Policymakers, managers, and standards participants need to be properly informed and enabled to develop and use cybersecurity standards in IoT components, systems, and services, according to a NIST working group. Health IoT security and four other areas are key components discussed in a recent draft version of a report intended to guide approaches to IoT applications.
The Interagency International Cybersecurity Standardization Working Group (IICS WG) was established in 2015 “to coordinate on major issues in international cybersecurity standardization and thereby enhance U.S. federal agency participation in international cybersecurity standardization,” NIST explained on its website.
The draft report describes several IoT applications that are representative examples of IoT and also explains IoT cybersecurity objectives, risks, and threats.
“The proliferation and increased ubiquity of IoT components and systems are likely to heighten the risks they present,” report authors wrote. “Standards-based cybersecurity risk management will continue to be a major factor in the trustworthiness of IoT applications.”
“Through analysis of the application areas, cybersecurity for IoT is unique and will require tailoring of existing standards, as well as creation of new standards to address popup network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety.”
Along with health IoT security, IICS WG also reviewed connected vehicle (CV) IoT, consumer IoT, smart building IoT, and smart manufacturing IoT.
The Work Group explained that health IT security relies on controls that ensure the “confidentiality, integrity, and availability of patient information.” The systems supporting the use and exchange of that information must also be properly secured.
For health IoT specifically, patient privacy and cybersecurity safety threats need to remain a top priority.
“Medical devices and the IT networks they connect to are unique,” report authors stated. “In addition to data security and privacy impacts, patients may be physically affected (i.e., illness, injury, death) by cybersecurity threats and vulnerabilities of medical devices. This harm may stem from the performance of the device itself, impeded hospital operations, or the inability to deliver care.”
For example, failing to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in legacy devices can create confidentiality, integrity, availability, and patient safety risks.
There are, however, numerous challenges in health IoT security, such as manufacturers facing an economic penalty for ongoing cyberthreat management during a product’s lifetime.
The Work Group also highlighted the following challenges for health IoT security:
- The delivery of prompt, secure, and authenticated firmware and software updates to fielded systems
- The incorrect deployment of a device system that does not make full use of the features the system offers
- Funding shortages that allow unsupported devices to remain in service
- The unauthorized access to and modification of patient-identifiable information, including protected health information
Report authors explained that restricting logical access to the network and network activity is one key way to improve IoT security for numerous areas.
Restricting physical access to the IoT network and its components, protecting individual IoT components from exploitation, and preventing unauthorized modification of data will also be essential. Entities can also work toward detecting security events and incidents and maintaining functionality during adverse conditions.
Finally, recovery is also a key aspect to IoT security, the Work Group maintained.
“Incidents are inevitable and an incident response plan is essential,” report authors said. “A major characteristic of a good security program is how quickly an IoT system can be recovered after an incident has occurred.”
The Work Group’s best practices for improving IoT security also align with key steps the US Computer Emergency Readiness Team (US-CERT) released in 2017.
Evaluating security settings, keeping software up to date, connecting carefully, and using strong passwords will all be essential for organizations seeking strong IoT security measures, US-CERT explained.
“Most devices offer a variety of features that you can tailor to meet your needs and requirements,” US-CERT said. “Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk.”
For healthcare IoT security, monitoring the types of connections is crucial for connected medical devices. Default settings for Wi-Fi, Bluetooth, cloud storage, or file sharing network services could impact device security.
Keeping software up to date was also a key factor in the 2017 WannaCry ransomware attack, in which older Windows-based operating systems (OS) were impacted.
A HITRUST investigation also determined that MedRad (Bayer), Siemens, and other unnamed medical devices were infected in the WannaCry incident. Additionally, Indicators of Compromise (IOCs) “were identified within the HITRUST Enhanced IOC program well in advance of last Friday’s attacks.”
Healthcare organizations need to maintain IoT security as they implement and utilize new technologies. Connected medical devices and other tools can benefit patient care and improve workflow, but lackluster security measures could lead to data breaches or even hinder patient safety.