Does IoT Increase Security Risks in Healthcare?

Healthcare is full of acronyms and jargon. IT is the same. Mix them together and you have a mess that is not unlike what you get with a 2-year-old in the same room as wooden alphabet blocks. On top of this alphabet soup are the technology myths that persist – like what really causes EHR slowness. It can be difficult for Healthcare IT newcomers and veterans alike to get a handle on.

That’s why we’ve teamed up with NETSCOUT – the technology leader helping assure digital business services against disruptions in availability, performance and security – to dispel the myths and unpack the jargon. Our goal is simple: we want to answer the Healthcare IT questions people have in their minds, but are afraid to ask.

In this first article, we are tackling the Internet of Things (IoT) with Ken Czekaj, Problem Solver [love the title!] at NETSCOUT.

How would you define IoT (simply)?

In my mind, if a device “communicates over a network”, it can roughly be considered a “thing” in this example. While we used to think in terms of desktops, servers, and WANs for basic communications, the concept of “networkable things” has really expanded to many possibilities: wearable technology, Vocera badges, nurse call systems, MRIs, robots, industrial PLCs, HVAC, security cameras, etc. The list is endless.

In 2019, PwC conducted a survey and found almost half (46%) of healthcare executives said their organizations were already actively using IoT. 54% of those executives pointed to improved operations as the main benefit they were seeking. What was truly interesting about that survey was that 90% of healthcare executives believed IoT benefits outweighed its risk, with the primary risk being data integrity and cybersecurity.

What are 1 or 2 practical use cases for IoT in healthcare?

I think some of the most interesting IoT technology uses are things that can work in tandem with a smartphone. Just the concept of a heart monitor (or any vitals tracker) that can gather useful data and then send those metrics to a smartphone app is tremendous.

Just about everyone has a smartphone, so technology that can leverage such a ubiquitous device opens the door of possibility for improved early warning, diagnosis, data samples, etc. and innovation that can improve patient outcomes. Of course, when I say smartphone, I don’t necessarily mean the one you and I use every day… there are plenty of smartphone-like devices that are purpose-built for the harsh hospital environment, like the ones from Zebra.

Another practical use case for IoT is asset tracking using Real-Time Location Services (RTLS). Here, assets like beds, wheelchairs, gurneys, etc. are connected to the hospital’s network, allowing staff to pinpoint exactly where a needed piece of equipment is. This technology is evolving quickly and now assets are sending much more than location information – they are sending information about their performance, whether or not they need to be cleaned, or in the case of beds, whether or not the patient has moved in the past hour.

For years, adding more devices onto a network meant increasing the points of vulnerability. More computers, more routers, etc. translates into more security headaches. As we get ready for an IoT explosion in healthcare, is this still a valid concern for healthcare organizations? Does IoT mean more security vulnerabilities?

There are two ways to look at this challenge. One, the increase of devices will increase the overall scope of your attack plane. More devices mean more versions of operating systems (OS), specific vulnerabilities per each individual OS, more points of entry to defend, more firewall rules and load, more locations to cover potentially, etc. A specific concern for IoT type devices is the potential for a device to be compromised, establish a command-and-control connection, and be used as an attack point remotely.

However, an organization with a defined and effective security policy can provide levels of protection against these vulnerabilities. It takes a business impact analysis, formal risk assessment, and security plan, with policies and procedures in production. From this perspective, an organization that already has this type of security posture in place will just add in “IoT vulnerabilities” to their existing perspective and landscape.

Security isn’t the only concern for IoT; there is also the issue of performance. Is it true more IoT = more load = more slowness?

IoT certainly can have a negative impact on load, performance and slowness, but it does depend on the implementation and networks, servers and applications installed as well. We do see IoT devices increase load and performance on DHCP / DNS / LDAP protocols and services, as these are used for IP address management, name resolution, and authentication services.

When the performance issues start at these basic pillars of networking, it can then impact the downstream applications as well: EMRs, PACS, ERP, specific patient care apps that leverage a Web Server, DB server, and App Server. The challenge then becomes isolating the issue to a context and “probable cause” quickly so that patient care is not impacted. That goal is always the priority for healthcare organizations that rely on technology in their patient care.

What can an organization do to mitigate the security and slowness risks?

My recommendation is to put “probability on your side” and prepare for these types of issues to arise, and they will arise. If your teams do not have a quick and easy method and platform by which to “see” the applications, network traffic, errors and performance, hosts involved, etc., then the risk of a patient-care-impacting situation is greatly increased. The first step in mitigating the risk is providing your teams the ability to “see” into the situation at hand with real data and information. Seeing, more commonly called “Visibility”, allows them to effectively “triage” the situation, assess the data, allocate resources, and take appropriate next steps for remediation. The mantra is all toward the goal of restoring service and not impacting patient care or outcomes.

What are 3 practical things a CIO of a hospital should do today to be ready for IoT?

I have always liked the concept of “hope for the best, and plan for the worst”. A bit of a pessimistic approach perhaps, but it allows me to start with the worst case and address the deployment in a prioritized approach. These are the types of questions I would consider addressing as it relates to IoT.

  1. What will the load impact be to my existing infrastructure? Things like network, bandwidth, load balancers, firewalls, wireless, servers, virtualization platform etc.
  2. How will I be able to address security and performance issues quickly and effectively so that patient care is not impacted?
  3. Are there new or existing areas of infrastructure, security, risk, data collection, policy, patient impact, etc. … that IoT will introduce or impact patient care?

How can NETSCOUT help?

NETSCOUT’s ASI technology is uniquely positioned to add value across many teams within a healthcare organization. The ASI is Smart Data and can be leveraged to provide necessary triage capabilities to application, network, security, clinical, telemedicine, unified communications, service desk, web, database, VDI/Citrix, and development teams just to mention a few. We also have incorporated technology from Arbor Networks that will block and mitigate Denial of Service & Ransomware attacks. For IoT specific use cases, the ability to block command and control capabilities from compromised devices is a tremendous value add to Healthcare executives.

Be sure to watch our full discussion on-demand as we unpack more Health IT myths and give straight answers to questions you’ve always wanted to ask.

About the author

Colin Hung

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat, one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.

   
