HC3 Provides Tips For Maintaining IoT Security in Healthcare

August 09, 2022 - In its latest analyst note, the HHS Health Sector Cybersecurity Coordination Center (HC3) outlined internet of things (IoT) security risks and mitigation tactics.

“Today, there are about 7 billion devices connected through IoT and it has been estimated that devices using this technology will increase 20 billion more by 2025. While IoT has existed for a while, advancements in technology have made it more practical and accessible,” HC3 explained.

As healthcare becomes increasingly interconnected, IoT devices have become crucial to workflows and functionality. But with those improvements come significant security risks. A recent SonicWall report observed a 123% spike in IoT malware attack volume in healthcare.

Any internet-connected device has the potential to be vulnerable to cyberattacks, the note emphasized.

“Additionally, adding IoT to an organization can increase the attack surface on which a company can be vulnerable if the network isn’t sectioned off into secure zones,” HC3 continued.

“Like all objects connected to the internet there are ways to help secure these devices ranging from good physical security and ensuring the firmware is updated regularly.”

Common IoT attack types include distributed denial-of-service (DDoS) attacks, man-in-the-middle attacks, and brute-force attacks.

DDoS attacks can flood a victim’s network with traffic, rendering network resources unusable and providing a distraction so threat actors can deploy malware elsewhere on their victim’s network. MITM attacks involve an attacker intercepting information being sent between two parties and using that information to steal or alter data.

Eavesdropping attacks rely on unsecured network communications and occur when an attacker deletes, intercepts, or modifies data transmitted between devices. Threat actors also have been known to execute brute-force attacks to gain network access when IoT device passwords are left unchanged.

HC3 provided numerous tips and tactics for security IoT devices, which will ultimately help organizations secure their entire system. The analyst note first recommended that organizations change default router settings.

“Most people do not rename their router and keep the manufacturer’s default settings,” the note explained.

“Make sure to change the privacy and security settings on new devices. Those settings typically benefit manufacturers more than the user.”

Additionally, organizations should always pick strong and unique passwords for each device and keep software and firmware updated by fixing new vulnerabilities as they emerge. HC3 also urged organizations to avoid using Universal Pug and Play (UPnP) since it makes it easier to network devices without additional configuration.

Organizations were also strongly encouraged to implement a zero trust security model, which assumes that nothing in or outside of the network can be trusted. Zero trust models can be extremely effective once administrators are able to limit the amount of people who require access to certain resources.

Lastly, HC3 urged healthcare organizations to implement network segmentation to prevent the spread of malware and to isolate IoT devices from other IT equipment.