliver great societal value, harnessing its power while carefully managing their implementation and ongoing cybersecurity.
About the author: Dr. Vinay Sridhara is the chief technology officer for Balbix.
Few technology trends are growing as fast as the Internet of Things or IoT, but incredible IoT growth can also represent an organization’s worst cybersecurity nightmare if not properly handled. In fact, many organizations that utilize IoT devices are finding they may not have the necessary security measures in place to monitor for device vulnerabilities and potential breaches. While a recent KPMG survey of 750 tech leaders predicts that IoT will lead to the next indispensable technology, a Ponemon Institute and Shared Assessments survey suggests that 76% of risk professionals believe that cyber-attacks are likely to be executed through an organization’s IoT devices.
When it comes to medical IoT devices, the consequences are especially chilling for both patients and healthcare professionals. Simply put – more connected medical devices mean more attack vectors and greater exposure to attack.
Current use of healthcare IoT devices
IoT devices can communicate with each other, and can be remotely monitored and controlled. The healthcare industry has benefitted from IoT technology, allowing for better connectivity between medical personnel and their patients via sensors, wearables, and even equipment like wheelchairs and oxygen pumps.
Recently, we have seen an increase in attacks on these devices from rogue hackers and bots. According to the 2020 IoT Threat Report from Palo Alto Networks' Unit 42 threat security team, "as many as 83% of Internet-connected medical imaging devices are vulnerable. Many medical devices run legacy appliances and software, causing them to be out of date and thus more susceptible to attackers to exploit vulnerabilities.
Protecting IoT devices
While medical connectivity is a must in today’s world, healthcare organizations need to ensure they are protecting ALL of their IT assets, including IoT devices. Specifically, this means organizations must implement security solutions that scan and monitor their owned and managed IT assets and all third-party systems to detect vulnerabilities that could be exploited.
To properly defend tens or hundreds of thousands of assets, of all types, across hundreds of different attack vectors, an organization must be able to gather data from a wide variety of assets continuously. The problem is that IoT devices are not always tracked by traditional cybersecurity tools and are either left undiscovered or partially tracked by a collection of standalone tools.
How to maintain an accurate inventory of IT assets
Maintaining an up-to-date enterprise inventory system is very challenging. Enterprise assets frequently change with added and retired devices, physical machines migrating to virtual and various stakeholders constantly installing and updating software. Inaccurate inventory makes managing compliance and cyber-risk very difficult. Knowing what you are protecting is the first critical step in IoT security.
Modern tools can help with this issue and deliver relevance as they understand every detail of usage, configuration, and posture of assets in a network. Such tools can also measure the overall security posture of devices, ensuring that the riskiest and most critical assets are prioritized.
With proper tools in place, IT pros can practice the following steps that will allow them to have a close watch over IoT devices:
o Analyze the entire attack surface and calculate the business risk for every asset across the enterprise
o Identify vulnerabilities and risk across a broad set of 100+ attack vectors for all types of assets, including IoT
o Prioritize based on business criticality and other factors such as vulnerabilities, active threats, and your existing security controls
o Address and mitigate any possibility for cyberattacks preemptively with prescriptive fixes
IoT security is still a work in progress. Still, the more health organizations can have a holistic view of their assets, the better prepared they can be to handle the increasing numbers of attack vectors for traditional, cloud, mobile, and IoT assets. As IoT evolves, healthcare organizations can deliver great societal value, harnessing its power while carefully managing their implementation and ongoing cybersecurity.
About the author: Dr. Vinay Sridhara is the chief technology officer for Balbix.