IoT and Healthcare – My thoughts from HIMSS

I recently attended the HIMSS conference in Las Vegas. Tough gig, I know. It rotates between Las Vegas and Orlando. I spoke with many in the healthcare industry about their concerns around cybersecurity and IoT. In particular, IT is growing in the healthcare field and more and more devices are connected, but many of them go unprotected.

So why are they going unprotected, you might ask? Well, several reasons. There is no standard for the underlying system, and often these systems are embedded and not manageable at all. Also, even with a standard, it is difficult for healthcare staff to patch or install anything on these devices because they are used for surgery and life care, which require them to have little to no downtime whatsoever. You can’t push a patch to a system that is managing the operating table. The risk of malware is high, but not as high as the risk of death or a lawsuit from a system rebooting during a major procedure.

I am reminded of when IBM tried to corner the PC market by making a proprietary bus controller. It was meant as a way to keep new players like Compaq from succeeding. By making it harder for anyone to build systems with standard parts, they planned to be the only one left standing. You can thank the early pioneers of computing for getting together and forming the EISA and VESA bus architecture standards, their way of coming together for the benefit of all, including consumer choice, and putting a stop to that proprietary, monopoly-type practice.

So why do I go into all that PC history in this post? Simple: a similar problem is happening in the IoT space, though not necessarily because of an attempt to block a competitor. It is more a matter of systems being custom built and therefore not following any standard. IoT will go through growing pains here over the next few years.

How do I protect systems that I can’t protect with software agents and other traditional methods? You can still use the layered approach. Just because you are missing one of the layers, the system itself, doesn’t mean you ignore the entire security posture. Make sure you are dealing with any systems that you can protect through traditional means, and schedule patches and security scans appropriately. For those you cannot, you have to look at border and gateway options. Make sure the systems are behind a firewall, and even better if it has some “next-gen” capabilities. Look into a good network-based IPS like TippingPoint that can protect your systems from attacks and exploit attempts.
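As an added illustration of the gateway layer described above (not from the original post), here is a hypothetical nftables ruleset for a firewall sitting in front of a segment of unpatchable medical devices. The device subnet, the VLAN interface names, the PACS server address and the management host are all assumed values; only the flows the devices actually need are allowed, and everything else is dropped and logged so the border layer both blocks and gives you visibility.

```nft
# Assumed layout: medical devices on VLAN "vlan-med" (10.50.0.0/24), the
# rest of the network behind "vlan-corp". Devices cannot run agents or be
# patched, so the firewall is the control: default deny on forwarded traffic.
table inet medical_segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows we already allowed
        ct state established,related accept

        # Devices may send imaging to the PACS server over DICOM (TCP 104) only
        iifname "vlan-med" oifname "vlan-corp" \
            ip saddr 10.50.0.0/24 ip daddr 10.10.0.20 tcp dport 104 accept

        # Devices may resolve names and sync time via the internal resolver/NTP host
        iifname "vlan-med" oifname "vlan-corp" \
            ip saddr 10.50.0.0/24 ip daddr 10.10.0.53 udp dport { 53, 123 } accept

        # Only the vendor-maintenance jump host may reach the devices (SSH/HTTPS)
        iifname "vlan-corp" oifname "vlan-med" \
            ip saddr 10.10.0.100 ip daddr 10.50.0.0/24 tcp dport { 22, 443 } accept

        # Everything else, including device-to-corporate lateral movement,
        # is dropped and logged for the SOC to review
        log prefix "medical-segment-drop: " drop
    }
}
```

Load it with `nft -f` and watch the log prefix: any unexpected outbound flow from the device segment is an early sign that a device is misbehaving or being used as a jumping-off point.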

IoT is here and will only keep growing in all verticals, not just healthcare, and we need to make sure we are taking the steps to protect these systems. We don’t want them to cause downtime or to be used as jumping-off points into more sensitive areas of our networks and data centers. Hopefully, the industries involved will start looking at a standard for the base architecture that allows for easier methods of protection.