How to Keep Medical and IoT Devices Secure in Healthcare
During the pandemic, many healthcare workloads became remote, and organizations were forced to extend their networks, increasing health systems’ attack surface. Some of the workloads have stayed remote, and with new tools such as generative AI entering the landscape, maintaining a secure environment is becoming trickier.
“With generative AI, you can ask for a guacamole recipe as easily as you can upload patient data,” said Ravi Monga, CISO for healthcare at Zscaler. “The threat landscape is changing and evolving.”
Ismelda Garza, CIO of Cuero Regional Hospital in Cuero, Texas, explained that she learned early in her career that people are the hardest part of the job. Being able to educate people about security best practices — from the board and leadership to nurses, clinicians and physicians — is critical to preventing successful attacks.
However, Monga said, one problem he often sees is that education only flows one way. IT reports on risk to the CIO, and the CIO reports it to the board, but that information doesn’t flow down to clinical staff.
“That bridge needs to be built, and clinicians need to be part of the conversation,” he said.
Medical devices and Internet of Things devices play a big part in the risk equation. Laptops, servers, desktops and nearly all IT devices are protected with robust security software, but medical devices are more difficult to protect. Some may have been created by businesses that went out of business over a decade ago. If patches are available, biomedical teams may not be ready to push a patch and face downtime, according to Monga.
Monga said to think of a hospital as a house: Attackers will come to the front door, see that there’s adequate protection and look for a less protected entrance to use. Devices such as infusion pumps and smart TVs are often not protected or patched, providing an easy entryway for attackers. Taking those devices offline usually isn’t an option since clinicians need their information. As a result, those vulnerable devices give access to bad actors, who can sit in an organization’s network undetected until the right opportunity presents itself.
