BreachExchange mailing list archives

Healthcare's 'Internet of Things' should be the 'Security of Things'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 19 May 2015 19:37:16 -0600

http://www.healthcareitnews.com/blog/healthcares-internet-things-should-be-security-things

Mobile devices in healthcare institutions are giving rise to new data
security and liability risks. Connected devices – another way of describing
"The Internet of Things" – present many of the same security and privacy
breach risks, and even greater ones, because the devices are designed to
act automatically without active human direction.

Six fundamental questions therefore need to be asked about connected
devices.

1. Do the devices store and transmit data securely?
2. Do they accept software security updates to address new risks?
3. Do they provide a new avenue to unauthorized access of data?
4. Do they provide a new way to steal data?
5. Do they connect to the institution's existing IT infrastructure in a way
that puts data stored there at greater risk?
6. Are the APIs – through which software and devices connect – secure?

Healthcare technology officers, including Chief Information Officers (CIO),
Chief Technology Officers (CTO), Chief Information Security Officers
(CISO), healthcare data administrators such as the Chief Data Officer (CDO)
and Chief Medical Officers (CMO) managing a medical world of connected
devices should be focusing on these questions before they enter into
agreements with vendors, outsourcing providers and related institutions.
These executives need to recognize that connected devices and the
"Internet of Things" should be the "Security of Things."

Accordingly, existing contracts need to be reviewed and modified to provide
the requisite vendor security obligations. RFPs for new contracts should
require potential vendors to identify how security will be provided for the
Internet of Things. New contracts should be structured to provide the
security provisions that the Internet of Things requires.

Data encryption

In setting up connected device systems, healthcare institutions' agreements
with vendors (including cloud services providers) should ensure that data
traffic of the device and its software application is encrypted when
communicating over the institution's private network and over those of its
outsourcing providers and any cloud systems. The contracts should allow the
institution to audit, and require the vendors to periodically verify, that
the data is transmitted in an appropriately strong encrypted form and that
the encryption actually works on the network.

For example, an audit revealing that data is transmitted in "clear text"
indicates that contractual encryption requirements are not being followed.
Moreover, given the complexity of healthcare institutions, it is important
that industry standard encryption protocols are used so that all connected
devices connect securely. Encryption protocols that are proprietary to a
single vendor should be avoided.  The collection and transmission of
personal healthcare information, even in aggregate form, without such
protections can lead to compromise of the privacy of the data and potential
legal liability for the institution – especially if the information is
stolen or used for unauthorized purposes by unauthorized parties.
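The audit the article describes (finding that device traffic is sent in "clear text") can be made concrete. The following is an added example, not code from the article or from any vendor: it inspects the first bytes each device sends on a connection, treats a TLS handshake record as encrypted, flags printable-text payloads as cleartext, and separately flags cleartext HTTP that carries an Authorization header, since that also exposes credentials on the institution's network. The device names, ports and payloads are constructed sample data.

```python
# Added example: classify captured device connections as encrypted or cleartext
# from their first payload bytes, the kind of check a contractual encryption
# audit would run over a traffic capture. All flows below are constructed.
from dataclasses import dataclass


@dataclass
class Flow:
    device: str        # constructed device name
    dst_port: int      # destination port of the connection
    first_bytes: bytes # first payload bytes the device sent


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record header
    (content type 0x16, record version 0x0301..0x0303)."""
    return (len(payload) >= 3
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] in (0x01, 0x02, 0x03))


def looks_like_cleartext(payload: bytes) -> bool:
    """True if the first 16 bytes are printable ASCII, a strong hint of an
    unencrypted text protocol such as plain HTTP."""
    head = payload[:16]
    return bool(head) and all(32 <= b < 127 or b in (9, 10, 13) for b in head)


def audit_flows(flows):
    """Return (device, port, finding) for every flow that is not TLS."""
    findings = []
    for f in flows:
        if looks_like_tls(f.first_bytes):
            continue  # encrypted transport; nothing to report
        if looks_like_cleartext(f.first_bytes):
            if b"authorization:" in f.first_bytes.lower():
                findings.append((f.device, f.dst_port,
                                 "cleartext protocol, credentials exposed"))
            else:
                findings.append((f.device, f.dst_port, "cleartext protocol"))
        else:
            # Binary but not TLS: could be a proprietary or unencrypted
            # binary protocol; the article says to avoid vendor-proprietary
            # encryption, so this needs a human to look at it.
            findings.append((f.device, f.dst_port, "not TLS; manual review"))
    return findings


# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    Flow("infusion-pump-01", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),          # TLS ClientHello
    Flow("monitor-02", 80,
         b"POST /upload HTTP/1.1\r\nHost: ehr.example\r\n"
         b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"),              # plain HTTP + creds
    Flow("sensor-03", 1883,
         b"\x10\x12\x00\x04MQTT\x04\x02\x00<"),                      # binary, not TLS
    Flow("gateway-04", 8883,
         b"\x16\x03\x03\x00\x9a\x01\x00\x00\x96\x03\x03"),          # TLS ClientHello
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

In practice the payloads would come from a capture rather than be embedded, and the classifier is deliberately conservative: anything that is neither a TLS record nor obviously printable is reported for review rather than silently accepted.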

Authorized, secure devices

How can privacy protection be increased? In addition to the use of proper
encryption, the healthcare institution should require in the contract that
a connected device collect only the data that is required for its intended
operation, and that it permit access to the data it generates only to
authorized and authenticated individuals with a need to handle the
information; the same should be true of computer systems that handle the
data from the device.

The physical security of the device itself also should not be overlooked.
The device should be configured to prevent data storage media from being
accessed or removed, and the device itself should not be easily
disassembled. In short, building strong security to protect data during
transmission is undercut if the data can be removed from the device itself.


Credentials and password protection

As a matter of setting up a system, connected devices are initially
deployed in a form where insecure or well-known default passwords and
usernames are used. After setup is complete and before critical information
is collected and transmitted, the vendor should change the default
passwords and usernames to meet the requirements of the CIO, CISO and CDO.
Most importantly, the steady-state passwords and usernames must be able to
withstand attacks by hackers and the criminal syndicates that employ them. Further,
the connected device network should not be configured in a way that allows
authentication credentials to be exposed in data traffic over the
healthcare institution's network. This is important now that computers
communicate directly with other computers and send and receive information
without human intervention.
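A pre-go-live check for the credential requirements in this section, as an added example that is not part of the article: it reviews the accounts provisioned on each device against a list of vendor defaults and a minimum password policy, and records whether the device only authenticates over an encrypted channel. The default list, policy values and device records are constructed; a real audit would take them from the deployment records and the institution's own password standard.

```python
# Added example: audit provisioned device accounts before a connected device
# starts collecting patient data. Defaults, policy and records are constructed.
from dataclasses import dataclass

# Constructed list of well-known vendor default (username, password) pairs;
# a real list would come from the vendor documentation for each device model.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "password"),
    ("service", "service"),
}

MIN_PASSWORD_LENGTH = 12  # assumed institutional policy value


@dataclass
class DeviceAccount:
    device: str          # constructed device name
    username: str
    password: str        # the provisioned password, from deployment records
    auth_over_tls: bool  # does the device send credentials only over TLS?


def check_account(acct: DeviceAccount) -> list:
    """Return the list of policy problems for one account (empty if clean)."""
    problems = []
    if (acct.username, acct.password) in KNOWN_DEFAULTS:
        problems.append("vendor default credentials")
    if len(acct.password) < MIN_PASSWORD_LENGTH:
        problems.append("password shorter than policy minimum")
    if acct.password.lower() == acct.username.lower():
        problems.append("password equals username")
    if not acct.auth_over_tls:
        # Credentials on the wire in cleartext, the exposure the article warns about
        problems.append("credentials sent without transport encryption")
    return problems


def audit_accounts(accounts) -> dict:
    """Map each failing device to its problems; devices that pass are omitted."""
    report = {}
    for acct in accounts:
        problems = check_account(acct)
        if problems:
            report[acct.device] = problems
    return report


# Constructed sample records, not real devices.
SAMPLE_ACCOUNTS = [
    DeviceAccount("infusion-pump-01", "admin", "admin", False),       # untouched defaults
    DeviceAccount("monitor-02", "svc_monitor", "Qw7#pL2v9sXz", True), # compliant
    DeviceAccount("sensor-03", "sensor", "sensor", True),             # weak, not a listed default
    DeviceAccount("gateway-04", "gw_ops", "short1", True),            # too short
]

if __name__ == "__main__":
    for device, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(device, "->", "; ".join(problems))
```

The "password equals username" check matters because a device can fail the default-list test yet still be trivially guessable, as sensor-03 shows; the default list alone would have passed it.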

Personnel

Computer security consists of hardware, software and people. Disgruntled
and former employees, both of the institution and the vendor and its
subcontractors, can be a source of unauthorized disclosure. Good personnel
practices are important, and repeated audits are necessary to enable early
discovery. This factor is especially important at the computer network
administrator level, as that role poses an elevated risk to the
institution.

Conclusion

Finally, healthcare institutions should enter into agreements with vendors
that require the connected devices to be updated with improved security
over time and that the updates are tested and verified before being put
into use. Given the nature of healthcare data and potential legal liability
for resulting data breaches, the "Internet of Things" at healthcare
institutions and the contracts that cover them need to constitute a
"Security of Things."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss