IoT security is one of the most concerning and critical issues that we in healthcare face on a daily basis. All industries are affected by IoT devices threatening the integrity of their networks, with consumer “smart” devices and industrial control systems (ICS) being common endpoints in every network. For some reason that I have not yet been able to pin down, almost everyone has been ignoring the dangerous little devices they have on their networks, and this negligence has caused countless breaches and is certain to be the cause of many more to come.
Healthcare’s Perfect Storm
Healthcare, on the other hand, is sitting in the middle of the perfect storm of danger because, in addition to the basic IoT and ICS systems, it also has biomedical equipment. The differences between these categories are minimal. Consumer-grade IoT devices are designed to work easily with little to no setup. However, this simplification directly negates the ability to secure these devices. One simply cannot have secure and simple in the same device; they are “warring” principles. Sadly, and despite the massive difference in cost, biomedical equipment is almost exclusively built on the same principle: make it as easy as possible to set up, which effectively makes these devices no more secure than a connected toaster from a big box store.
Connected Medical Device Lifecycles
Another parallel exists between biomedical equipment and ICS. ICS are used to control critical infrastructure, such as power, HVAC, and security systems. Traditionally, all infrastructure, or industrial-grade, equipment is designed to last for at least ten years. A typical endpoint’s lifespan, on the other hand, is four years, meaning that a laptop or server is going to be replaced almost three times before an ICS component would be. This same principle has also been applied to the biomed industry. Whether by design, necessity, or dumb chance, most connected medical devices have a lifecycle a lot closer to 10 years than four. This means we are regularly plugging equipment that is decades out of date into our highly sensitive clinical networks.
Getting Started with IoT Security
While there are a plethora of remediations I can recommend, half a dozen other resources on this site already discuss them in great detail. However, those resources do not talk about how to begin. The steps should be to:
- find all the devices connected to your network,
- inventory them,
- assess their security,
- segment them onto a secure and non-sensitive subnet, and
- create strong policies to keep unknown and unapproved devices from being connected to the intranet.
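As an added illustration of the first four steps (find, inventory, assess, segment), and not code from the original article: the script below reconciles a constructed DHCP lease dump against an approved-inventory table, normalizes MAC case so a known device is not misreported, and assigns anything not in the inventory to a quarantine subnet, producing the list of unauthorized devices to go and locate. The subnet names, the inventory entries and the vendor-prefix hints are all assumptions made for this example.

```python
from dataclasses import dataclass
# Constructed sample DHCP leases, one per line: "<ip> <mac> <hostname>".
DHCP_LEASES = """\
10.20.1.15 00:1a:2b:3c:4d:5e WS-RADIOLOGY-03
10.20.1.22 aa:bb:cc:00:11:22 infusion-pump-7
10.20.1.40 f0:d2:f1:aa:bb:cc amazon-echo
10.20.1.41 de:ad:be:ef:00:01 smart-coffee
10.20.1.50 00:1A:2B:99:88:77 WS-ICU-01
"""
# Approved inventory (assumed): MAC -> (device category, assigned subnet).
APPROVED = {
    "00:1a:2b:3c:4d:5e": ("workstation", "clinical"),
    "00:1a:2b:99:88:77": ("workstation", "clinical"),
    "aa:bb:cc:00:11:22": ("biomed", "biomed-isolated"),
}
# Vendor prefix hints are constructed for this example, not a real OUI table.
OUI_HINTS = {"f0:d2:f1": "consumer voice assistant"}

@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    status: str   # "approved" or "unauthorized"
    subnet: str   # where the device belongs; unknowns go to quarantine
    note: str

def classify(ip, mac, hostname):
    mac = mac.lower()  # normalize case so inventory lookups do not miss
    if mac in APPROVED:
        category, subnet = APPROVED[mac]
        return Finding(ip, mac, hostname, "approved", subnet, category)
    hint = OUI_HINTS.get(mac[:8], "unknown vendor")
    # Not in the inventory: isolate until it is scanned, reset and assessed.
    return Finding(ip, mac, hostname, "unauthorized", "quarantine", hint)

def reconcile(lease_text):
    """Turn a lease dump into findings, skipping blank or malformed lines."""
    findings = []
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            findings.append(classify(*parts))
    return findings

def dday_list(findings):
    """Unauthorized devices to locate room-by-room, ordered by address."""
    return sorted((f for f in findings if f.status == "unauthorized"),
                  key=lambda f: f.ip)
```

Feeding it a real lease or ARP export in the same three-column shape gives the walk list for the D-Day sweep described below, with each unknown device already tagged for the quarantine subnet.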
Working with healthcare organizations every day, I realize that any one of those steps can be a major ask. Simply identifying all the “rogue” systems or segmenting the network properly requires more resources and money than most IT/IS departments have.
The Slow-Roll Approach
Since you are probably not going to convince the board or CEO to spend on the resources necessary to fully remediate the IoT and biomed issue today, consider instead a slower, more realistic approach. I have seen this used in some form to great effect in various environments, from the U.S. Army to hospitals.
Endpoint Device Policy
First, create a strong policy that forbids unauthorized and unknown devices from being connected to the network (if you do not already have one). This will not be a hard sell; it is one of the most obvious and necessary policies that every organization should have. At the very least, even if it is not evenly enforced, it gives the organization the authority to remove any malicious or compromised devices without pushback.
Communication and Enforcement
After this policy is in place, make sure it is clearly and plainly communicated to all users that any unauthorized device found connected to the network will be removed, scanned for sensitive information, and either wiped and returned or put through the official endpoint approval process. Clear communication is critical to this process, and so is enforcement. Anything connected to the network, even a new smart TV, should be put through a security check, inventoried, and put on a special subnet.
D-Day (Device Day)
After a set period of time (60 days is common) and plenty of warning, it is D-Day (“D”, as in device). At this point, the IT techs and anyone else knowledgeable enough to help should go through the building room-by-room and locate any unauthorized connected devices. Then comes the fun part. They give a “receipt” to the manager, or owner, of the device before taking it. It then goes into a locked closet, disconnected from anything, until it can be analyzed. This analysis should include a full scan of the device’s storage to find any potentially sensitive information, followed by a reset to factory settings. Security staff can then evaluate whether the device can be secured, whether it will collect sensitive data, and so on. After it has been analyzed, it can be returned and placed on the subnet it has been deemed secure enough for.
Consider Who Uses These Devices
The employees will never forget having their Alexa device or coffee pot taken, scanned, and removed from the network. This will send a clear message, and employees (who are the ones who plug these things into the network to begin with) will understand the importance of this policy. This action alone should make a major dent in the problem and allow you to focus on more pressing issues.