According to the IDC IoT Global Survey 2019, European healthcare organizations see both security concerns and opportunities in the implementation of IoT projects. Internet of Things solutions in the healthcare environment can be used easily to secure environments, patients and workers within a complex, often big healthcare setting. Some examples include GPS location tracking of inventory and medical equipment, health facility security, fall detection sensors, and gas, fire or flood sensors.

However, IoT also poses security challenges, mostly because connected devices are often highly vulnerable, which makes them the weak links in the security chain: compromising a single device can be enough to give attackers a foothold into a hospital's data systems and its highly sensitive information.

Europe on Fire

European countries have not been immune to cybersecurity attacks in the past 20 years. Perhaps the biggest (or at least the best-known) was the WannaCry attack on the NHS in 2017, which raised an alert for the whole region and pushed C-suite decision making towards investments in cybersecurity. As a result of the raised awareness of existing cybersecurity threats and the enforcement of Europe-wide regulations around data privacy and security (e.g., NIS, GDPR), cybersecurity is ranked as the #1 investment priority across European healthcare providers, from West to East, with a louder emergency call ringing across France, Germany, and Eastern European countries (IDC Vertical Market Survey 2018–2019). However, despite the general attention paid to cybersecurity by institutions, national bodies, and healthcare system regulators, most of them fail to specifically address IoT security for the healthcare sector or to provide an in-depth analysis of the risks arising across the full spectrum of use cases the technology enables. This lack of guidance and regulation leaves the IoT healthcare market dangerously fragmented and exposed to risk.

Ariadne’s Thread

IDC has investigated European healthcare providers' approach to IoT security, and the analysis follows the so-called Ariadne's thread, as it leads back to what should be the very first step of security planning: a solid, enterprisewide strategy. Only 2% of healthcare providers in the region report that they have an enterprise security and risk management strategy for IoT in place. Although they handle highly sensitive information, more than half of health organizations display a rather opportunistic and reactive approach to IoT security. The typical approach is to implement security programs aimed mainly at regulatory compliance and to rely on internal staff resources to enforce them. However, European healthcare providers are aware of the breadth and complexity of the vulnerabilities their organizations are exposed to when implementing IoT, particularly around network, application, and data security.

Connected Health at Risk

The terrorist attack on the president's pacemaker shown in Homeland, the 2011 American thriller series, has become a cliché in the industry narrative, but it certainly introduced the topic of networked medical device security and showed how quickly and seriously individuals and organizations can be impacted. In late 2015, two researchers discovered through Shodan, a search engine for internet-connected devices, that a number of healthcare devices accessible online still ran Windows XP, the retired Microsoft OS that no longer receives security updates. The growing adoption of networked medical devices, from smart pumps to MRI scanners to implantable sensors, represents a direct risk to organizational IT systems and to the patients who rely on the correct functioning of those connected devices.

So What?

At the DEF CON hacking conference, an immersive hospital setting complete with hospital rooms and a full complement of medical gadgets was created to let ethical hackers test the devices, paving the way to the development of new security standards for medical devices. A growing number of medical devices on the market can now send and receive sensitive patient data, and without appropriate security measures they can easily be left vulnerable to an attacker trying to harm patients or to use the device as a portal into medical data and other information. The "hack-before-it-gets-hacked" approach is consistent with the present threat landscape, but it can only be one piece of the puzzle. Healthcare organizations willing to invest in IoT should approach security by design, avoiding one-size-fits-all solutions and establishing a solid framework of policies that manages security, risk, and access to their organizational assets consistently and coherently. To this end, the selection of the right partners and vendors is key, as they can be critical in supporting the establishment of data governance, risk management, and compliance policies that are applicable to, and aligned with, organizational needs.