5 Security Risks – And Solutions – For Every Partner Deploying IoT In Health Care

Managing The Medical Device Security Risk

As more medical wireless devices – like pacemakers and pharmaceutical compounders – are deployed, the risk of security issues quickly increases.

Virta Labs CEO Kevin Fu discussed the security risks – and potential solutions – for hospitals utilizing these wireless devices Thursday at the Security of Things conference, held in Cambridge, Mass.

"The sky isn’t falling [around IoT security], but there are surreal risks we need to solve," said Fu. "The hard part is figuring it out so that [security risks] don’t come back again."

Following are five things that solution providers with health-care customers should know about IoT risks and opportunities.

The Biggest Issue For IoT Medical Device Security

When hospitals are exposed to security attacks, like ransomware, data becomes unavailable, said Fu. These attacks could lead to hospitals shutting down, which is detrimental in an environment where it is critical for healthcare providers to maintain operations 24x7.

The biggest risk, he stressed, in addition to the integrity of medical sensors, is wide-scale unavailability of patient care due to a security attack. "We don’t want to interrupt clinical workflow," said Fu.

The Current Security State Of Medical IoT

Fu said that an IoT security strategy is "starting to develop" as the medical and IT worlds converge. However, there are still underlying wrinkles that need to be smoothed out, as the medical community is different from the traditional IT customer, he said.

"The medical demographic does not fit what [demographic] the security tools are designed for," he said. "We need compensating controls that minimize the risks."

The 'Low-Hanging Fruit' Risks

Fu outlined several security risks in existing IoT medical devices that he described as "low-hanging fruit" for hackers.

Medical devices face the risk of factory-installed malware, even after vendors have installed a firewall. For example, the vendors could accidentally bring in malware while repairing or updating machines, or devices could be infected by malware while still in the product assembly line.

For instance, said Fu, a Windows XP-powered pharmaceutical compounder with a virus could spread that virus to other compounders during repair.

Mitigating Controls Critical For Hospitals

Security should be designed into devices from the get-go, but many security problems are actually baked in at the whiteboard stage, said Fu. So, how can hospitals deal with inevitable security breaches?

Fu said that IT professionals and medical IT engineers need to ask instead what mitigating security controls they can design so that the system is still operational even after it's been hacked.

Solution providers, for their part, can play a big role in working with hospitals to design and implement these security controls to ensure continued operation even after an attack.

Who 'Owns' The Security Risks?

The health-care space differs from the traditional IT enterprise space because it may not necessarily be the CIO having conversations with the vendor or partner – it might be someone more closely aligned with the line of business, like the chief strategy officer.

Who owns the security risks in hospitals? "We’re not sure yet – for some hospitals, the IT [department] will," said Fu. "In some cases, the individuals with the best training and ability to reduce risks have the least amount of authority to do that."