HDOs: Address IoT security governance today for a more secure tomorrow

April 26, 2019
By Jonathan Langer

Security breaches via IoT devices are a very real threat to healthcare delivery organizations (HDOs) today. Particularly at risk are HDOs that haven’t yet determined who within their organization is ultimately responsible (governance) when it comes to securing IoT devices, whether they are mobile devices, printers, thermometers, defibrillators or fetal heart monitors. Having a clear IoT security governance structure is vital for every HDO with any devices connected to their hospital’s network.

HDOs are naturally adopting innovative IoT devices to deliver first-in-class healthcare, but without the security protocols in place to protect their investment they will not be able to achieve this vision. As the attack surface widens with continued adoption, HDOs are running out of time to secure their networks accordingly. In April, a Michigan-based medical practice made headlines as one of the first in the country to close its doors as a direct result of ransomware.

Providers need a security program backed by a clear-cut governance structure to protect against malicious hackers if their goal is to take advantage of these innovations over the long term. Otherwise, they risk becoming the next HDO to shut its doors because of an attack.

Security begins with governance
Information technology (IT), information security (IS) and biomedical engineers (biomed) are the three major stakeholders. Because they all touch IoT-enabled devices in one way or another, HDOs are finding it difficult to clearly define the roles they should play in IoT security.

Each team has their own priorities for medical device security, which makes collaborating difficult:

Information Technology (IT) – IT is in charge of the network itself, and IoT devices are just one of the many assets that connect to the network. They need visibility into the kinds of assets they’re connecting to the network.
Information Security (IS) – IS’ responsibilities cover network security, which includes protecting those assets connected to the network. They need to protect all connected IoT devices and usually use existing solutions to do so.
Biomedical Engineers (Biomed) – Biomed is responsible for purchasing and maintaining medical devices. They need to ensure IoT-enabled medical devices perform as expected when connected to the network, which requires interfacing with IT, IS and device manufacturers.

Their priorities may look different, but they all map back to the same goal — protecting an HDO and its patients from cyberattacks. Unfortunately, they aren’t communicating enough to leverage their combined knowledge and resources to do so.

Ongoing, open communication between IT, IS and biomed teams is key to the success of their security program. For example, when a device manufacturer releases a patch for a newly discovered medical device vulnerability, who will receive the alert? Who is responsible for ensuring the patch is applied? If it is not applied, who is responsible for escalating it, and to whom? And what is the process? The patching process includes everything from working with the device manufacturer to deploy the patch, to coordinating internally to ensure it is properly installed and to verify that the vulnerability caused no damage before it was closed. An HDO's risk of a devastating attack automatically increases if a vulnerability is not patched in a timely manner, which is why they must have a plan in place for managing patches. This is part of their duty to provide quality healthcare while ensuring sensitive data is protected.

The question HDOs need to be able to answer without hesitation is: who is in charge of which aspect of IoT security? As they continue bringing new connected devices onto the network, medical or otherwise, knowing who is in charge falls within their responsibility to patients, families and federal regulators.

No two HDOs are alike
Each HDO should have its own, unique governance structure depending on which of the aforementioned teams are better equipped to follow through on their responsibility to secure IoT devices. HDOs should expect their structure to vary from hospital to hospital. They all have a unique mix of information systems, political structures and methodologies that define their organization. These variations are bound to result in different IoT security governance structures across providers.

IT, IS and biomed teams need to work together to determine what is necessary for each team to support their ongoing IoT security program responsibilities. While some hospitals may have a strong biomed team that can drive this initiative, another may have a stronger IT team that has more resources to support a secure hospital environment.

Each team must be open to the others’ needs, and they need to be clear about whether they have the departmental resources and bandwidth to support the program. From there, they can assign leaders accordingly and begin discussing the actual tools required.

No matter what: HDOs should remember that the team leading this charge needs to do so understanding that total medical device security requires protecting each and every IoT device connected to the network. This includes general IoT assets, clinical IoT assets and medical devices (e.g., smart cameras, smart beds and MR systems, respectively).

Biomed needs a seat at the table
Biomed must be included in security discussions. They are the team responsible for purchasing and maintaining the connected medical devices that prompted this need. Therefore, biomed has a crucial role to play regardless of their place in the IoT security governance structure.

It can be easy for HDOs to overlook their input, figuring that biomed can be looped in once the IT and IS teams have determined their strategy. But biomed has the responsibility of ensuring medical devices are performing as expected and have adequate protection from cybersecurity attacks.

With a background rooted in healthcare, biomed has the unique ability to advocate for why all devices connected to an HDO’s network require elevated security precautions. They can reinforce the need to center the program on processes and tools built specifically with healthcare in mind.

Security that puts healthcare first
The security conversation will continue to evolve as HDOs begin implementing IoT security initiatives. Regulatory bodies like DHS, FDA and HHS are tackling the issue of medical device security as we speak. As new challenges are brought to light, IT, IS and biomed teams need to work together in preparation so they are ready to address concerns and implement necessary process changes accordingly.

But before they can fine-tune their IoT security program, HDOs need to kickstart their efforts with a clear governance structure. Those that do this sooner rather than later will be better positioned to protect themselves and their patients from the next wave of IoT security challenges.

About the author: Jonathan Langer is the co-founder and CEO of Medigate