- The Internet of Things (IoT) is quickly becoming integrated into the daily operations of numerous organizations, which means that entities need to keep IoT security a top priority, according to the US Computer Emergency Readiness Team (US-CERT).
Large segments of connected devices, sensors, or tags (i.e., labels or chips that automatically track objects) can be infected at one time, with unauthorized users accessing the information on those devices. Other computers could also be attacked through a botnet, US-CERT explained in a recent Security Tip release.
“This technology provides a level of convenience to our lives, but it requires that we share more information than ever,” US-CERT cautioned. “The security of this information, and the security of these devices, is not always guaranteed. Though many security and resilience risks are not new, the scale of interconnectedness created by the Internet of Things increases the consequences of known risks and creates new ones.”
IoT security can be improved by following a few key steps, the agency explained, which include the following:
- Evaluate your security settings
- Ensure you have up-to-date software
- Connect carefully
- Use strong passwords
Each of these steps can be applicable to healthcare IoT security as well. For example, US-CERT’s first best practice is for organizations to evaluate their security settings.
“Most devices offer a variety of features that you can tailor to meet your needs and requirements,” US-CERT stated. “Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk.”
With healthcare, this could be true in connected medical devices or mobile devices. Covered organizations should not “Frankenstein” medical devices, which could open create potential vulnerabilities. Furthermore, default security settings on mobile devices could be less secure.
OCR underlined this issue in its October 2017 Cybersecurity Newsletter, explaining that Wi-Fi, Bluetooth, cloud storage, or file sharing network services may be unsecured in their default setting.
“Access to information on mobile devices need not be limited to nefarious actions by malicious software, but could also originate from more mundane applications,” OCR said. “A seemingly innocuous mobile app or game could access your contacts, pictures or other information on your mobile device and send such data to an external entity without your knowledge.”
US-CERT’s second step urges organizations to have up-to-date software, which is also something that healthcare entities must follow. Outdated or unpatched software has been tied to certain malware or ransomware attacks.
The WannaCry ransomware attack from May 2017 targeted older Windows-based operating systems (OS), largely spreading through email attachments and malicious links. Failing to perform updates could leave organizations vulnerable.
Entities must also connect carefully, according to US-CERT.
“Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device,” the Security Tip statement said. Consider whether continuous connectivity to the Internet is needed.”
Earlier this year researchers found that WiFi Protected Access II (WPA2) handshake traffic could potentially be manipulated by attackers within range of vulnerable devices. All WPA2 wireless networking may have been affected, and simply changing the WiFi password was described as not being enough.
“Instead, you should make sure all your devices are updated, and you should also update the firmware of your router,” stated researcher Mathy Vanhoef of the imec-DistriNet group at KU Leuven. “Nevertheless, after updating both your client devices and your router, it's never a bad idea to change the Wi-Fi password.”
That case serves as an example as to why healthcare employees should not connect to open networks, especially if they are using a device that either stores ePHI or is connected to a network with ePHI access.
Finally, US-CERT’s advice of having strong passwords is also extremely necessary for healthcare organizations.
Having weak passwords, or even using the same password for multiple log ins could create security vulnerabilities.
A study published earlier in 2017 found that 73 percent of medical professionals have used another staff member’s password to obtain EHR access at work. Over half of respondents – 57 percent – also said they have borrowed someone else’s password an average of 4.75 times.
The study also found that 100 percent of medical residents said they obtained another medical staff member’s password with their consent.
“Unfortunately, the use of passwords is doomed because medical staff members share their passwords with one another,” researchers explained. “Strict regulations requiring each staff member to have it’s a unique user ID might lead to password sharing and to a decrease in data safety.”
Healthcare IoT security is exceedingly critical, especially as more providers are becoming interconnected. Entities must maintain strong cyber hygiene and ensure employees at all levels are properly trained on IoT security best practices.