Addressing the Healthcare IoT Device Security Problem

Stephan Goldberg

Stephan Goldberg

Jul 24, 2020


Remote working is here to stay. A recent Wall Street Journal article reported that “companies across the economy are considering a permanent shift to remote work in the aftermath of the coronavirus,” noting that “LinkedIn recorded a 28% increase in remote job postings and a 42% increase in searches using the terms ‘remote’ or ‘work from home.”

Within healthcare, remote working equates to more telehealth, as physicians conduct virtual consults and visits to accommodate the need to maintain physical distancing. In fact, many experts estimate the global pandemic has accelerated telehealth adoption by almost a decade. A new Frost and Sullivan report predicts that telehealth “uptake will increase by 64.3% nationwide this year.” They go on to “forecast a sevenfold growth in telehealth by 2025, which is a five-year compound annual growth rate of 38.2%.”

Why the move to telehealth matters

The reason that telehealth adoption is so important – beyond changing the way we think about how care can be delivered – is that it increases the attack surface of healthcare delivery providers (HDOs). Every new camera, care robot, or patient monitor creates a new attack vector – a new potential entry point to the clinical network.

Considering the global Internet of Medical Things (IoMT) market is expected to grow to $158 billion by 2022, and the use of general IoT within healthcare is expected to also expand to support facilities and operations, there are a lot of devices that HDOs need to start managing and protecting. Unfortunately, there is no time to waste. Last year, a survey revealed that 82% of healthcare organizations had already experienced an IoT-focused attack. This year, in the midst of a pandemic, attackers have been taking advantage of the chaos to double their efforts – INTERPOL has detected increased cyberattack activity against hospitals around the world engaged in responding to COVID-19.

What can be done to protect health systems from IoT threats?

We just did a webinar, “Protecting Healthcare IoT Devices and Networks,” where I sat down with Russ Shafer, product marketing director of security platforms for Check Point, and Itzik Feiglevitch, product manager for IoT Security for Check Point, to discuss the challenges and solutions available to hospitals to keep their data and operations safe. The main takeaways:

  • Medical devices require clinically-vetted security measures: Many medical devices use proprietary medical protocols that require specialized medical expertise to decode and understand. Often, they have no built-in security, weak passwords, and vulnerable legacy OSes, which make them easy to hack. However, normal security measures, such as patching, scanning, or loading a security client, can’t be easily applied to medical devices, due to their operational limitations. For example, those involved in the delivery of patient care can’t be updated or interrupted, so the timing of any measures need to be carefully planned. What this means is that whatever is used to manage and secure these devices must understand and take into account the clinical context of each device.
  • HDOs need complete IoT device visibility and risk analysis: Every device needs to be discovered and classified to understand at a very detailed level what it is, what it is doing, and what risk it may pose to the organization.
  • All devices need to be managed and protected: Even devices that can’t be immediately patched need to be defended. This starts with preventing unauthorized access and traffic with malicious intent from ever reaching IoT and medical devices in the first place. It is bolstered by network protection, such as zero-trust network segmentation and management that prevents infected devices from compromising other devices and network elements. This takes applying and enforcing granular security rules across the entire IoT network fabric based on device attributes, risks and protocols.

If you would like to learn more about how Check Point and Medigate are joining forces to deliver the capabilities HDOs need to identify the IoT security risks across their network and enforce multi-layered protections at the network and device levels to create a zero-trust security stance, please listen to the webinar or check out Check Point’s press release.