IoT Medical Devices Cyber Security – Diagnosis and Dispensing


Now that we are fully engrossed in the cyber age, there are rapid advances across the board for all things connected to the Internet, and IoT medical devices cyber security is no exception. These devices, often called “The Internet of Things,” or IoT, have certainly made much of life much easier. For the medical profession, IoT has certainly become a simple, safe and easy way to monitor patients away from a clinical setting.

This is all fine and good, but there is a fundamental question of IoT that needs answering: Are these devices safe and secure when away from a closed environment? This article is going to address the issues home devices face and possible ways to prevent cyber attacks and/or hacking.

Dispensing for IoT Medical Devices Cyber Security

The number one concern of healthcare professionals looking at and addressing potential problems is HIPAA. This protection act of 1996 means patients under the care of physicians have a reasonable expectation of privacy and are protected under a patient/medical professional relationship. IoT’s are free from human intervention by and large.

This means the patient carrying the device is completely removed from interacting with it on any level. Most of the IoT medical devices are used strictly for monitoring, data collection and medical dispensing. They are passive because the medical professionals are looking for as true a baseline as possible, and monitoring is only effective when the patient is at ease with or completely unaware of the device. This lack of concern in cyber security for medical devices is the problem.

ISSUES AT STAKE

The information transmitted, no matter how insignificant at the time, could be used to gain identity information. The IoT’s are often coded to the patient with a name, number and medical coding information. All that would be needed is access to the information on the device, and personal, private information is available. This includes social security numbers, medical information and possible fiscal information to boot. This compromised information is enough to wreak havoc on a medical practice, hospital or medical equipment distributor – if not all of them in conjunction – all because of a HIPAA violation.

Solutions for IoT Medical Devices Cyber Security

While computers have software to keep them from attacks, these medical devices do not. There is scant little that can be done if malfeasance is intended. A skilled and determined computer hacking specialist with an understanding of IoT’s can quickly and easily undermine their basics. Doing so would cause serious issues for the medical professional monitoring the patient and for the patient, who could, as a result, receive incorrect treatments and/or medications. Because the information could not be tracked back to a source, this could potentially open a flood of medical malpractice suits, and there would be little the medical professional could provide as a substantial defense.

POTENTIAL SOLUTIONS

Medical administration in conjunction with information teams and network security specialists should realize there needs to be a move from the “Internet of Things” to “Security of Things” to protect themselves, their practices and patients from hacking. There are a few things that could be considered.

DATA ENCRYPTION

Safe and secure encryption should be at the forefront. As more and more medical practices move from paper to online and cloud patient records, the same can be said for IoT’s. Signed contracts with network encryption professionals about software and the devices themselves should be a first step. Each contract should include audits, verifications and regular testing to ensure the validity and security of the data on the IoT.

AUTHORIZED DEVICES

A Holter monitor is one of these IoT’s. Its purpose is to collect a 24-hour EKG for cardiac patients in various settings for the best possible heart function in normal settings. The contract should provide for each device to collect only the necessary information and nothing more. Systems that download, read or output the information are additionally a part of the contract.

To address needed IoT medical devices cyber security, the device should be built in such a way that any tampering of any sort is quickly noticed and/or built in such a way that the device immediately informs the medical professionals. Patient contracts protecting the device are also a sound idea.

The physical security of the device itself also should not be overlooked. The device should be configured to prevent data storage media from being accessed or removed, and the device itself should not be easily disassembled. In short, building a strong security to protect data during transmission is undercut if the data can be removed from the device itself. 
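One way a device could make tampering with stored readings quickly noticeable, shown as an added example that is not from the original article or from any vendor: each reading carries an HMAC chained to the previous record, so an edited, removed or truncated record fails verification on the clinic side. The key, the field names and the `expected_count` parameter are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real device would hold its key in protected storage.
DEVICE_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor used for the first record


def _tag(prev_tag: str, body: dict) -> str:
    """HMAC over the previous tag plus a canonical encoding of this record."""
    msg = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def append_reading(log: list, seq: int, heart_rate_bpm: int) -> None:
    """Device side: store only what is needed (no patient name or number)."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": seq, "hr": heart_rate_bpm}
    log.append({"body": body, "tag": _tag(prev, body)})


def first_tampered(log: list, expected_count: int):
    """Clinic side: index of the first bad record, or None if the log is intact.

    Checks the sequence numbering, each chained tag, and that no records
    were cut from the end (expected_count is assumed to arrive out of band).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["body"].get("seq") != i:
            return i
        if not hmac.compare_digest(rec["tag"], _tag(prev, rec["body"])):
            return i
        prev = rec["tag"]
    return None if len(log) == expected_count else len(log)


def build_sample_log() -> list:
    """Constructed sample data: five heart-rate readings."""
    log = []
    for seq, hr in enumerate([72, 75, 71, 140, 74]):
        append_reading(log, seq, hr)
    return log
```

A non-`None` result from `first_tampered` is the point at which the reading system would alert the medical professionals rather than display the data.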

CREDENTIALS

No one but a medical professional can dispense medical advice, so only those who will be reading the results need access to the data contained thereon. All information should only be retrieved from a secure server under select passwords. Focusing on cyber security for IoT medical devices, only the absolutely necessary individuals outside of those interpreting the data need access to any element of the entire procedure.

PERSONNEL


Proper training for every step only makes sense. All medical professionals are bound under an ethics code with severe penalties for infringement. There have not yet been any serious attacks on medical IoT’s.

When it will happen is the question. Ideally, every possible step should be covered; however, there is no guarantee of anything until an attack.

What are your thoughts and opinions on the issue of IoT medical devices cyber security, and what steps in addition to those mentioned would be a necessary part?

 

Mobile BYOD Security IT Best Practices


Mobile BYOD security is always an issue for IT and security.  Going online increasingly means going mobile. "There's an app for that" is the truth these days. Unfortunately, mobile device security brings the same set of concerns that full computer and cloud systems are battling – threats, hacking, and ransomware.

The biggest security threat to mobile devices that is not found in desktops or servers is that very mobility. In mid-2015, 2.1 million Americans reported their mobile phones lost or stolen according to Consumer Reports.  That's a drop. Add tablets and the count is higher, but still less than what it has been. CR doesn't try to say why the number of missing devices is down.

Mobile BYOD Security in the Work Environment

The ability to wipe data or lock down a smartphone was considered high end security. Apple led the pack in that kind of security, but even the vaunted iPhone was hacked. It's probably easier than you think. "More than 86% of Apple iPhones in the world are apparently still vulnerable to a security flaw that allows a hacker to completely take over the device with just a text message, according to data from mobile and web analytics firm MixPanel," said a report at Business Insider.

It does not matter if your work environment is BYOD or company-supplied. Once the mobile device is gone, expect it to be hacked.  Think a remote wipe of the mobile device is going to protect your information? It won't. A quick google on "recover lost data from smartphone" turned up plenty of companies selling information-recovery software.

YouTube also has plenty of videos teaching people how to recover files from a smartphone. While these tutorials are aimed at helping someone find and restore "lost" photos or text messages, there's not a real difference between a picture of someone's kids at the park and a file with a client's payment information. Data is data.

Some of these ideas are worth adding to your company's mobile BYOD security policies.

  1. Lock it. Set a strong passcode or password on company-supplied devices. The more numbers used, the better. Get the IT staff to set passwords or codes. A lot of employees, if allowed to do it themselves, will choose something simple or something personal like a birthday for numbers or children's names for passwords. For BYOD either limit access to sensitive information or have IT set strong codes for access to those files.
  2. Auto erase after failed unlocks. Restoring deleted data is cheaper than covering losses from a hack.
  3. No public charging stations. Viruses and malware at public charging stations have been around for years. CNBC said the problem is getting worse. "Here is how it works: The cybercriminal needs to hide an HDMI [high-definition multimedia interface] splitter and recorder in the charging station. Most smartphones are now HDMI-enabled so you can share images from the phone onto a TV. Once plugged in, the station uses the built-in HDMI to record everything done on the smartphone without the user's knowledge."

None of these are guaranteed to stop a dedicated hacker when it comes to mobile device security.   But they will frustrate someone who stole the phone or tablet and hoped for an easy score. They can also create enough of a delay for you to lock out the device from your system and alert any customers whose information may be compromised.

Enable Stronger Mobile BYOD Security

The US Computer Emergency Readiness Team (CERT) says mobile hacks are steadily climbing. The report lists things to do to protect mobile devices.  CERT's best security ideas are:

 

  • Don't put sensitive information on mobile devices. May not be practical, but this is the best mobile BYOD security policy.
  • Limit the type and number of apps allowed on a mobile device. For a BYOD, this could be problematic. If you are in a BYOD environment, have the employee sign an agreement allowing the IT department to lock company information and restrict access to it.
  • Step up the basic access to the phone with longer pass codes and more complicated passwords.
  • Disable Bluetooth, infrared and Wi-Fi.

Mobile may not be part of your company's business model right now, but it is coming. If you already have it, what are you doing to make things secure? What's in your company's written mobile device policy? How do you enforce it? How do you monitor the devices, especially if you are BYOD?
