Brigadier General (Ret) Gregory TouhillJune 19, 2019
Are Your Medical Devices a Security Risk?
The healthcare industry faces particular challenges with medical IoT devices that elevate patient care but expose numerous security risks, affecting confidentiality and patient safety.
By now, most in the cybersecurity field are aware that a “safe” network perimeter no longer exists in the enterprise. The healthcare industry presents unique challenges that take this concept a step further, with network endpoints moving around medical facilities and even within physical human bodies – providing a true reflection of today’s perimeter-less reality.
3.7 million medical devices are in use, connected to, and monitoring various parts of patients’ bodies to inform healthcare decisions. These network endpoints represent many different IoT devices, ranging from smart continuous glucose monitoring (CGM) and insulin pens, to ingestible sensors as well as the standard ultrasound, MRI, CT, and dialysis machines. These medical and IoT devices are all used by clinicians, doctors, nurses, and the entire ecosystem of healthcare providers to transport HIPAA protected patient information across healthcare networks.
While this network connectivity is improving patient care, at the same time, according to Gartner, “by 2021, the number of connected medical devices requiring security hardening will increase by 45%.”* Most of those in the medical field agree that the benefits of these network-connected devices outweigh the security risks. Although true, the frequent occurrence of ever-present healthcare breaches must also be considered.
According to the HIPAA Journal, 2018 saw 18 data breaches that each exposed 100,000 or more healthcare records. Eight of those breaches saw more than half a million healthcare records exposed, and three of those breaches involved more than one million healthcare records.
Network access is the main vulnerability that turn medical IoT devices into entry points for cybercriminals who then leverage the access to move laterally across the network to gain access to further data. Gartner says:
“It is important to understand that no matter what kind of hardening is applied to medical devices during design and manufacturing, every connected medical device faces an element of digital security risk…Remember that every additional connected medical device changes the data flow within the health system, thereby increasing privacy risk. This has a direct impact on the confidentiality, integrity and availability of data, and ultimately patient safety.”*
Securing Medical IoT Devices
Healthcare organizations must secure these often over-entitled, unregulated, and under-managed IoT devices. Whether dealing with “Legacy IoT” devices such as ultrasound, MRI, or dialysis machines; or emerging tech like ingestible sensors or a network security solution that is identity-centric like CGMs, protecting the individual must take priority.
Appgate SDP is a Software-Defined Perimeter solution that secures access to your network using the Zero Trust framework. It provides a common secure IoT access policy that supplies architecture and detailed logging to administer and audit complex connectivity interrelationships across healthcare infrastructure, limiting ‘cross-contamination’.
Healthcare systems have complex device security needs that require restricted but manageable accessibility. Appgate SDP’s IoT Connector provides healthcare organizations with a single view of users, servers, and now device access — all easily regulated with policies and controls that limit the attack surface per unique device.
Each Appgate IoT Connector instance is designed to scale for both volume and throughput, and is able to handle a wide array of today’s medical IoT devices. By isolating and limiting access, Appgate is able to prevent lateral attacks while allowing devices to seamlessly perform their functions. It operates in-line and can be easily deployed without replacing existing hardware or software. Standard with Appgate is the ability to integrate threat intelligence, reporting, or visualization to provide proactive actions and real-time responses to mitigate attacks.
To learn more about how to protect your healthcare organization’s IoT devices, take a look at the IoT Connector use case.
*Gartner, Focus Now on Digital Security Opportunities Within Connected Medical Devices, Anurag Gupta and Saniye Alaybeyi, 7 January 2019