Gamal Emara, Country Manager, UAE at Aruba, a Hewlett Packard Enterprise company, looks at how healthcare organisations can achieve a safer IoT infrastructure.
IoT devices may offer extraordinary benefits in healthcare. From improving patient outcomes, staff effectiveness and operational cost savings, it could also bring with them new security risks. Any type of connected device is a potential risk, even wireless lightbulbs, so it’s imperative that healthcare institutions do everything they can to stem the flow of malicious attackers. This calls for a multi-layered security approach to mitigate these threats.
Step one: Know your network, inside and out
To secure the network that your IoT infrastructure connects into, it’s important to know exactly what’s running on it. As more employees and users become more network savvy, it’s hard to keep track of what is being connected to the network because it’s no longer just IT professionals who are making the connections.
To combat this threat, a modern network access control solution is a great starting place, with a roles-based management and network segmentation solution. These solutions will enable network and security managers to set policies around ‘things’ and devices, meaning that not just anyone can connect to the network. On top of this, it’s also possible to set permissions on what data and applications they can access, as well as setting rules to who can manage and maintain these networks and devices.
These solutions automatically monitor connections to the network, and can isolate without the need for IT staff to action the quarantine. Assigned IT staff will then be notified to take action against the suspected malicious incident.
Step two: Users, devices and things have roles, know them
To ensure the efficient running of the network, it’s important to consider the myriad of devices that carry the ability to transmit data, locate them on the network, and consider how they could be used to create an integrated and innovative experience.
In healthcare, patient monitoring within a surgery ward could keep track of vital signs, such as heart rate, without physically attending the bedside. This ability could be critical in detecting a potential issue quicker, and taking action (for example alerting a nearby nurse) without the need for caregivers to be everywhere at once.
Clearly, this use case is integral to safe and efficient running of healthcare institutions, and it also fits into part of the IoT puzzle within healthcare, helping those running the institutions to better make use of the equipment they already have.
Step three: Use AI-enable intelligence to monitor change
By bringing devices together in a single management platform on the network, security staff are better able to take a holistic view of all equipment and begin to build smarter security policies. The unfortunate truth is that, no matter how much planning and patience is put into securing a network, threats will find their way in.
Thankfully, for organisations that want to combat this to their utmost ability, AI-based Machine Learning is becoming more sophisticated in helping to identify early and mid-threat scenarios. Sophisticated cyberattacks manifest themselves slowly over several months through leveraging analytics, this technology can spot changes in behaviour that often indicate that the profile of a user’s device is not conforming to usual patterns. In fact, a recent report showed that two thirds of breaches were perpetrated by insider actors, and not internal forces.
The combination of integrating a powerful Access Control solution, along with AI, allows suspicious devices or actors to be temporarily quarantined to support security teams to focus their precious time on analysing only the most pertinent anomalies. The savings associated with this model is allowing IT teams to rebalance their workload to a more proactive security posture.
Step four: Shape the network around better security
With the global rise of cyberattacks, there can no longer be a disconnect between network and security teams. Primary security elements must now be embedded into the network to allow more sophisticated security policies to leverage the network to gate or grant access to bandwidth.
The challenge with this, is that historically some of these features were not embedded as standard, but charged as optional extras. Therefore devices and applications where able to bypass flaws in the network design, creating exposure to risk. Today, there are far more robust security features that are deeply embedded into the wireless and wired network allowing security teams to build around this in a world where the attack surface has grown exponentially due to mobility and IoT. This requires an inside out view of the security strategy.
Step five: Don’t just use default settings
It’s surprising to find the frequency of breaches that occur as a result of not changing default credentials and passwords. The fact is, most IoT-related breaches to date were as a result of organisations failing to update these details and have suffered as a result.
Vendors are now getting wise to this and have started offering more unique options than the standard ‘admin’ and ‘password’ defaults, which, surprisingly, is well documented on the Internet. However, this does not require unique credentials for every connected device.
Instead, role-based credentials that adhere to security recommendations for character length and combinations can be supplied to all of the same devices. In healthcare, this could mean that all door locks, or heart monitors that have their set roles, can have unique credentials.
For employees, having the correct login credentials based on their roles can access certain applications depending on the context of their location, device type and organisational governance. This allows security teams to use these parameters to set policies so that when they change a number of actions can be performed; ranging from multi-factor authentication to a security software update or perhaps quarantine for further inspection.
Step six: People are usually the weakest link in security
Regardless of the technology in place, or the permission set into practice, individuals using and accessing devices remain critically important to educate, inform and monitor. Traditionally, unsafe practices are usually a result of a poor understanding and therefore, it’s key to regularly review and recertify all staff members to understand the protocols in place to keep the organisation safe.
By creating a set of processes and practices with password hygiene and prompts, employees can do their bit in ensuring the network remains safe. Password prompts that are unique to the individual is key to building a strong protective perimeter with everyone owning, and protecting their own credentials, and ultimately the network.
Step 7: Reassess and revise
No matter how much effort is put into securing the network, the work is never really complete. Instead, organisations should always look to evolve and improve their practices as new technology and recommendations become available.
This shouldn’t mean that everyone has to become experts in security. Rather, it would mean that organisations look at their vendors and partners for what is new and improving the industry. By taking all these steps security isn’t guaranteed but the healthcare organisation that takes its security hygiene seriously will mitigate for the majority of weak links whether that be people, process or technology.