“Scary” number of healthcare IT execs put faith in inadequate IoT security

More than 70 percent of healthcare IT decision makers (ITDMs) believe that traditional security products can secure IoT-connected medical devices.

That’s according to a survey of 200 healthcare ITDMs by IT security company ZingBox, fielded earlier this month.

The survey found that more than 90 percent of healthcare IT networks have IoT devices – such as infusion pumps or glucometers – connected to them.

Unwarranted confidence?

The large majority of the IT decision makers surveyed believe that the same products used to secure laptops and servers are sufficient to secure IoT-connected medical devices. They also believe that the same technologies can detect irregularities in network traffic.

In addition, 76 percent of healthcare ITDMs said they were confident or very confident that all devices connected to their network are protected.

Xu Zou, CEO and co-founder of ZingBox, said that the survey results demonstrated the confusion and misconceptions that abound in the healthcare industry about how best to secure connected medical devices. He believes that these organizations need a deeper understanding of what he calls the unique individual personalities of IoT devices.

“IoT technology presents special challenges to a healthcare organization’s ability to protect itself from both insider threats as well as external cyber-attacks across a wide range of attack vectors, as demonstrated by the most recent WannaCry ransomware and NotPetya wiperware attacks. As these attacks continue to step to the forefront, companies deploying IoT devices need to be more cognizant than ever of their security measures,” he said.

Scary conclusions

Chris Longbottom, analyst at IT advisory company Quocirca, said that the results were “scary”.

“As has been seen time and time again, security across healthcare is barely managing to deal with existing security attacks. To assume that, as the attack surface grows rapidly with thousands to millions of new devices coming online, existing approaches to security will be sufficient, is to all intents and purposes, insane,” he said.

The views of Zou and Longbottom, that existing security solutions are not good enough to protect IoT devices, are echoed by Ian Hughes, analyst of IoT at enterprise and technology advisory organization 451 Research.

“Laptop and mobile security products are only relevant to IoT security if those devices are acting as the sole gateway to the IoT endpoint,” he said.

“If the IoT devices are attached to a wider network, as is likely, they need their own security treatments. An insecure or vulnerable device attached to a network can be used to bypass other security procedures,” he added.

Hughes warned that unknown devices, masquerading as known types of device, can provide spurious data or intercept valuable information.

“Every IoT device should be considered as a complete computing device attached to the network and secured, patched and serviced accordingly. Healthcare in particular looks to prevent disease, not simply treat it; cyber security is a preventative measure for the health of the organization,” he said.

Lawyers have also warned healthcare IoT device manufacturers to sit up and take notice of the incoming EU General Data Protection Regulations.