Can healthcare tackle IoT, medical device security challenges?

A large hospital can leverage thousands of connected medical devices, but locating and securing those vulnerable endpoints is an ongoing challenge for all providers. (Photo by Hristo Rusev/Getty Images)

Medical device risks are well documented and industry stakeholders agree that awareness around the importance of securing IoT and device infrastructure is at an all-time high. That said, progress on reducing these longstanding vulnerabilities and security gaps remains an uphill battle.

How then can the healthcare sector move past the awareness stage to make an actionable difference? Much like the complexity of the device infrastructure, the answer to medical device security is equally intangible.

At ViVE, Richard Staynings, chief security strategist for Cylera, explained that it boils down to the need to prioritize cybersecurity, supported by much-needed regulation and investments in security tools. Though some may scoff at the feasibility of regulation, “it gives people the kick in the backside to say, ‘Hang on, this is something we absolutely have to do.’”

Like most problems in healthcare cybersecurity, vendor noise is also becoming a nuisance by creating an environment of fear, uncertainty and doubt. Staynings explained there’s a serious need to stop with the “sky is falling” methodology and pushing their “solutions” or tools as a fix-all.

In reality, healthcare entities need to get back to the basics, understanding and quantifying the risks and vulnerabilities surrounding devices. Staynings noted there are static lists of known vulnerabilities, as well as vendor-generated reports on security flaws found as a result of their work on other hospital systems and a real-time approach to analyzing network risks. 

“It’s almost impossible to resolve all of the vulnerabilities and all of the risks that are present across your entire medical device ecosystem,” he added. Instead, the goal should be to prioritize those with the greatest potential to impact patients and put into place compensating controls like micro segmentation, while working with vendors to get needed patches.

In short, providers should be certain they’re aware of medical device risks, what assets connect to their network, and the “magnitude of the risks of each of those device types that attach to their network.” Only then can providers prioritize patching and tackle the issue bit-by-bit.

It’s not an easy problem to solve, but putting the right technologies in place that support strong asset inventory, “rather than a manual spreadsheet, which is inherently out of date,” can drive security improvements across the enterprise.

The other side of the coin is that vendors need to understand the risks in their devices, actively looking for vulnerabilities and making patches quickly available to providers to address known issues.

Making the right investments

“The big issue with healthcare is every dollar you spend on security is not being spent on patient care,” he added. That means provider organizations need to answer tough questions on whether failing to invest in needed measures is a disservice to patients by “denying or delaying a service to them because of lack of funds.”

More importantly, are the lack of security investments putting patients’ lives at risk by “subjecting them to undue patient-safety risks as a result of inadequate cybersecurity controls? And that’s an equation of balance that I think the profession needs to get a better grip with,” said Staynings.

Christian Dameff, MD, an emergency room physician at the University of California San Diego Health, shared similar sentiments at Infosec World in November, noting that even when hospitals invest further in cybersecurity, the funds aren’t used for key items that would actually reduce patient-safety risks. 

As it stands, far too many hospitals have poured “major outlays of cash” on “pork barrel projects,” said Staynings. Though high profile, with many obtaining the desired high-level of support, these projects end up “distracting the organization from clinical or cyber risks that they need to be concerned about.” 

“It’s about understanding that balance and looking at the holistic approach,” he added. Because, without tangible assessments to direct investments at the risks most pressing to patients, even those entities making investments in security are failing to use those funds in ways that would actually improve risk posture.

The investment challenges facing security are just a small part of the overall efficiency issues seen across the healthcare system. The sector has implemented some of the most innovative technologies across all sectors, and yet “40% of the population don’t have access to health services,” said Staynings.

“We’ve developed a Baroque system of healthcare in this country that really started after the second World War,” he continued. “We’ve never really sat down structurally and designed it for the 21st century. We spend far too much money on healthcare here. And we have the most expensive healthcare in the world, and some of the worst patient outcomes.”

To move forward, there’s a need to tailor the cybersecurity specific budget portion, including use of automation and an overall consolidation of vendors, explained Staynings. There’s an overwhelming need for healthcare leaders to be smarter about purchasing decisions and prioritization of funds.

Healthcare entities wondering how to prioritize should lean on free resources like the NIST Cybersecurity Framework for a holistic approach to the problem. These insights can confirm to providers that they’re “not spending all of their money on the world’s most impregnable front door,” said Staynings.

Ideally, it would also allow for leftover funds to “put window locks on the building and to make sure the rattly lock on the back door is replaced,” he added.

Communicating security ROI to the board

While difficult, it’s possible. Staynings took note of the success story at Children’s National Health System. The former chief information officer surveyed click rates across the hospital, then coordinated the findings with the ongoing security, education, training, and awareness programs, which demonstrated security ROI to the board.

The program and needed investments were effective because the entire hospital workforce was aware of the problem. Employees didn’t “click on attachments, they didn’t open up emails from unknown senders, they didn’t go to [questionable] URLs,” he explained. “The threats that the hospital were exposed to were considerably reduced.”

The program is a success story for how to demonstrate to executive leadership the “direct correlation between risk and investments.” To Staynings, this type of communication and overall culture building can translate to how those in the cybersecurity space can improve current methods — and struggles — with attempting to obtain needed investments.

At the end of the day, security leaders must show the value of investments to those in decision-making positions to demonstrate the value of security across the enterprise.

“It comes down to a structured approach,” said Staynings. Providers need to look at all available risks and be able to quantify it, then automate the remediation of those risks. “We’ve got AI out there, we’ve got machine learning out there. We can use these tools for the next generation of security and medical applications to make our lives easier.”

“It’s a slow journey. We’re not there yet by a longshot, and there are a lot of setbacks,” he concluded. “We’re trying to progress, and go back to fix a lot of these problems, at the same time we’re layering on new technologies.” With new requirements for interoperability, we’re continually moving barriers. It’s a question of maintaining focus on some of the small things.”