- We oftentimes start these security articles with trends, an overview of what happened, and maybe a recent event revolving around cloud security or healthcare data security. The reality is that security has morphed into an ever-changing threat dynamic taking aim at services, users, applications, and now much more.
We’ve seen massive data breaches, lost physical devices, and malicious acts carried out by individuals and even nation states. But let’s point out one incident which happened very recently, one that really shines a light into what the future security landscape might look like.
On October 21, 2016, we experienced the single-most impactful DDoS attack ever recorded in history. The attack, regarded as extraordinary, measured roughly 1.2Tbps in strength as it took aim at Dyn DNS services across the entire world.
The attack was more than twice as large as any previously recorded DDoS attempt. What made this special? The attack source.
IoT devices – about 100,000 of them – generated a massive volume of attack traffic. These were CCTV installations, refrigerators, and other IoT-enabled devices.
This is our future, where the attack vector will range from IoT devices, to physical security threats – like drones.
Cloud services will have similar threat challenges. We know that this technology will only continue to pick up as more organizations find more use-cases. However, even with growing cloud security, it’s all about how we secure our workloads that will make all the difference.
Gartner recently stated that through 2020, 95 percent of cloud security failures will be the customer's fault. That means the cloud will be inherently secure, but our configurations and workloads will be at risk.
That said, it’s important to examine all of the new types of devices and technologies connecting into your healthcare ecosystem. And, most of all, understanding how to prepare for an IoT-connected healthcare world will help with patient services and improve security.
Let’s examine five key steps to securing your IoT healthcare strategy:
What is your “connected” thing?
There’s not enough article space here to define all of the different types of connected devices out there. However, what are you using? Or, what are you planning on using? Are these Bluetooth beacon devices? Maybe they’re connected bracelets? We’re seeing more applications for connected devices helping with workstations-on-wheels and even patient services. And, more tech is being developed daily. For example, a new wearable tech company, Recovery Force, just got FDA clearance to market its new Active Compressions IoT device. Basically, an intelligent device that helps prevent blood clots and improves poor blood circulation. No hoses, no motors, no pumps, no noise, and no power cords. This same organization already has other technologies addressing key needs of endurance athletes, consumer pain, and even elite war fighters who need to recovery faster. This is the future of healthcare – with devices which are smaller, smarter, and a lot more useful. The big point here is to identify the types of devices you’re using, and even work to forecast other devices you plan on bringing into your ecosystem.
What data is it creating or using?
OK, at this point you know which devices you have within your network and how they can help. Now, it’s critical to understand what type of data these devices create, where it’s being stored, and potentially – which data points the devices might be requesting access to. Don’t settle for default settings. It’s critical to understand the flow of data and how it’s all passing through your network. You can absolutely create secure wireless connection points that are isolated for IoT devices. If your device houses sensitive information, track the device at all times. The last thing you want is a key piece of equipment “walking” away. Take the time to truly understand all of your connected devices and how they interact with the data in your healthcare environment. Also, take the time to know what type of data the device creates and what it needs access to.
Where is the data being stored and who has access?
Similar to the previous point, you can create powerful silos of data specifically designed for your IoT devices. You can create customized storage zones and repositories ensuring very granular policies. For example, ensuring that shared device data never leaves a city, region, or even a specific hospital. IoT data can be benign and simple, or it can be very complex and have specific patient details. As you work with this information, make sure to contextually control access into the data. This means understanding user groups, location-based access, and advanced user rights. There are great ways to control the flow of information from your devices. Furthermore, wireless access technologies and security systems now have beaconing and device tracking capabilities. For example, the Cisco Meraki platform can set up advanced Bluetooth beacons that help track connected devices throughout the entire facility. Look for systems which can help you track and control the physical movement of devices, and the data they leverage.
How are users, employees, or associates interacting with the data and the connected thing?
Honestly, this should probably be the first item in the list. How will users, patients, or associates be interacting with your device? Know their habits, how they’ll use the IoT tool, and where there are gaps in the process. Once you understand user interaction, you can design around security. Most of all – you’ll be able to also design around user experience. Yes, you want to lock down the device and the data it uses. However, you don’t want to create a highly negative user experience either. You can be as secure as you like, but if you create poor user experiences, no one will use your IoT devices. Worse yet, you might create security gaps. Learn your users, their behaviors, and how they’ll be using the IoT device. From there, build your device security strategy.
How much visibility do you have into your connected things? What about management?
It’s simple – you can’t manage what you can’t see. Constant visibility into your connected devices will be a must. The last thing you’d want is IoT-sprawl. That’s right, there will be a point where you’ll be hearing that phrase more often. For now, create a good visibility and management ecosystem for your connected devices. Using an earlier example, systems like Meraki not only track certain types of devices within your ecosystem, they’ll also let you know when they’re about to walk out the front door. The point isn’t for your IT admins or security professionals to constantly monitor the screen. Rather, set up proactive alerts and monitors to allow your security infrastructure to work for you.
Challenges around security aren’t going anywhere. But, that shouldn’t stop you from innovating and creating improved healthcare services. In fact, the future of advanced patient services revolves around technology and our abilities to respond faster. However, in creating a security strategy, simply make sure you account for all of the connected devices within your network.
There are powerful mechanisms that will help you with constant vulnerability testing, ensuring your devices are up-to-date, and even spotting rogue devices within the ecosystem. This includes IoT devices.
Finally, work with good partners who can help you visualize your network ecosystem and all of the devices connecting into it. From there, lock down your data points and continue to test against vulnerabilities. IoT will be a powerful tool for healthcare, just make sure to wrap good security policies around the entire strategy.