The Internet of Things (IoT) has revolutionized the way that healthcare providers track patient health, improve health outcomes, and increase efficiency. Connected medical devices range from ultrasound machines, thermometers, and glucose monitors to hospital beds that can provide additional insights into symptoms and trends. The switch to IoT devices in clinical care settings and patients’ homes shows no sign of slowing down, with the Internet of Medical Things (IoMT) market expected to increase to $158 billion in 2022, up from $41 billion in 2017.
Steps Towards Security
Securing connected devices isn’t as simple as one might think. On one hand, extra security protocols in a healthcare setting might slow down access to critical information. But on the other, a cybersecurity incident like a ransomware attack can cause a huge diversion of resources, breach of personal health information (PHI), and negative patient outcomes.
To get clinicians on board with cybersecurity protocols, it’s important to frame these protocols as safety measures. With such high stakes, any effort to protect medical devices must engage an organization at every level, including cyberattack simulations, organization-wide training, and cooperation from manufacturers and IT departments.
To get a firsthand account of what it’s like to protect medical devices in a clinical care setting, we spoke to Mike Taylor, ECS’ chief information officer aboard the USNS Mercy hospital ship based in San Diego. Mike leads a team that assists with IT engineering, IoT security, and medical logistics on the ship. This year, Mike’s responsibilities took on newfound importance when the USNS Mercy was activated to provide civilian care for COVID-19 patients at the start of the pandemic.
How does ECS manage and protect IoT devices on board the Mercy?
IoT is one of the things that we have pioneered in both the healthcare- and shipboard-related environments. We use a product called Forescout CounterACT as our network access control. In its current iteration, Forescout provides network discovery and controls all of the IoT and supervisory control and data acquisition (SCADA) devices that we have connected to the ship’s network. This allows our team to see everything, from a machine running Windows 10 to a wireless cardiac monitor, all the way down to vibration sensors in the engine room. We have visibility on anything that touches the network, regardless of form or function, allowing us to take action if needed.
What kind of impact would a compromised IoT device have on operations?
Because we are a hospital ship, we have unique circumstances. What one may consider a robust security presence, we have about triple that. If a device came to be infected with a virus like ransomware or other malware, that security event would trigger about six different levels of cybersecurity alarms.
First, the McAfee anti-virus software would clamp down on that machine so that the device can be disconnected from the network using Forescout while Cisco FirePOWER and Palo Alto screen traffic and content. An automatic vulnerability scan would then take place on all connected machines. Next, a solution from Varonis would identify which networks and shared resources that machine was touching—whether it had open shares, open email, or even Microsoft OneDrive—to determine what kind of contact the infected device had with our systems. This goes on until we can ensure that the threat has been contained.
In a way, the impact of a compromised device causes a pandemic-like response. Our team of IT operations personnel uses these solutions to conduct contact-tracing on the device, giving us a holistic view of the infection’s impact on our IT systems and allowing us to quarantine that device on the network. These proactive safeguards are the front-line defenses for patient data and safety, as well as mission-essential ship data. This layered defense protect against future attacks, making it less likely for a compromised device to have a negative impact on the network.
What steps should healthcare organizations take to protect IoT?
The first thing an organization can do to protect its IoT devices is to check in with industry standards and protocols for cybersecurity to see how they should move forward. Looking to healthcare organizations that are similar to yours in is a good way to benchmark your own organization and see where you can go next.
For those organizations in the military, we benchmark against other military treatment facilities (MTFs). To stay ahead of trends and emerging threats, we engage with Sharp Healthcare and University of California San Diego (UCSD) Medical Systems to share best practices and information on our collective cyber postures. Open dialogue ensures that your organization is doing everything it can to keep your care facility and data safe. The healthcare industry cannot afford to sit back on IoT security. Making sure that your devices are covered before a security incident occurs is key.
If your organization is juggling incident alerts, staffing shortages, and program management, ECS is here to help. Through our fully managed cybersecurity program, we have the people, processes, and expertise to protect your organization and your patients.