Securing healthcare networks and devices is not just critical to operational continuity but to regulatory compliance as well. Compliance can be a veritable alphabet soup of mandates:
- HIPAA mandates that healthcare organizations have physical, network, and process security measures in place to protect PHI.
- The ARRA mandates “meaningful” use of EHR/EMR.
- The HITECH Act mandates audits to determine HIPAA compliance.
Regulatory requirements call for tighter security (HIPAA/HITECH), while at the same time introducing greater vulnerability (ARRA) into healthcare networks. Let’s talk about how IT is (or is not) dealing with these mandates as they apply network endpoints.
Security professionals must contend with the constant ebb and flow of perhaps thousands of hospital-issued and BYOD devices: laptops, smartphones, tablets and more. They rely on a broad range of traditional methods to reduce the threat of endpoint breaches, but controlling device access, keeping anti-virus software up-to-date and maintaining bulletproof firewalls is still a time consuming and resource-intensive exercise. The consequences of just one malicious attack can be costly in terms of fines, customer compensation and reputation.
Now with IoMT added to the picture, compliance can be even more challenging. The surge of bio-medical devices is presenting the greatest exposure to security breaches. There can be seven or eight times more medical devices than all other types. It’s common that IT isn’t even aware of all the endpoints on the network. IoMT endpoints typically do not pass through IT but instead come in directly through different medical departments. Many healthcare organizations are simply not prepared to tackle this growing challenge.
“Certain medical devices – such as pacemakers, insulin pumps, MRI and CT scanners and bedside patient monitoring systems – are deeply integrated into clinical workflows, delivering data to clinical systems like EHRs. The worry comes from the possibility of malware being introduced to the network via a compromised medical device. There is a concern that these medical devices, which typically are not all that well secured, become a back door for hackers to get into these devices and start infiltrating the network.” Lynne Dunbrack, research VP at IDC Health Insights.
Healthcare organizations are trying to wrap their arms around IoMT security. Karl West, the CISO at Intermountain Healthcare in Salt Lake City, believes that medical devices are the new threat landscape. “The influx of medical devices into health organizations, often without the knowledge of IT, may be adding to existing security problems.” He describes some steps that healthcare providers can take to better ensure the cybersecurity of IoMT devices, including:
- Take inventory of all the medical devices that exist in their network environment.
- Assess the risk of each device by classifying the data that is on those devices.
- Identify existing (if any) security controls, such as password or encryption abilities on the device.
Even as these risks are assessed and controls identified – what’s next? Great Bay Software provides solutions that directly address the security risks of IoMT devices using real-time device discovery and control. Learn about Great Bay’s Beacon Suite software as it relates directly to healthcare and IoMT devices here.
Read our recent post on the Health of Healthcare Security Budgets.
Report | Minimizing Network Security Risks Created By Medical Devices
Why the Healthcare Industry is the Top Target for Data Breaches
Report | SANS Healthcare Provider Breaches