Healthcare CIOs should ‘take action now’ against IoT security risks: Gartner
- 02 February, 2017 13:23
Healthcare provider CIOs are being warned to rethink IoT cybersecurity risks this year in light of the vulnerabilities that will accompany the technology, according to new research from Gartner.
“By 2020, more than 25 per cent of identified attacks in healthcare delivery organisations will involve the IoT,” according to the report, which is part of a series of ‘Top Actions’ notes written by analyst Gregg Pessin for healthcare provider CIOs.
“IoT offers a brave new world of value to healthcare provider organisations through its ability to collect and send detailed data from almost every aspect of daily operation in a healthcare facility,” according to the report.
“This data includes specifics from how the facility is performing physically (heating/cooling/lighting) to patient condition — both within the hospital and at home — with many more use cases to be discovered.
“This data creates vital contextual visibility and input to analysis engines that enable the situationally aware views of provider processes and, in turn, enable the data's true value — the operational intelligence capabilities of the real-time health system (RTHS),” Gartner said.
IoT in the healthcare arena is not one technology; instead it’s the integration of several types of systems that sense and collect data from the environment, analyse the data, and take action upon that data to accomplish clinical and business goals.
While IoT offers the benefit of significantly increased situational awareness surrounding the patient and hospital operations, it also comes with “new and unfamiliar cybersecurity risks.”
IoT solutions can change the state of a digital environment in addition to generating data, but “this variability of state requires a new view of cybersecurity,” the report said.
IoT environments consist of mostly unattended endpoints, which create easily avoidable vulnerabilities for HDO IT infrastructures.
“The HDO represents the enterprise — the set of applications, processes and services that can be called by the IoT platform to accomplish the hospital's objectives. Many IoT platforms also include APIs that enterprise applications can use to extract data from the platform for their own purposes,” the report said.
Machine to machine (M2M) authentication works for newer IoT devices but does not include legacy devices, creating trust gaps between devices and gateways, the report noted.
With IoT pushing the boundary of IT outside of the traditional HDO IT environment, there’s a need to architect and strategise current security solutions. New security concerns introduced by the exchange of data from "things" include: data integrity; data authenticity; and data confidentiality.
“Because these new attack vectors are data-centric, they represent a significant digital threat to the HDO. The standard implementations of protected health information (PHI) defence, access control, authentication and infrastructure resilience are all pushed to their limits with the introduction of the IoT to the HDO environment,” the report said.
“The threat surface grows exponentially with the IoT as each added population of ‘things’ extends and potentially thins the garrison walls, increasing the burden on the CIO's organisation. For most HDOs, IoT populations will number the greatest outside the traditional boundary of the hospital system, mostly centred on patients and their homes,” the report said.
Most attacks are centred on identity theft, with large populations of diverse IoT devices lacking proper security measures providing a rich and lucrative target for attackers.
“Cyberattacks can take advantage of the inherent properties of IoT devices, such as communication broadcast capabilities, dependence on battery power, lack of security certificates, and in some cases, their mobility. Examples of attack types that can use these device properties against the devices are: man-in-the-middle attacks, route diversion attacks, and denial-of-service attacks,” the report said.
So what can be done? The report recommended healthcare CIOs mitigate IoT security risks by using a blended approach that includes security methods taken from mobile, cloud, industrial control, automation and physical security.
It suggested CIOs redefine the device security strategy to address new types of vulnerabilities introduced by IoT infrastructures by including embedded trust, device identities/credentials and real-time visibility and control. It also suggested CIOs enable the scale necessary for a successful IoT security strategy by creating a security plan that includes cloud-based solutions.
“CIOs can prepare their departments for the introduction of the IoT by first gaining an understanding of IoT architecture and execution models. Then, they should combine this new IoT awareness with knowledge about how IoT structures interact with the existing traditional IT architectures within the HDO.
“From this informed position, CIOs can guide their organisations to build the foundations necessary to ensure the security of delivered IT services when faced with IoT risks,” the report advised.
“The time to take action to thwart the risk of IoT in the HDO is now. In the next several years, HDOs will experience exponential growth of smart devices across the depth and breadth of the enterprise. 2017 needs to be the year to start efforts to put policies and practices in place,” the report said.