Guest Column | March 14, 2016

Keeping Patient Information Secure When Implementing IoT

Security

By Dominic McClung, Graduate Assistant, Center for Information and Communication Sciences, Ball State University

Executive Summary

Healthcare is quickly becoming one of the leading adopters of Internet of Things (IoT) technology because of the wide assortment of connected medical devices. According to research conducted by MarketResearch.com, the healthcare segment of the IoT will be a $117 billion industry by 2020.1 While IoT may seem like a great benefit to the world of healthcare, it does not come without its own problems.

One of the biggest IoT problems is security and, as a result, the FBI issued a statement concerning the vulnerability of healthcare IoT devices.2 Without a focus on security, the implementation of each additional IoT device increases the risk of a malicious attack which could cost healthcare organizations millions of dollars in fines and lost revenue.

There are several steps organizations need to take to improve the security of both their devices and their network. Many of these steps are simple to implement and have a large effect on security. Healthcare organizations and equipment manufacturers would benefit from taking the extra time to apply every available precaution so that their devices are secure and malicious intrusions are prevented.

IoT And Healthcare

IoT brings connectivity and new features to devices that were not previously connected, creating a new paradigm within the technology sector in which devices generate data and can be controlled like never before. IoT is destined to be a major force in the world of healthcare, since the industry uses a wide assortment of devices that can be outfitted with smart technology, from bandages to pacemakers.

IoT will be a major driver for change and growth throughout the industry as it will change the way practitioners care for their patients. IoT is also expected to be a major expense for organizations as research firm MarketResearch.com predicts that the healthcare segment of IoT will be valued at over $117 billion by 2020.1

The Importance of Security

Security of information is an important business concern for companies in every industry. It is especially important to organizations operating within healthcare because of the sensitivity and value of patient data. Healthcare organizations hold a large amount of information about their patients, including payment information, Social Security numbers, home addresses and potentially much more, which means they hold more sensitive information about their customers than virtually any other industry.

Due to the sensitivity of this data, a large number of regulations apply. One of the most significant is the HIPAA Breach Notification Rule: a breach of protected health information affecting more than 500 individuals must be reported to the Secretary of Health and Human Services, and to prominent media outlets serving the affected state or jurisdiction, without unreasonable delay and no later than 60 days after discovery. Such public notification can greatly tarnish the organization's reputation in addition to the ensuing financial repercussions.

One of the most well-known healthcare data breaches was discovered in January 2015 at Anthem, the Blue Cross Blue Shield licensee. The breach was enormous, exposing the information of up to 80 million current and former members of Anthem health plans. The attackers obtained a large amount of information, including victims' names, dates of birth, Social Security numbers, healthcare ID numbers, home addresses, employment information and income data.3

Data breaches also affect smaller institutions such as individual hospital systems. University of Washington Medicine recently settled with the U.S. Department of Health and Human Services over a 2013 breach, traced to an employee opening a malicious email attachment, that affected about 90,000 patients. The settlement cost University of Washington Medicine $750,000 in addition to harming its reputation.4

While there have been no documented cases of an attack on a medical device implanted in a patient, lab tests have shown that such devices can be attacked while in operation. Researchers at the University of South Alabama were able to hack both the pacemaker and the insulin pump of a state-of-the-art patient simulator. The students "killed" the iStan patient simulator by manipulating its pacemaker and insulin pump, demonstrating that, in the right situation, an attacker could kill someone by exploiting security weaknesses in healthcare devices.5

Guidelines For Keeping Patient Information Secure

  • Best Practices

Following good network security practices should go without saying, but it is frequently overlooked. When designing a network, apply security best practices throughout. This includes the basics: use strong passwords, keep equipment up to date, disable unused network drops and switch ports, and separate traffic onto different VLANs.

  • Security Patches

Always make sure devices are kept up to date with the latest security patches. Typically, when a manufacturer becomes aware of a security flaw in one of its products, it releases a patch that can be downloaded and installed to fix the issue. The problem is that patches are frequently forgotten or ignored, leaving easy exploits in place. Attackers often learn how to exploit a flaw from the information published along with the patch, or by comparing the patched and unpatched versions, so a device that is found still unpatched after the advisory is public is especially easy to compromise. In addition to staying up to date with security patches, it is critical not to run systems that no longer receive them, such as Windows XP, which reached end of support in April 2014.

  • Changing Default Passwords

One of the easiest ways to improve security is to change the default password. Almost all devices, and IoT devices in particular, ship with predefined accounts and passwords so the customer can set up the equipment easily. However, changing the default password or deleting the premade account is frequently forgotten, leaving an easy-to-exploit hole. This is problematic because an attacker can look up the product documentation online and determine the default administrator credentials intended for initial setup. Those credentials let the attacker do anything with the device, from reading stored information to adjusting the equipment so it no longer behaves as intended.
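As an added example (not part of the column), the following Python script audits a device inventory for the problems described above: factory credentials that were never changed, weak replacements, and one password reused across many devices, which turns a single compromised device into access to the whole fleet. The vendor-default table and the inventory are constructed for illustration, and the vendor and model names are made up; a real audit would attempt the documented default login against each device and record only whether it succeeded, rather than keeping plaintext passwords in a file.

```python
"""Audit device accounts for unchanged defaults, weak and reused passwords.

Added example, not from the column. VENDOR_DEFAULTS and INVENTORY are
constructed; a real audit would test the default login against each
device rather than hold plaintext passwords.
"""
import hashlib
from collections import defaultdict

# Constructed: factory accounts as printed in the (hypothetical) setup guides.
VENDOR_DEFAULTS = {
    ("ExampleVendor", "PumpModelA"): {"admin": "admin", "service": "1234"},
    ("ExampleVendor", "MonitorModelB"): {"admin": "password"},
}

# Constructed inventory: one row per local account on each device.
INVENTORY = [
    {"device": "pump-01", "vendor": "ExampleVendor", "model": "PumpModelA",
     "user": "admin", "password": "admin"},
    {"device": "pump-02", "vendor": "ExampleVendor", "model": "PumpModelA",
     "user": "admin", "password": "Ward7-Pump!2016"},
    {"device": "pump-02", "vendor": "ExampleVendor", "model": "PumpModelA",
     "user": "service", "password": "1234"},
    {"device": "mon-01", "vendor": "ExampleVendor", "model": "MonitorModelB",
     "user": "admin", "password": "Ward7-Pump!2016"},
    {"device": "mon-02", "vendor": "ExampleVendor", "model": "MonitorModelB",
     "user": "admin", "password": "summer"},
]

MIN_LENGTH = 12  # assumed local policy


def is_weak(password):
    """Too short, or fewer than three character classes."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(check(c) for c in password) for check in checks)
    return len(password) < MIN_LENGTH or classes < 3


def audit(inventory, vendor_defaults=VENDOR_DEFAULTS):
    """Return (device, user, finding) tuples for every problem found."""
    findings = []
    devices_by_hash = defaultdict(set)
    for row in inventory:
        defaults = vendor_defaults.get((row["vendor"], row["model"]), {})
        if defaults.get(row["user"]) == row["password"]:
            findings.append((row["device"], row["user"], "default credential unchanged"))
        elif is_weak(row["password"]):
            findings.append((row["device"], row["user"], "weak password"))
        # Group by digest so the reuse report never carries the plaintext.
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        devices_by_hash[digest].add(row["device"])
    for devices in devices_by_hash.values():
        if len(devices) > 1:
            for device in sorted(devices):
                findings.append((device, None, "password shared with other devices"))
    return findings


if __name__ == "__main__":
    for device, user, finding in audit(INVENTORY):
        print(f"{device:8} {user or '-':8} {finding}")
```

Running it reports pump-01 and the pump-02 service account as still on factory credentials, mon-02 as weak, and pump-02 and mon-01 as sharing a password even though that password is individually strong.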

  • Disable UPnP On Routers

Another major security concern is Universal Plug and Play (UPnP). The feature was built into network equipment so that devices on the same network can discover each other and share information without manual configuration; on a router it also lets any host on the local network ask for inbound ports to be forwarded to it. While this sounds convenient, it means that malware on a single internal host can open the network to the internet, and a number of router implementations have exposed the UPnP service itself on the internet-facing side. Since this is not a feature a corporate environment such as a hospital will need, it is best to ensure that UPnP is disabled on all routers and other network devices to close off a potential security hole.
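To see what UPnP discovery looks like on the wire, here is an added example in Python (not from the column) that builds the SSDP M-SEARCH probe a scanner, or a piece of malware, would multicast, parses the unicast replies, and flags a responder that advertises the Internet Gateway Device port-mapping service. The sample reply, its addresses and its server string are constructed; the `discover()` function sends a real probe on the local segment only if you run the file directly.

```python
"""Build an SSDP M-SEARCH probe and parse the replies UPnP devices send back.

Added example, not from the column. Message layout follows the SSDP
conventions of the UPnP Device Architecture; SAMPLE_RESPONSE is constructed.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)

# Service types whose presence means a host can request port mappings.
RISKY_SERVICES = ("WANIPConnection", "WANPPPConnection", "Layer3Forwarding")

# Constructed reply from a hypothetical gateway at a documentation address.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleRouter/2.0\r\n"
    b"EXT:\r\n\r\n"
)


def build_msearch(search_target="upnp:rootdevice", mx=2):
    """Return the multicast discovery request as bytes."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw):
    """Parse an HTTP-like reply into lowercase header -> value, or None."""
    text = raw.decode("ascii", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess(headers):
    """Say why a responder matters to a defender."""
    st = headers.get("st", "")
    if any(service in st for service in RISKY_SERVICES):
        return "gateway exposes port-mapping control via UPnP IGD"
    return "device answers UPnP discovery"


def discover(timeout=2.0):
    """Live probe of the local segment; returns (ip, location, assessment)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    results = []
    try:
        sock.sendto(build_msearch("ssdp:all"), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers:
                results.append((addr[0], headers.get("location"), assess(headers)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    for ip, location, verdict in discover():
        print(ip, location, verdict)
```

Any responder on a clinical or IoT segment that advertises `WANIPConnection` is a gateway on which every host in that segment can call `AddPortMapping`; it should not answer at all once UPnP is disabled, which makes this probe a quick way to verify the setting.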

  • Isolate IoT Devices On Their Own Networks

Another good practice when implementing IoT devices is to place all of them on their own network, with rules between segments that allow only the traffic each device needs. This adds a layer of protection in the event that an IoT device is compromised. Many IoT devices neither store nor transmit sensitive information, but they make an easy entry point for an attack because they often lack the level of security found on traditional networked devices. Segmenting them onto a separate network means that, even if an attacker infiltrates a device, they cannot see the information being exchanged among devices on other networks or reach the systems that hold it. This helps keep information secure even when an IoT device has been compromised.
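Segmentation only helps if the flows between segments are actually restricted. The following added example (not from the column) checks constructed flow records against a zone-based allow-list: IoT devices may reach only the telemetry collector and NTP, administrators may reach devices for patching and configuration, and everything else is a violation. The subnets, the policy and the flow lines are assumptions made up for the demonstration; traffic within a single zone is treated as allowed, so port isolation inside the IoT VLAN is a separate control this check does not model.

```python
"""Check observed flows against a zone-based segmentation policy.

Added example, not from the column. ZONES, POLICY and SAMPLE_FLOWS are
constructed for illustration.
"""
import ipaddress

# Constructed zones: one subnet per VLAN.
ZONES = {
    "iot": ipaddress.ip_network("10.10.0.0/16"),
    "clinical": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt": ipaddress.ip_network("10.30.0.0/24"),
    "dmz": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed allow-list: (src_zone, dst_zone, proto, dst_port).
# Anything not listed, and anything leaving the zones, is denied.
POLICY = {
    ("iot", "dmz", "tcp", 443),       # device telemetry to the collector
    ("iot", "dmz", "udp", 123),       # NTP
    ("mgmt", "iot", "tcp", 22),       # admins push patches and config
    ("mgmt", "iot", "tcp", 443),
    ("clinical", "dmz", "tcp", 443),  # clinicians read the collector's portal
}

# Constructed flow records: "timestamp src dst proto dport".
SAMPLE_FLOWS = [
    "2016-03-14T10:00:01 10.10.4.21 10.40.0.10 tcp 443",    # pump -> collector
    "2016-03-14T10:00:02 10.10.4.21 10.20.1.5 tcp 445",     # pump -> workstation
    "2016-03-14T10:00:03 10.10.4.21 10.20.0.9 tcp 1433",    # pump -> EHR database
    "2016-03-14T10:00:04 10.30.0.5 10.10.4.21 tcp 22",      # admin -> pump
    "2016-03-14T10:00:05 10.10.4.21 198.51.100.7 tcp 80",   # pump -> internet
]


def zone_of(ip):
    """Name of the zone containing ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}


def evaluate(line, policy=POLICY):
    """Annotate one flow with its zones and whether the policy permits it."""
    flow = parse_flow(line)
    flow["src_zone"], flow["dst_zone"] = zone_of(flow["src"]), zone_of(flow["dst"])
    same_zone = flow["src_zone"] == flow["dst_zone"] != "external"
    key = (flow["src_zone"], flow["dst_zone"], flow["proto"], flow["dport"])
    flow["allowed"] = same_zone or key in policy
    return flow


def violations(lines, policy=POLICY):
    """Flows a correctly configured inter-VLAN firewall would have dropped."""
    return [f for f in (evaluate(line, policy) for line in lines) if not f["allowed"]]


if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src_zone']}->{f['dst_zone']} "
              f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} DENIED")
```

Run against flow exports from the inter-VLAN firewall or switch, the violations list is both a test of the ruleset (a denied flow that was observed means the rule is missing) and a detection: an infusion pump reaching a clinical workstation on port 445 or a database on 1433 is exactly what a compromised device looks like.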

  • Staff Education

One of the most important aspects of network security is ensuring that staff are adequately trained to recognize potential threats. Humans are typically the weakest link in the system, so educating them well is a crucial step toward maintaining network security. A staff education plan is essential for preventing social engineering problems such as phishing attacks. Clinical staff should also be shown how to check for security updates on the devices they frequently use and whom to contact to have updates applied.

Conclusion

Many of the steps that improve security when implementing IoT devices are neither groundbreaking nor hard to implement. Most of the best practices are simply crucial steps that must not be overlooked if every potential exploit is to be covered. More complex measures exist for keeping a network secure, but the recommendations above are typically easy to apply and proven to be effective.

Works Cited

1McCue, T. (2015, April 22). $117 Billion Market For Internet of Things In Healthcare By 2020. Retrieved December 19, 2015, from http://www.forbes.com/sites/tjmccue/2015/04/22/117-billion-market-for-internet-of-things-in-healthcare-by-2020/

2Pennic, F. (2015, September 16). FBI issues IoT Security Warning for Medical Devices, Wearables. Retrieved November 19, 2015, from http://hitconsultant.net/2015/09/17/fbi-issues-iot-security-warning-medical-devices-wearables/

3Hiltzik, M. (2015, March 6). Anthem is warning consumers about its huge data breach. Here's a translation. Retrieved December 19, 2015, from http://www.latimes.com/business/hiltzik/la-fi-mh-anthem-is-warning-consumers-20150306-column.html

4Schencker, L. (2015, December 14). University of Washington Medicine reaches $750,000 HIPAA settlement. Retrieved December 21, 2015, from http://www.modernhealthcare.com/article/20151214/NEWS/151219937/university-of-washington-medicine-reaches-750000-hipaa-settlement

5Storm, D. (2015, September 8). Researchers hack a pacemaker, kill a man(nequin). Retrieved December 20, 2015, from http://www.computerworld.com/article/2981527/cybercrime-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html