The healthcare field has incorporated a wide variety of IoT devices into its infrastructure in recent years. Both doctors and nurses use everything from glucometers to infusion pumps to laptops, but there may be assumptions about the cybersecurity of these devices that are unwarranted.
A recent survey found that 75 percent of IT managers are “confident” or “very confident” that the network security for their IoT devices is strong and not easily susceptible to cyber attacks. Many information security professionals would not be so confident.
The survey was part of a report produced by ZingBox, an IT security company specializing in IoT devices. Over 200 healthcare IT professionals took part in the survey, which found that even as the number of devices in use has proliferated, network security protocols are still rooted in the laptop/server world.
It was found that a typical hospital bed involves the use of 10 to 15 IoT devices in a day, with IoT devices defined as portable, Internet-connected devices.
The fact is that many IoT devices are not protected by traditional network security protocols, which tend to focus on protecting data on the server. These established network security systems can allow access to individual IoT devices with relative ease. Cyber attacks can take control of individual IoT devices and turn them into a botnet, which will create a doorway through which malicious software can enter the network.
A recent study made public by the Ponemon Institute, an independent research foundation specializing in privacy, data protection, and information security, found that 67 percent of medical IoT device makers expect their products to be attacked in the following 12 months. But only 17 percent have serious policies in place to prevent such attacks.
One of the biggest issues is the difference between medical IoT devices and the more traditional laptop/server world. Security patches and system updates can be quickly distributed to laptops and other mobile devices, but that’s usually not possible with IoT medical devices, which cannot receive such network-wide software updates.
The regulation of medical IoT devices by the U.S. Food and Drug Administration (FDA) also makes it harder for the devices to receive third-party software patches. Applying such patches might invalidate FDA certification, which can take up to five years to achieve. No medical IoT device maker currently allows third-party security software to be uploaded to their products.