7 Ways to Safeguard IoT in Healthcare

By Nikhil Donde, Managing Director, Protiviti India

Globally, medical devices and Protected Health Information forming the IoT in healtchare, are an easy victim to potential malicious attacks. Through this article we discuss the safeguards required to alleviate them. 

Imagine this. There’s a robotic app or device that periodically monitors your vitals from the body sensors and based on an intricate logic, it automatically adjusts your dosage through medical devices implanted inside your body. Too far-fetched from reality? Perhaps yes. However, in a much simpler form, these things are already happening in the world of healthcare. Medical devices like scanners and life support systems are connected to your body and are monitored through remote consoles. Besides, with significant evolution in nano-technology, probes, and other medical devices have become progressively smaller in size. Sounds exciting, doesn’t it? Now consider the possibility of this network of devices getting hacked, manipulated or blocked entirely. One can only imagine the deadly repercussions of such malicious attacks.

With increasing automation and use of advanced devices in healthcare, this likelihood is becoming increasingly possible. It presents a fatal weakness in the IT environment of healthcare. While the above scenario may be an extreme case, there are several interim situations that highlight compromises and breaches in healthcare data.

The rising focus on improved patient care cost reduction, and process optimization in the healthcare industry calls for higher automation, electronic health records (EHRs) and patient management systems. An interconnected network of hospitals, insurance providers, medical specialists, and pharmacies provide multiple avenues of access to critical patient information for efficient care which can be potentially exploited due to a relatively lower security posture prevalent in the industry.

The need of the hour

However, with increased automation and use of extensive IT infrastructure, there is a dire need of IT security and enterprise architecture in the healthcare domain. It is important to understand the importance of Protected Health Information (PHI) as it contains names, addresses, certain demographical information, past and present health issues and may also be coupled with financial information like payment details due to the nature of business. When exposed, this damage cannot be revoked like financial data where a new card is issued or passcodes are changed or any compensation provided by the banks. Historically, healthcare organizations’ lower focus on cyber-security and on protecting IT infrastructure makes them easy targets. Attackers can use this information for identity theft and extortion. Usually, addressing a healthcare data breach is not only costly in financial terms but more so in reputation as doctor-patient confidentiality is compromised.

Recently, Anthem Health Insurance Provider in the US had its network server hacked. It resulted in the data breach of personally identifiable information of close to 79 million individuals. Premera Blue Cross, another health insurance provider, announced its cyber-attack just one month after the Anthem incident, affecting the data of more than 11 million members. Closer home, in 2015, India saw 32 million records compromised over 20 breaches. This shows that traditional IT security mechanism is failing to control the influx of increased cyber-attacks and data breaches.

With a focus on non-stop service and continuous business operations, securing the IT environment and more importantly, patient data is becoming a challenging task. Strict regulations put pressure on healthcare service providers in addition to maintaining a secure IT infrastructure.  With limited IT budgets, implementing secure IT policies and procedures and establishing security governance becomes challenging and makes healthcare industry susceptible to data breach and cyber security attacks. This all leads to a potent question – what can be done to provide a more secure and aware environment to protect against data breaches and safeguard patient information?

The Answer

A host of regulations already exists on information storage and usage by healthcare service providers and individuals. The Health Information Technology for Economic and Clinical Health (HITECH) Act in the US has provided more teeth to global regulations such as Health Insurance Portability and Accountability Act of 1996 (HIPAA) through increased fines and expanded applicability with mandates on compulsory disclosure. Countries like India have no clear defined regulations like that in the US or Europe. Despite organizations trying their best to adhere to certain regulations, breaches do occur.

While there is no silver-bullet to these issues, there is a host of steps healthcare service providers can take to protect their data and information assets:

1. Conduct a security and risk assessment
   
   Periodic review of existing security mechanism and infrastructure is crucial to establishing a secure environment for patient’s data. While such requirement is mandatory under HIPAA, it is always beneficial to be proactive in risk assessment as tools, technologies, and systems change over time within the healthcare domain. Inspection of every email or web transaction for PHI, monitoring effectiveness of controls over PHI, getting periodic reports on incidents and conducting incident assessments are all critical aspects of PHI risk management. Healthcare organizations and their business associates should adopt the Health Information Trust (HITRUST) Common Security Framework (CSF) Assurance Program as a practical approach to adhering to consistent industry standards to risk management.
2. Create awareness
   
   According to a recent survey by a healthcare solution company, 90 percent of healthcare organizations put employee negligence on top of concerns over cyber-attacks and mobile device security. Employees’ susceptibility to phishing emails, negligence in managing USB devices, improper use of social media and data transmission over unsecured networks can be avoided if proper awareness is created among the employees. Organizations should periodically run campaigns to create awareness on data security, define a social media usage policy and set guidelines on what kind of information can be shared over network internally or externally.
3. Strong device encryption and infrastructure
   
   With increased usage of mobile devices and open BYOD policies, healthcare organizations should implement strong endpoint and device encryptions. This also includes basic guidelines on managing the security of devices. From screen locks, non-storage of business information and device backups to device encryption, malware protection, and remote tracking, measures need to be put in place to protect PHI and company information.
4. Secure data in use
   
   Most of the data leakage issues are due to non-compliance with central company policies or flawed business practices. For a robust data management policy, firms need to secure and encrypt data at rest and in motion. Intruder detection, database logs and auditing and continuous monitoring are some of the steps organizations can take.
5. Robust physical security
   
   While digitalization of healthcare is underway, a large number of organizations still relying on paperwork for patient records. Securing paper trails of patient information is essential and periodic review of document storage centers and repositories or scanning of hardcopies into electronic format is required.
6. Security in partner management
   
   In the age of interconnected service providers, securing organization network from attacks from partner network is essential. Healthcare organization should review Third Party networks for data leakage, review SLAs, and agreements for security loopholes and work with them to minimize breach risks. Internal and external penetration testing are some of the ways organizations can evaluate the robustness of their networks and touch points.
7. Invest in securing your IT infrastructure
   
   As EHRs become the norm, healthcare organizations will have to invest in robust and secure IT infrastructure to support the caregivers. As more records go online, additional storage, network speeds, and IT security will be required. While this may sound like a considerable investment, the benefits far outweigh the costs. Caregivers will have easy access to patient information providing immediate care, less paperwork will be involved, increased efficiency and productivity, enhanced privacy and security of patient data, securely sharing information with patients and other caregivers.

While no amount of preparation can guarantee security from breaches and cyber-attacks, certain measures can definitely reduce the likelihood or extent of the damage. As automation and technology enhancements move into the healthcare domain, protecting critical Patient Health Information is becoming paramount and should be considered a key requirement for any healthcare organization.