Healthcare Information Security

Cybersecurity News

GAO Finds Information Security, Privacy Key IoT Challenges

A recent GAO report says IoT implementation can bring potential challenges to organizations, including information security and privacy issues.

IoT implementation can bring information security and privacy challenges to organizations.

Source: Thinkstock

By Elizabeth Snell

- The Internet of Things (IoT) is increasingly becoming a popular option for healthcare organizations looking to improve communications and process more data. However, information security and privacy can be key challenges for numerous sectors, according to a recent Government Accountability Office (GAO) report.

Smart devices are being used in more areas, including fitness trackers or in GPS-based devices, GAO explained. These new uses drive the IoT push but there are also potential pain points that cannot be overlooked.

Along with information security and privacy, GAO noted that safety issues, technical standards, and economic issues could all bring possible challenges in the proliferation of IoT devices.

“By leveraging the interconnectedness of a network, the IoT device becomes ‘smart,’ meaning it can create, communicate, aggregate, analyze, or act on information, which can increase its value,” report authors explained. “The idea of connecting objects to a network is not new; however, recent advances in the underlying technologies for the IoT have allowed more objects to become interconnected.”

Technological benefits can include the following:

  • Miniaturized, inexpensive electronics
  • Ubiquitous connectivity
  • Cloud computing
  • Data analytics

READ MORE: Preparing Healthcare Data Security for the IoT Revolution

Information security challenges were the top potential issue GAO noted. A lack of attention in a device’s design process and the increase in cloud computing to provide greater connectivity can pose unique security challenges.

“Unauthorized individuals and organizations may gain access to these devices and use them for potentially malicious purposes, including fraud or sabotage,” report authors pointed out. “As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT products and services is also magnified.”

Proper safeguards must be implemented to prevent systems from being vulnerable to malicious threat actors, GAO added.

Denial-of-service (DoS) attacks, Distributed denial-of-service (DDoS) attacks, malware, and zero-day exploits are just some of the threats that organizations may face from insufficient IoT security.

IoT devices must be designed with software update capabilities as well, GAO stated. Citing recommendations from NIST, report authors explained that organizations should identify and correct information security flaws. Additionally they must install software patches and other security updates in a timely manner.

READ MORE: Survey Finds Cloud Security, IoT Security Potentially Lacking

US-CERT has also warned that IoT devices can be used to create networks of devices infected with self-propagating malware, according to GAO.

“US-CERT suggests that users should change default passwords and update IoT devices with security patches as soon as they become available,” report authors maintained. “This type of prevention can be difficult for IoT devices designed without a capability to upgrade software or ones that have to be manually updated.”

For privacy challenges, GAO explained that IoT products must respect consumers’ privacy and not inappropriately collect or misuse their personal information.

“IoT devices can involve extensive collection and analysis of detailed personal information, making it critically important that the privacy of that information is protected,” GAO stated, noting the Fair Information Practices (FIPs) as an accepted set of privacy and security principles.

“With respect to IoT devices, concerns have been raised about notifying individuals how their information may be used and allowing them to choose whether to allow its collection ensuring that once information is collected it will not be retained and used for unrelated purposes, and preventing unauthorized monitoring of individuals by aggregating information about them from multiple IoT data sources.”

READ MORE: IT Security Workers Expect IoT Cybersecurity Attack Increase

In accordance with FIPs, users should be notified of how their information may potentially be used, and then users’ consent must be obtained. However, providing notice and choice is extremely difficult in the highly connected IoT environment, GAO observed. Currently, there is “no consensus on how to resolve the problem.”

Some suggested methods, such as included offering notice and choice at point of sale, require consumers to take extra steps to learn about privacy and security. This “may not effectively reach many of the individuals whose personal information is being collected,” GAO noted.

“As a result, providing adequate notice and consent remains a challenge for many IoT devices and applications,” explained report authors.

Overall, IoT adoption will only continue to evolve and become more ingrained into the daily operations of numerous sectors, including healthcare.

“With the rapid global expansion of IoT, security and privacy measures become increasingly important to curtail its misuse,” GAO explained. “Although there is no single U.S. federal agency that has overall regulatory responsibility for the IoT, various agencies oversee or regulate aspects of the IoT, such as specific sectors, types of devices, or data.”

Entities that are utilizing IoT to reduce cost and improve efficiencies must maintain privacy and security throughout the entire process, report authors concluded. Even as IoT benefits can clearly be seen, the consequential results cannot be forgotten.

“Economic opportunities resulting from the IoT may be accompanied by disruptions that pose challenges to certain businesses and job categories.”


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks