[BreachExchange] Keeping Patient Information Secure When Implementing IoT
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Mar 14 19:21:05 EDT 2016
http://www.healthitoutcomes.com/doc/keeping-patient-information-secure-when-implementing-iot-0001
Executive Summary
Healthcare is quickly becoming one of the leaders of Internet of Things
(IoT) technology due to the wide assortment of connected medical devices.
According to research conducted by MarketResearch.com, the healthcare
segment of the IoT will be a $117 billion industry by 2020.1While IoT may
seem like a great benefit to the world of healthcare it does not come
without its own problems.
One of the biggest IoT problems is security and, as a result, the FBI
issued a statement concerning the vulnerability of healthcare IoT devices.2
Without a focus on security, the implementation of each additional IoT
device increases the risk of a malicious attack which could cost healthcare
organizations millions of dollars in fines and lost revenue.
There are several steps organizations need to take to improve the security
of both their devices and network to prevent malicious attacks. Many of
these steps are simple to implement and will greatly impact security.
Healthcare organizations and equipment manufacturers would benefit to take
the extra time to ensure they take every precaution available to ensure
their devices are secure and prevent malicious intrusions.
IoT And Healthcare
IoT brings connectivity and new features to devices that were not
previously connected allowing for a new paradigm within the technology
sector as it allows devices to generate data and be controlled like never
before. IoT is destined to be a major force in the world of healthcare as
there is a wide assortment of devices utilized throughout the industry that
can be outfitted with smart technology from bandages to pace makers.
IoT will be a major driver for change and growth throughout the industry as
it will change the way practitioners care for their patients. IoT is also
expected to be a major expense for organizations as research firm
MarketResearch.com predicts that the healthcare segment of IoT will be
valued at over $117 billion by 2020.1
The Importance of Security
Security of information is an important business aspect for companies
operating in every industry. Information security is especially important
to organizations operating within healthcare due to the sensitivity and
value of patient data. Healthcare organizations have a large amount of
information about their customers including payment information, social
security numbers, home address, and potentially much more. This means that
healthcare organizations have more information on their customers than
virtually any other industry.
Due to the sensitivity of this data, there are a large number of
regulations involved. One of the biggest regulations is the HIPAA Breach
Notification Rule stating that any patient information breach that includes
the information of over 500 customers must be reported to media outlets and
the state secretary within 60 days. This can greatly tarnish the
organization’s reputation in addition to the ensuing financial
repercussions.
One of the most well known healthcare data breaches came in January of 2015
with the breach of Anthem Blue Cross Blue Shield. This breach was enormous
in nature as it featured the information of up to 80 million current and
former members of Anthem health plans. There was a large amount of
information obtained by the hackers including victims’ names, dates of
birth, Social Security numbers, healthcare ID numbers, home addresses,
employment information, and income data.3
Data breaches can also affect smaller institutions such as hospitals as
well. University of Washington Medicine recently settled with The U.S.
Department of Health and Human Services for a data breach that occurred in
2013 of over 90,000 patients. The settlement cost University of Washington
Medicine $750,000 in addition to harming its reputation.4
While there have not been any documented cases of an attack on a medical
device within a human, several lab tests have proved that IoT devices can
be attacked while operating within a human. Researchers at the University
of South Alabama were recently able to hack both a pacemaker and insulin
pump on a state-of-the-art patient simulator. The students were able to
successfully kill the iStan patient simulator by adjusting the pacemaker
and insulin pump proving that, in the right, situation it would be possible
for a hacker to kill someone by exploiting security loopholes in healthcare
devices.5
Guidelines For Keeping Patient Information Secure
Best Practices
The recommendation of ensuring the utilization of good network security
practices is something that should go without saying but is frequently
overlooked. When designing a network, ensure the implementation of security
best practices throughout the network. This includes the basics such as:
use strong passwords, keep equipment up to date, do not leave unutilized
network drops active, and separate traffic onto different vLANs.
Security Patches
Always make sure devices are kept up to date with the latest security
patches. Typically, when manufacturers become aware of a security loophole
in one of their products, they release a patch that can be easily
downloaded and installed to fix the issue. However, the problem in this
scenario is that many times security patches are either forgotten or
ignored resulting in easy exploits. Typically, hackers learn how to exploit
the loophole from the information published along with the patch. This
makes it especially easy for hackers to compromise a device they find that
is yet to be patched. In addition to staying up to date with security
patches it is critical to not utilize systems that no longer receive
security patches such as Windows XP.
Changing Default Passwords
One of the easiest ways to improve security is to change the default
password. Almost all devices, especially when working with IoT devices,
come with predefined accounts and passwords so the consumer can easily set
up the equipment. However, changing the default password or deleting the
premade account is frequently forgotten resulting in an easy to exploit
loophole. This is problematic as potential hackers can look up the product
documentation online and easily determine the default administrator
credentials intended for initial setup. This allows the hacker to access
anything they want with the device from stored information to adjusting the
equipment to not behave in an intended way.
Disable UPnP On Routers
Another major concern for security comes from Universal Plug and Play
(UPnP). This feature was originally built into network equipment to make it
easier for devices on the same network to discover each other to share
information. While this sounds like a very nice feature to have, it can be
very problematic as it opens devices up to attacks originating over the
internet that take advantage of this standard. Since this is not a feature
that will be frequently utilized in a major corporate environment such as a
hospital, it is best to ensure that UPnP is disabled on all devices to
prevent a potential security loophole.
Isolate IoT Devices On Their Own Networks
Another good practice when implementing IoT devices is to separate all of
these devices onto their own network. This creates an added layer of
security in the event that an IoT device becomes compromised. A large
amount of IoT devices do not contain or transmit important information but
function as an easy access point for attack as many IoT devices do not have
the same level of security that can be found on traditional networked
devices. Segmenting these devices to a separate network means that, even if
an attacker was able to infiltrate a device, they would not be able to see
what information is being transferred among devices on other networks. This
helps to ensure that information stays secure even in the event of an IoT
device being compromised.
Staff Education
One of the most important aspects of network security is to ensure that
Staff is adequately trained to recognize potential threats. Typically,
humans are the weakest link in the system so ensuring they are well
educated is a crucial step toward maintaining network security. A staff
education plan is essential to preventing potential social engineering
problems such as phishing attacks. Clinical staff should also be informed
on how to check for potential security updates on the devices they
frequently utilize and to contact the appropriate staff for applying
updates.
Conclusion
When analyzing network security and implementing IoT devices many of the
steps to improve security are not ground breaking, or even hard to
implement. Many of the best practices are nothing more than crucial steps
to not be overlooked to ensure that every potential exploit is covered.
While there are some more complex methods that can be implemented to ensure
that the network stays secure these recommendations are typically easy and
proven to be effective.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160314/7d925a1d/attachment-0001.html>
More information about the BreachExchange
mailing list