5 Cybersecurity Measures for IoT Medical Devices


Sep 21, 2016

With the incidents of healthcare-industry cyberattacks and data breaches increasing, the issue of medical devices that are connected via the Internet of Things (IoT) will surely be coming more and more into the spotlight. The reason is clear: Those IoT medical devices are all interconnected on their own “Web,” and carry their own digital signatures, IP addresses, and, most distressingly, patient medical data that can be hacked, read, exploited and dumped by predatory cybercriminals. According to Forrester research analyst Chris Sherman and his May 2016 report on the growing crisis, Healthcare’s IoT Dilemma: Connected Medical Devices, “You have less control over connected medical devices than any other aspect of your technology environment. Many times, vendors control patch and update cycles, and vulnerabilities persist that require segmentation from your network. Considering that many of these devices are in direct contact with patients, this is a major cause for concern.”

IoT Medical Devices

Indeed, but here are 5 ways to protect medical devices on the Internet of Things from cyber breach or data exploit:

  1. Categorize potential cyberattack risk of existing devices. Once electronic medical devices are placed on wireless networks, they become part of an interlinked (and hackable) system. A website like Shodan, a.k.a. “The search engine for the Internet of Things,” catalogs devices on the IoT and exposes myriad searchable endpoints globally that lack proper security. Medical device security watchdogs should then use sites like Shodan to calculate the riskiness of having that heart monitor, CAT scanner or IV-drip on the IoT and step up their security accordingly.
  2. 2. Establish a clinical risk management framework. This one rightly follows on the heels of number one, as it is sequentially relevant and is based on language in the Sherman/Forrester report that calls for a risk-management “framework [that] focuses on how to manage and balance risks associated with safety, effectiveness and data/system security. It will help you determine the risk levels of your medical devices, mitigate and control that risk, and ultimately bring the risk exposure of your hospital network to acceptable levels.”
  3. Ensure your enterprise or organization follows strict security “hygiene”. The Forrester Research report states that the great majority of healthcare data breach cases in recent years were due to “social engineering and spear-phishing attacks”. This shows that there needs to be a deep awareness of corporate culture within vulnerable industries, and tighter controls on employee access and greater recognizance of the aforementioned cyber threats and attacks. Security control in healthcare needs to adopt “frequent, relevant, and engaging communication to ensure [their] workforce doesn’t miss security messages,” according to the report.
  4. Arrange security requirements in new device requests’ proposals and contract verbiage. It’s important to note that as potential customers, healthcare organizations DO have the power to get manufacturers of vulnerable devices to agree to special security requirements in proposals and contracts for IoT-connected device rollouts or upgrades.
  5. Implement a no-tolerance, zero-trust networking policy. This relies on the fact that you can’t control what’s coming at your data network from “out there,” but you sure can control how you respond from within your organization. Adopting ubiquitous security procedures rather than just perimeter measures; including risk-based, segmented devices, and enforcing zero-trust policies that vet-out any conceivably possible cybersecurity threat will help cement across-the-board security measures that protect healthcare data networks far better than mostly passive, perimeter controls.

The Forrester Report ends on this note: Although tech innovation in healthcare holds great promise to improve the “quality and speed with which patient care is delivered, the unfortunate reality is that security is all too often an afterthought in the design and development of these innovative new technologies. This is especially true for IP-enabled medical devices.”

Related Blogs

  • Duplicate flows across multiple flows by using a CI/CD pipeline that eliminates manual flow replication and associated errors." alt="">
    Manage Contact Flows With Amazon Connect APIs

    Programmatically configure and test Amazon Connect contact flows while reducing effort and errors Key Takeaways: New contact flow APIs are easily deployed from an AWS CloudFormation template Contact...

    Learn More
  • A woman working as a contact center agent and using a desktop computer with access to Amazon Connect and Amazon Connect Tasks" alt="">
    Automate, Track, and Manage Tasks for Amazon Connect Contact Center Agents

    Here’s everything you need to know about Amazon Connect Tasks and how it improves agent productivity while enhancing the customer experience Key Takeaways: Contact center agents often track and...

    Learn More
  • The insights offered by Amazon Connect Contact Lens provide unparalleled customer service training opportunities." alt="">
    Run Real-Time Contact Center Analytics on Amazon Connect

    Amazon Connect Contact Lens lets your call center apply machine learning and natural language processing for speech-to-text analysis and real-time insights Key Takeaways: Amazon Connect Contact Lens...

    Learn More