Healthcare Security: The IoT Risk

Increased use of IoT in the healthcare industry leads to new cybersecurity risks that can compromise device security, data security, and patient privacy.

As the healthcare industry increasingly adopts the Internet of Things (IoT) to improve patient health outcomes, it also exposes data to new cybersecurity risks. In September 2018, the National Institute of Standards and Technology (NIST) published a draft NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.” The implication for healthcare providers integrating IoT into their care plans is that they need to protect device security, data security, and patient privacy.

What are Examples of IoT in Healthcare?

Healthcare providers use IoT to provide better patient care. However, to do so, they need to be thoughtful about the way in which they incorporate IoT strategies and secure electronic protected health information (e-PHI).

Cancer Treatment

Bluetooth-enabled weight scales and blood pressure cuffs, paired with symptom-tracking applications, send daily updates to doctors. Research shows that, as a result, patients experience less severe symptoms.

Insulin Pens

Diabetics often use a Continuous Glucose Monitor (CGM) to track their glucose levels around the clock. These devices then connect to smartphone and smartwatch applications, providing better monitoring for detecting trends.

Insulin Delivery

The Open Artificial Pancreas System (OpenAPS) monitors glucose levels and automatically adjusts insulin delivery to keep blood glucose levels within a safe range.

Asthma Inhalers

Smart inhaler technology uses sensors to work with inhalers so that asthmatics can more consistently and regularly take medication.

Parkinson’s Disease

Apple’s ResearchKit included a “Movement Disorder API” that helps monitor Parkinson’s Disease symptoms, easing the daily diary process and aiding research.

What Are the Cybersecurity Risks of IoT in Healthcare?

NIST detailed three differences between medical IoT and traditional IoT.

The Way Medical IoT Devices Interact with the Physical World

NIST outlined that IoT healthcare devices change physical systems and affect them differently. Therefore, their operational requirements for performance, reliability, resilience, and safety may not align with the cybersecurity and privacy practices used for traditional IoT devices.

The Way Medical IoT Devices Are Accessed, Managed, or Monitored

Since these devices may require manual tasks, staff may not have the necessary knowledge and tools for addressing the new risks. Additionally, manufacturers and third parties having remote access or control can lead to new risks.

The Cybersecurity and Privacy Protections Necessary for Maintaining Availability, Efficiency, and Effectiveness

Because of the different ways in which medical IoT devices connect to the physical world and the information they store, transmit, and process, additional controls may need to be implemented to mitigate risks. However, these controls are not necessarily available.

What are the High-Level Cybersecurity Risk Mitigation Goals?

Although similar to the Health Insurance Portability and Accountability Act (HIPAA) risks, the risks of medical IoT come with new struggles.

Protect Device Security

Distributed Denial of Service (DDoS) attacks and eavesdropping attacks can compromise the devices’ availability, accessibility, and confidentiality, leading to a loss of data integrity or even affecting human lives.

Protect Data Security

Failing to protect the confidentiality, integrity, and availability of the personally identifiable information (PII) that the devices store, transmit, collect, or process can lead to data breaches.

Protect Individuals’ Privacy

Compromised PII can directly impact individuals.

What are Risk Mitigation Strategies for Protecting Device Security?

To protect device security, NIST suggests four risk mitigation strategies.

Asset Management

Healthcare providers need to maintain current, accurate inventories of all IoT devices throughout the devices’ lifecycles.

Vulnerability Management

To protect the devices, healthcare providers need to review software and firmware for known vulnerabilities.

Access Management

To prevent unauthorized or improper physical and logical access to, use of, or administration of IoT devices, healthcare providers need to ensure appropriate access management strategies.

Device Security Incident Detection

Healthcare providers need to continuously monitor IoT devices for potential security incidents.

What are the Risk Mitigation Strategies for Protecting Data Security?

NIST lists two strategies to prevent data security incidents.

Data Protection

Data at rest and data in transit need to be protected against exposure of sensitive information and against compromise of its integrity.

Data Security Incident Detection

Healthcare providers need to continuously monitor IoT device activity for potential data breaches.

What are the Risk Mitigation Strategies for Protecting Individuals’ Privacy?

NIST lists five strategies for protecting patient privacy.

Information Flow Management

Healthcare providers need to create mappings that show PII lifecycles, incorporating the data action type, the PII elements processed, the party processing the PII, and any other contextual factors that could compromise privacy.

PII Process Permission Management

Permissions governing PII processing need to prevent unpermitted processing.
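The information flow map and the processing permissions described above can be kept as data and checked against each other. The following is an added example, not code from the original post or from NIST: it models a constructed CGM-to-phone-to-clinic pipeline (device, party and element names are hypothetical), records each data action with the NIST-style fields named above, and flags any party processing PII elements it has no permission for.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PiiFlow:
    action: str          # data action type: collect, store, transmit, process
    elements: frozenset  # PII elements handled by this action
    party: str           # party performing the action
    context: str         # contextual factor noted in the map

# Constructed permission policy: which party may perform which action on which elements.
PERMISSIONS = {
    ("cgm_sensor", "collect"): {"glucose_reading", "timestamp", "device_id"},
    ("patient_app", "store"): {"glucose_reading", "timestamp", "device_id", "patient_name"},
    ("patient_app", "transmit"): {"glucose_reading", "timestamp", "device_id"},
    ("clinic_ehr", "store"): {"glucose_reading", "timestamp", "patient_name", "mrn"},
    # Third-party trend analysis is only permitted on de-identified readings.
    ("analytics_vendor", "process"): {"glucose_reading", "timestamp"},
}

# Constructed information flow map for the hypothetical pipeline.
FLOWS = [
    PiiFlow("collect", frozenset({"glucose_reading", "timestamp", "device_id"}), "cgm_sensor", "Bluetooth to phone"),
    PiiFlow("store", frozenset({"glucose_reading", "timestamp", "device_id", "patient_name"}), "patient_app", "on-device storage"),
    PiiFlow("transmit", frozenset({"glucose_reading", "timestamp", "device_id"}), "patient_app", "TLS to clinic API"),
    PiiFlow("store", frozenset({"glucose_reading", "timestamp", "patient_name", "mrn"}), "clinic_ehr", "EHR database"),
    PiiFlow("process", frozenset({"glucose_reading", "timestamp", "patient_name"}), "analytics_vendor", "third-party trend analysis"),
]

def unpermitted_flows(flows):
    """Return (party, action, extra_elements) for every flow that exceeds its permission."""
    violations = []
    for f in flows:
        allowed = PERMISSIONS.get((f.party, f.action), set())
        extra = f.elements - allowed
        if extra:
            violations.append((f.party, f.action, sorted(extra)))
    return violations

def lifecycle(flows, element):
    """Return the ordered (party, action) steps that touch one PII element."""
    return [(f.party, f.action) for f in flows if element in f.elements]

if __name__ == "__main__":
    for party, action, extra in unpermitted_flows(FLOWS):
        print(f"unpermitted processing: {party} may not {action} {extra}")
    print("patient_name lifecycle:", lifecycle(FLOWS, "patient_name"))
```

The last flow is flagged because the vendor receives `patient_name`, which the policy reserves for the app and the EHR; the lifecycle query shows every step where that identifier would need to be removed to keep the vendor's data disassociated.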

Informed Decision Making

Patient users need to understand the potential data breach incidents that could occur from using the devices, including how to resolve problems.

Disassociated Data Management

With more users and locations that store information, healthcare providers may lack the ability to manage authentications.

Privacy Breach Detection

Healthcare professionals need to continuously monitor device activity for signs of data breaches.

How the Cybersecurity Risks in Healthcare IoT Impact Practitioners

Managing these new cybersecurity risks may prove overwhelming for many practitioners. Following the best practices set out by NIST can mean adopting new technologies to maintain security control effectiveness. Looking to the future, practitioners may need to think about:

  • Maintaining multiple asset management systems
  • Performing asset management tasks manually
  • Implications of risks arising from external software and services
  • Current risk management program effectiveness
  • Remote access to devices to manage them
  • Ability to maintain vulnerability management programs
  • Inability to manage or remove known vulnerabilities
  • Need for multiple vulnerability management systems
  • Need to manually install security updates
  • Inability to use automation for continuous monitoring
  • Inability to authenticate users and manage identities

While the use of IoT in healthcare can lead to better patient care outcomes, it also creates risks that a practitioner may not be able to mitigate. In short, the cost-benefit analysis may require providers to choose between patient physical health or patient data health.

How Zeguro Helps Protect the Healthcare Industry

We understand that our healthcare providers’ primary interest is keeping patients healthy. To do that, they want to provide the best Do No Harm care possible. Unfortunately, using IoT may lead to unintended harm. This is why we created an end-to-end, security-first solution enabling small and mid-sized practices to maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA). We help you identify risks, create policies that govern your security controls, monitor their effectiveness, and direct you toward an end-to-end cyber insurance policy that fits your needs. Get a free insurance quote today!

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Written by Karen Walsh, Contributing Editor

14 years of internal audit experience; award-winning writing professor. Cybersecurity writer focused on compliance and end-user awareness.