Most healthcare IT organizations have done a great job of tackling the security challenges posed by Wi-Fi access for patients and mobile BYOD connections for clinicians. Hospitals and clinics now face their greatest security challenge to date – the explosion of highly beneficial but potentially problematic IoT healthcare devices.
There’s no denying the benefits of IoT in healthcare. From monitoring patients and medical assets to tracking anything that has to be measured, network-connected devices bolster both patient safety and clinical efficiency. Devices as simple as sanitation gel dispensers can alert administrators when they need to be refilled so that nobody has to remember to check, and gel is always available.
But this raises two crucial questions. First, how much thought did the gel dispenser manufacturer – and the manufacturers of every other network-connected device – put into security? And secondly, how can IT ensure that none of those dozens and dozens of network access points enable unauthorized network access?
Simply put, the proliferation of IoT devices in healthcare comes with a proliferation of potential endpoint security gaps. Those gaps can all be closed with the following four steps to IoT security.
Step 1: Take a complete IoT inventory
For IT professionals to secure all endpoints, they must be aware of all connected devices. Start with a survey of every department to develop an inventory listing of networked devices. Survey outreach is a good time to get everyone thinking about the importance of device security. How many clinicians are aware that a sanitation gel dispenser could provide a pathway to sensitive patient information in a records system?
Step 2: Create a mapping of devices and networks
Understanding which networks are connected to which devices is central to assessing the risks posed by IoT technologies. Ideally, you should put IoT devices on a separate network preventing access to sensitive data on the enterprise-wide network. In addition to informing risk assessment, creating a complete map can help optimize connections, aiding in prioritizing and allocating bandwidth accordingly.
Step 3: Publish an IoT security policy
A thorough IoT security policy will designate which devices are allowed on networks and the proper procedure for involving IT. It will likely become clear from earlier steps that just because a manufacturer makes a device networkable, it doesn’t necessarily mean it should be allowed on a network. All IoT devices should be configured to meet your security requirements before being connected to the network. A “plug and play” setting, which makes setup a breeze, creates a potentially dangerous situation. Be sure to address all departments that have IoT devices or might have them in the future.
Step 4: Remediate security gaps and enforce policy
Finally, it’s important to identify any gaps in the new security policy. What are your plans for ongoing inventory and management? Can you quickly separate existing, known devices from new, unknown devices connected to the network? Remediate any gaps uncovered, and remember to monitor the situation on an ongoing basis. It’s surprising how easily new devices can find their way to a network connection – even the most carefully crafted and presented security policy will require enforcement when it comes to IoT.
If you need help
Most major network service providers offer professional services that can assist with the auditing and remediation functions described above. Whether you engage such services or choose to do it yourself, it’s important to take a thorough approach to IoT security, buttoning it up as tightly as all other aspects of healthcare IT.