Every year, organizations find themselves spending more and more on cybersecurity. Protecting their data and keeping pace with increasingly sophisticated methods of cybercrime is an important investment. By the end of this year, estimates are that Internet of Things (IoT) security spending will reach $1.9 billion, for an industry that now encompasses some 20 billion connected devices. Yet even with this increased spending and compelling cases for better security standards, IoT security remains the weakest link. Hospitals are being transformed by a huge variety of interconnected devices, overlapping applications and a vast flow of data across the network. Various users and staff can access this data, with the ultimate goal of improving patient care, diagnoses and treatments. A critical question remains, however: How do you encrypt all this data so that it is protected, and what is the impact of doing it wrong?
‘Smart’ devices connect to the internet and process and store sensitive data. This unprecedented level of connectivity and communication between devices offers the potential for better data and analytics for companies to understand their customers’ needs and motivations. It also exposes an exponentially greater attack surface for anyone looking to steal data or compromise systems for their own purposes. It’s clear there is still much progress to be made in making security a top priority for the growing network of our “connected life”.
Frequent cases of unencrypted firmware updates, video streaming and stored user credentials are noted by security experts. Nowhere is this threat more clearly demonstrated than in health care. The use of connected medical devices and applications across healthcare organizations and providers is increasing almost exponentially. They serve as an important access point for communicating, sharing, collecting and analyzing medical data. They also represent a highly vulnerable security risk for these same reasons.
Adoption of IoT technologies has been relatively swift throughout the industry: from an infusion pump or a patient monitor used by a doctor or nurse, to a fitness tracker a patient might wear. Indeed, recent estimates place around 10-15 connected devices per bed in a typical US hospital—all processing valuable patient data. Multiply that by the general standard of about 5,000 beds in the hospital, and the urgent need becomes self-evident.
Wi-Fi access points create another attack vector for insecure devices. When a medical device connects to the internet at a hospital, for instance, it is also making a connection to the facility’s network and any sensitive information therein. What’s more, if that device has become a host to some strain of malware, the risk to patients multiplies. This can lead to particularly nasty ransomware infections, as when WannaCry affected a significant number of hospitals. That incident caused havoc for weeks in some hospitals’ IT systems. In the end, only six percent of the hospitals indicated were able to patch their systems.
Unfortunately, more organizations are paying the ransoms these days, because they’ve been caught unprepared and don’t want to lose everything, even if it means rewarding the cyber criminals. Despite this, proper attention is not always given to device security. According to a recent bulletin from the Cybersecurity and Infrastructure Security Agency, this applies to a number of medical devices from Medtronic Inc., the largest company in the space. The system uses an unencrypted, non-authenticated wireless protocol that could allow hackers to take over a device or change its settings. While the FDA states that the devices’ benefits still outweigh the risks, this reveals the lack of urgency with which device protection is still approached. On top of the insecure devices, there are insider threats, both internal and accidental, and vulnerable legacy systems. Stolen patient data will continue to fetch a high price on the black market.
These are issues that have plagued the industry and will continue to do so in 2019. Protecting, managing and defending your data while maintaining compliance will continue to be an increasingly difficult task for healthcare organizations, particularly in the era of IoT. Data breaches in healthcare have increased operating costs and caused long-term damage to many institutions across the world. Protecting patients’ personal health information (PHI) and electronic health records (EHR) is a business imperative for maintaining business stability as well as long-term reputation.
At NetLib Security, our solutions help our customers come into compliance with HIPAA, GDPR and many other privacy regulations around the globe by encrypting PHI and EHR. We secure existing devices already in the field, with no alterations or reprogramming required. Our specialty is understanding the unique needs of small to mid-sized enterprises (SMEs) with constrained IT departments that need to protect data on their Windows servers and connected devices. Companies utilize our solutions to satisfy a pressing need quickly and with confidence.