A recent Forrester Research report highlighted the security risks of connected healthcare devices and some of the implications of lax policies of manufacturers and care providers. This brings to mind for me all kinds of doomsday scenarios so I want to highlight some of the best practices in the report. These apply to the healthcare industry and other businesses.
Internet of Things
Part of the allure of the internet of things (IoT) is that many devices can be connected, including medical devices. In a recent article, author Yash Mehta highlighted some connected and potentially connected devices. On the list are monitoring devices which allow patients to be at home instead of a hospital. He also mentions companies that are developing edible IoT “smart” pills that will help monitor health issues and medication. This is an area where I would want the tightest security.
Steps for Security Planning
Start from the inside when thinking about security. Is everyone in your organization following best practices? Are you requiring passwords be changed regularly? Is everyone following this requirement or have they developed a workaround? Are there any shared accounts with a shared password? One of the biggest security holes has to do with social engineering. A hacker will pretend to be someone trustworthy to secure passwords or entrance into secure systems, then launch a widespread attack. Make sure everyone in your organization is educated and prepared for such an attempt.
Verify that the new devices have security built in from the manufacturer. This applies to health care IoT and other connected devices. It is hard to build security with no foundation. Push manufacturers to install a minimum level of threat protection in every device.
It is necessary to separate device information from actual customer details. In the case of health care, that means storing data collected from the connected device in a separate data structure than the patient data. In a retail establishment this means storing credit card information away from personally identifiable information such as customer name and address. The two can be linked via a separate ID but it should be difficult for a hacker to connect the two sources of information.
It is exciting to think of all of the possibilities with IoT devices but it is sobering to contemplate the security risks. All of us must consider and mitigate the risks, either as consumers or as part of an IT team building the tightest security possible. IoT devices are coming. Are you ready?
Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.