Guest Post

How healthcare facilities can use IoT to bolster security

As hospitals and clinics implement physical security innovations with connected IoT devices, they must also establish protocols to enforce cybersecurity for such systems.

For healthcare institutions, it is more important than ever to ensure the safety of medical personnel, patients, records, equipment and facilities. Cyber attacks on healthcare and ransomware demands are making the news, but physical security remains crucial. This is where IoT devices are making strides to help protect hospitals, clinics and the people in them.

Medical facilities use connected IoT devices for several applications to achieve local, state and federal regulatory compliance, including HIPAA and Joint Commission on Accreditation of Healthcare Organizations, or JCAHO. To address physical safety issues and mitigate on-site risks, hospitals and clinics are adopting devices and systems for access control, integrated surveillance, visitor management, patient wandering and duress detection systems.

Healthcare workers need protection

Healthcare, like other industries, added security-focused devices at blistering speed and now faces a major administrative and maintenance workload. The starting point is the installed base of networked surveillance cameras, access control systems and hacker-resistant operational sensors, all of which require automation to manage.

Most hackers that target healthcare facilities use ransomware attacks for financial gain, rather than sabotaging physical security. In one large-scale invasion of privacy, however, hackers gained access to cameras at hospitals in several states and were able to monitor patients in intensive care units.

IoT devices don't offer quick financial payoffs for hackers, so they are overlooked when it comes to maintenance and cybersecurity. That's a mistake because, once compromised, physical security devices can be the entry point for major cyber attacks.

AI can help secure healthcare facilities

Machine learning and AI play a role in newer physical security systems. Healthcare facilities can now install systems that identify people who did not enter through an authorized point or failed to register properly. This face-matching technology works without using personal data. Against such systems, a badge stolen after entry is useless to an intruder.

Many facilities need internal access control for specific building areas -- mental health and pediatrics, for example. Other AI-supported applications include duress detection, firearms detection and patient wandering.

Security gaps in medical IoT devices

Hospitals have an additional concern: how to protect the connected devices that help to protect the facility and those in it. Undeniably, there are gaps. Many healthcare facilities have no staff dedicated to cybersecurity. Given that some hospitals have annual budgets larger than those of the entire metropolitan areas in which they are located, this discrepancy must be addressed.

The cybersecurity staffing shortage could be a contributor to the two great unforced errors that consistently make devices vulnerable: failure to change passwords and the use of devices with hardcoded passwords.

Whether in hospitals, warehouses or malls, password rotation for surveillance cameras and access controls is often neglected or forgotten. It is the responsibility of the equipment owner/operator, but because it is extremely difficult to track manually, password rotation simply gets skipped in many facilities. This means a sizable portion of physical security devices share the same factory-set password for years, and it may never be updated.

As for hardcoded passwords, what should be an automatic disqualifier apparently wasn't. Manufacturers still ship hardcoded passwords, for convenience or through carelessness, and they represent a massive gift to hackers. They are often impossible to change without patching the software.

How to fortify physical security for healthcare

The battle to secure IoT-linked physical security has been raging for some time, and there are several steps for healthcare facilities to take now to strengthen their security posture:

  1. Establish 24/7, ongoing visibility of all connected devices on hospital and clinic networks. There may be hundreds or thousands of shadow devices in a large hospital.
  2. Automate security hygiene for video cameras and other security systems by implementing password rotation and facility-wide firmware updates immediately. This blocks the great majority of attacks, not just on IT infrastructure, but also for devices that sustain physical security.
  3. Segment networks of physical security devices to prevent attacks against them from spreading across device fleets or infecting the overall IT infrastructure.
  4. Some security experts are convinced that embedding hardware-level security in devices is long overdue. It's an early-days trend, with manufacturers just getting on the learning curve.
  5. Address the human component of cybersecurity. Hiring needed cybersecurity professionals is essential; it's also vital to educate healthcare staff and train them to recognize and respond immediately to attacks to minimize damage.
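As an added example that is not part of the article, the following Python audit applies steps 1 to 3 to a constructed device inventory: it flags factory passwords, overdue rotation, stale firmware and devices outside the dedicated security segments, and reports devices seen on the network but missing from the inventory (shadow devices). The 90-day rotation policy, the VLAN names and every device record are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): one record per physical security device.
@dataclass
class Device:
    device_id: str
    kind: str                 # "camera", "door_controller", "duress_sensor"
    vlan: str                 # network segment the device sits on
    password_last_rotated: date
    uses_factory_password: bool
    firmware: str
    latest_firmware: str

MAX_PASSWORD_AGE_DAYS = 90                              # assumed rotation policy
SECURITY_VLANS = {"physec-cameras", "physec-access"}    # assumed dedicated segments
AUDIT_DATE = date(2024, 3, 1)                           # fixed date so results are reproducible

def audit_device(dev: Device, today: date) -> list:
    """Return the hygiene findings for one device; an empty list means clean."""
    findings = []
    if dev.uses_factory_password:
        findings.append("factory password still in use")
    if (today - dev.password_last_rotated).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password rotation overdue")
    if dev.firmware != dev.latest_firmware:
        findings.append(f"firmware {dev.firmware} behind {dev.latest_firmware}")
    if dev.vlan not in SECURITY_VLANS:
        findings.append(f"not segmented (on {dev.vlan})")
    return findings

def find_shadow_devices(inventory: list, observed_ids: set) -> set:
    """Step 1: devices observed on the network that the inventory does not know about."""
    return observed_ids - {d.device_id for d in inventory}

def audit_fleet(inventory: list, observed_ids: set, today: date) -> dict:
    report = {d.device_id: audit_device(d, today) for d in inventory}
    report["__shadow__"] = sorted(find_shadow_devices(inventory, observed_ids))
    return report

INVENTORY = [
    Device("cam-icu-01", "camera", "physec-cameras", date(2024, 1, 10), False, "5.2.1", "5.2.1"),
    Device("cam-lobby-02", "camera", "corp-lan", date(2021, 6, 3), True, "4.9.0", "5.2.1"),
    Device("door-peds-01", "door_controller", "physec-access", date(2024, 2, 1), False, "2.0", "2.0"),
]
OBSERVED = {"cam-icu-01", "cam-lobby-02", "door-peds-01", "cam-unknown-07"}  # constructed scan result

def run_audit() -> dict:
    return audit_fleet(INVENTORY, OBSERVED, AUDIT_DATE)
```

Run `run_audit()` to get a per-device list of findings plus a `__shadow__` entry naming unrecorded devices; a clean device maps to an empty list.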

The IoT devices that are inherently vulnerable to malware and other attacks include security cameras and the other sensors and controls used for physical security. Insurance companies, the Cybersecurity and Infrastructure Security Agency and the healthcare industry have a vested interest in collaborating to set standards that protect the devices sustaining physical security at healthcare sites.

Healthcare facilities must implement and automate device security basics if they haven't done so already. Admins should also look at emerging security products, including AI-driven and hardware-based options.

As hospitals and clinics innovate to improve physical security with new connected devices and capabilities, they must keep a firm grip on the day-in, day-out essentials of cybersecurity for those very systems. They need in-house professionals armed with the right tools to automate device management and security at scale.

About the author
Roy Dagan is CEO and co-founder of SecuriThings -- provider of a solution that is redefining the way organizations manage and secure physical security devices at scale. He is an experienced security and IoT expert and industry thought-leader with over 15 years of experience in product management and business development at various successful high-tech companies. Dagan served in various positions in the Israel Defense Forces elite technological unit and holds a B.S. in computer science and management from Tel Aviv University in Israel.
