‘We need to co-operate on security – the time is now!’
What are some of the biggest threats to connected medical devices (‘medical IoT’) today?
Though not directly targeting the medical device, malware can do a lot of collateral damage and so is one of the biggest threats. We saw this last summer with WannaCry. The attack rocked healthcare organisations, which for the first time realised that everything from smart parking-gate machines to connected medical devices often run susceptible Windows software behind the scenes.
So WannaCry was a big wake-up call for the healthcare industry?
Yes. What caught hospital organisations off guard was that ransomware could have a direct impact on, and pose a risk to, connected medical devices. And yet these are among the most complicated and challenging devices to patch and protect — requiring reviews and thorough due diligence to make them safe before putting them out for use.
Also, up till then, medical device security hadn’t really been an area that a hospital’s ICT department had to deal with — it was often channelled to the clinical or biomedical engineering department. So there was a gap between the owners of the devices and those who were responsible for the overall ICT security aspects of them, which no one was taking care of.
So how have things changed since then?
I would say that there’s been a lot of community education and heightened awareness around these issues. I’m also seeing a lot more cooperation between the biomedical engineering and ICT departments. There’s more of an awareness that firewalls in a hospital are not enough to protect an organisation — they must have remediation procedures in place to reduce risk when using connected medical devices in hospital settings.
So what advice do you give to healthcare organisations you work with about how to best keep medical IoT secure in the face of these kinds of attacks?
We encourage them, first, to create better relationships and liaisons between the departments that support medical devices and the ICT department, to understand what connected medical devices are being leveraged, to cross-train, and share information about security and awareness. Because the world has evolved, the risks have evolved… so how we designed and protected hospital networks ten years ago - five years ago, even - is not sufficient as a strategy moving forward. The time is now!
We also educate them on the need for visibility inside the hospital IT network, both wired and wireless, to understand what connected devices/medical IoT they have and to put strategies in place for monitoring their behaviour, so that they can see when something starts to behave erratically compared to its baseline norm.
What is Extreme Networks doing in this area that you would like HealthTech Wire readers to know about?
We can provide an organisation with the ability to see the network analytics coming from every single connected device within their hospitals, so that when a security event happens, their ICT department can immediately identify how many devices are connected inside the hospital, where they are, and whether they’re at risk. And then they have the ability to very quickly push out controls across the entire infrastructure, to containerise those devices in order to protect them.
Robert Zemke will be speaking at HIMSS Europe 18 (27-29 May, Sitges, Barcelona), of which Extreme Networks is a premium sponsor.