Healthcare Security in an ‘Internet of Things’ World

January 7, 2016 conduentblogs

By Ken Bradberry

Ken Bradberry
“I look to influence new technologies … as well as identify potential risks to healthcare.” – Ken Bradberry, chief technology officer, Commercial Healthcare.

The Internet of Things, or IoT, could very well become the “Internet of Stings,” if you lack a well-designed security program.  It’s a fun play on words, but getting stung by a security breach is becoming all too common in an increasingly hostile Internet environment.

One summer I accidentally ran into a beehive, sending a mass of uncontrollable and ill-tempered bees everywhere. It was a lot like how a security breach can disrupt your business, healthcare operation, community and even your household.  The Internet of Things has the potential to increase the threat to healthcare operations to an exponential level.

The Internet of Things refers to the ever-growing network of physical objects that feature an IP address for Internet connectivity.  These objects or “things” can include appliances, wearable devices, sensors as well as medical devices and equipment. Their IP addresses allow them  to communicate with other Internet-enabled devices and systems.   Intelligent modules that can be installed in an almost infinite number of ways have proliferated. These devices can offer interactive functionality and collect and stream a variety of data depending on the type of device.

In a recent Forbes article, “Top 10 Healthcare Predictions for 2016,” Frost & Sullivan experts and thought leaders made this prediction:

“Healthcare IoT solutions spur $10 billion in venture capital investments for start-ups

“The startup environment in healthcare is being reinvigorated by a wide spectrum of early stage companies looking to bring their IoT expertise honed in other industries to healthcare. With a focus on “disruptive” business models, these companies are looking to help tear down outmoded forms of care delivery and deploy approaches optimizing new tools and technologies.”

The Beehives that Lurk in Healthcare IT Networks

As a healthcare CTO, I look to influence new technologies, determine how to implement and develop interoperability architectures, as well as identify potential risks to healthcare.  One of our responsibilities in healthcare IT is protecting the patient’s information; Electronic Personal Health Information has been my focus since deploying the first electronic medical record systems for hospitals. Patients’ personal health information continues to be a primary design issue today.

The Internet of Things actually has been happening in hospitals for years. For example, smart patient rooms connect the patient and family to the caregivers, electronic medical records and other cloud-based resources.  Networking new devices is an ongoing initiative at most healthcare organizations.  However, interoperability can be difficult and can expose a network to new security vulnerabilities and additional risk.

One example was the push for clinical engineering departments that manage the wide variety of medical devices, such as smart infusion pumps or portable patient monitoring devices.  The challenge is to securely deploy devices that have just enough intelligence to be useful, with little to no enterprise management capabilities.

Our beehive grew when the “Bring Your own Device” (BYoD) evolution brought unmanaged devices accessing e-mail and other applications onto our networks. More than simple enterprise messaging, healthcare IT departments are challenged to secure smartphone operating systems, and ensure that network and personal health information are protected.

The BYoD devices are now a small part of the potential inventory of nodes that can be networked with Internet of Things. These devices represent an immense target for attack. These points of access must be managed, protected — and protected against.  Because we cannot control the quality of the operating systems or the code that runs these devices, IT organizations must increase their vigilance when allowing these devices to access or extract data.

The Security Breach that Shuts You Down

Consider security breaches that take the form of Distributed Denial of Service Attacks.  There several methods used to launch these attacks, one of more dangerous methods is the use of malicious botnets.  These botnet attacks are caused by a group of computers that run repetitive tasks designed to flood your network with malicious data, causing your network to overload, and performance to degrade or services to shut down all together.  Imagine  a scenario with a million compromised IoT devices. That’s a lot of angry bees.

It appears terrorist groups, like ISIS, engage in hacking of this nature, and at a massive scale according to a recent International Business Times article:

“A smartphone app used by Islamic State (Isis) to spread news and propaganda … was potentially the source of a botnet created to perform a massive DDoS (distributed denial of service) attack on root name servers. A more powerful attack in the future could cause significant disruption to internet services and could even temporarily take down the internet.”

Protecting your organization against a compromised Internet of Things will require innovative approaches. But it’s also critical that we get the basics down cold. Reducing your network attack surface, and ensuring your organization has a well-designed and thoughtful security strategy is essential.

The smart information security chief knows that the “beehives” on the network are here to stay. It’s really a question of assuring our networks run automated workflows, give us quick access to critical information, and more.  This is accomplished with enforceable security policies and monitoring solutions that focus on vulnerabilities, configuration assessments, malware defenses, as well as activity and event monitoring.

Subscribe to this blog and receive email updates when we publish a new article.

About the Author


Previous Article
Design an Effective Learning Strategy
Design an Effective Learning Strategy

7 vital questions that define whether your learning strategy supports your organization’s goals.

Next Article
Our 2016 Resolutions for eDiscovery, Part 1
Our 2016 Resolutions for eDiscovery, Part 1

As we welcome the new year, it’s time for many of us to make resolutions. After consulting our crystal ball...