IoT Security Risks – How to Make Sure Your Patients and Your Organization are Safe

There have been so many talented people solving problems and finding new and easier ways to do things in healthcare recently and it is amazing! The world of healthcare is full of individuals that are always seeking improvement. How do we reach more patients? How do we make our clinicians’ lives easier? How do we ease this pain? And who among us doesn’t enjoy getting to break out and play with the latest innovations in healthcare? The Internet of Things (IoT) is one of many great additions you can make to your organization. IoT helps your organization be more patient-focused as it makes it easier for your patients to access what they need while also making the care more affordable.

But with each new technology and innovation that we adopt in our organization, there is one truth that we must keep in mind. The internet is a scary place full of security threats, and every tiny little change you make to your organization must be coupled with re-working your cybersecurity to stay safe. So to make sure we keep our organization and patient information safe, we reached out to the amazing and beautiful Healthcare IT Today Community to learn more about what security measures to look into for IoT.

This is what they had to share with all of us.

Scott Stuewe, President and CEO at DirectTrust

As Internet of Things (IoT) devices are connected to systems by way of the Internet, they represent fundamental security risks. If manufacturers don’t pay close attention to how these devices identify themselves and authenticate to systems they connect to, hackers can easily infiltrate systems by impersonating the devices. Once hackers have crossed the threshold through these connections, it is then possible for bad actors to frequently traverse enterprise systems, therefore, exposing sub-systems that may be poorly protected behind a firewall.

Devices provide a special challenge since hackers can often obtain the device they are looking to hack and disassemble it to examine its inner workings. It’s critical that a device manufacturer’s strategy include the fact that their device itself may be hacked and mitigating that risk, or the result could bring dire ramifications to the end user.

Fred Pinkett, Senior Director, Product Management at Security Innovation

Meeting the new FDA requirements for medical device security will take more than just network security, it requires security upgrades in all aspects of systems, including their software. Organizations need an understanding of the regulatory scope, threat landscape, most-exploited device vulnerabilities, and steps to take to increase product cyber resilience.

EHR data is a prime target for cyber attackers, as it includes personal data and medical data that can be resold and used to perpetrate financial fraud, extortion, medical billing fraud, and illicit access to medication. Insecure medical devices can also be exploited to hurt patients and damage institutions.

To keep pace with a constantly changing threat environment and the latest software security developments, companies need real-world insight into the threatscape to give their people the tools, services, and training needed to secure products, analyze code and equip team members. Having an experienced partner who continuously monitors emerging technologies, threats, attacks, and controls is critical to securing medical devices and software.

Lee Barrett, Commission Executive Director at DirectTrust

The Internet of Things (IoT) has undoubtedly helped healthcare organizations deliver high-quality, more patient-centric, and affordable care. However, by introducing these various internet-connected devices into a healthcare environment, hospitals and other provider organizations have exponentially increased the level of connection points, which in turn raises the level of threat vectors and heightens the risk of compromise or breach.

As a result, cybercriminals have been increasing their sinister efforts at finding new points of penetration to gain access to patient data – most notably, when it comes to attacks aimed at medical devices and BYOD protocols. Cybercriminals can strike when a provider’s employees, through their cell phones or tablets, connect to an EHR system, informatics, or data exchange, unintentionally or intentionally infecting the organization’s enterprise infrastructure with malware.

Earlier this year, the FDA announced that it will begin to refuse medical device submissions over cybersecurity reasons beginning Oct. 1. This is a good step forward in protecting these devices and the patients they serve. At a bare minimum, hospitals and other provider organizations should not diminish their level of rigor of third-party entities. They should be evaluated and reviewed holistically while also ensuring industry standards are met for adhering to HIPAA requirements, mitigating cybersecurity risks, and assuring that all portal and exchange connection points are secured – this includes critically assessing and reviewing medical devices and BYOD protocols within their security frameworks as they present a significant set of data security challenges. Failure to do so can bring devastating consequences.

Kyle Neuman, Director of Trust Framework Development at DirectTrust

Medical devices, just like humans, need to identify themselves on the internet like everything else. That is the foundation of Zero Trust. Authoritatively knowing that a particular medical device sent a particular set of information about a patient is valuable, as well as authoritatively knowing which medical device is associated with a particular patient. However, protecting the confidentiality of information originating from and being sent to medical devices is paramount.

Each of these use cases can be applied to both people and medical devices and they all require some form of digital identity. In order to have a digital identity that is interoperable across organizational boundaries, you need to have trust. Patients’ reliance on medical devices for delivering, monitoring, and otherwise supporting a patient’s healthcare journey is a trend that will only continue to accelerate. As that occurs, medical devices will need to have access to more information across more organizations.

This is not a new or emerging problem. Rather it’s the same problem related to healthcare interoperability applied to a growing set of actors. Digital identity and trust will play one of the central roles in making it a success.

So much to think about here! Thank you to everyone who took the time to leave us a quote and thank you to everyone who took the time to read this article! We would love to hear your thoughts and insights on this topic as well. Leave a comment down below or share this article on social media and check out what people are saying over there!

About the author

Grayson Miller

Grayson Miller (he/they) is an editor and part-time writer for Healthcare IT Today. He has a BA in Advertising and a Minor in Creative Writing from Brigham Young University. He is an avid reader and consumer of stories in any format they come in (movies, tv shows, plays, etc.). Grayson also enjoys being creative and expressing that through their writing, painting, and cross-stitching.

   
