The Internet of Things (IoT) is described as a network of physical devices that uses connectivity to enable the exchange of data. These IoT devices are not necessarily intricate technological advancements. Rather, they streamline processes and help healthcare workers complete tasks in a timely manner. IoT-enabled medical technologies, also referred to as the medical IoT (MIoT), provide and assess critical data that assist healthcare workers in making informed decisions.
While the benefits of these IoT-enabled medical devices are innumerable, the same devices carry potential cybersecurity risks, perhaps even more than non-IoT-enabled devices. Like many other computer systems, they are vulnerable to breaches potentially impacting safety and effectiveness of the device and its users.
The IoT has come a long way, and in recent years we’ve seen its exponential growth in the healthcare space. With this increased use of the MIoT, healthcare technology management (HTM) professionals need to keep up with and adapt to working with new technologies to manage them efficiently. One way to manage these MIoT devices efficiently is through an automated and intuitive technology solution.
There are many vendors in the information technology world that offer these services. The industry has progressed so much that you don’t even need physical devices to install these solutions. Much of it can be done through virtual machines and on the cloud. This software passively scans the network without disrupting the devices or network activity. It parses the network metadata to automatically classify, manage, and safeguard MIoT devices.
The network metadata/NetFlow data is literally “data about the data.” Analyzing this network metadata can reveal interesting information about your network and uncover misconfigurations, policy abuses, operational devices, operating systems, hypervisors, databases, tablets, phones, web servers, cloud applications, and security incidents, all of which are very hard to uncover while managing MIoT devices in the more traditional manner.
There are tools available to network security analysts that help decipher the vast amount of network metadata. For example, vendor solutions will do the work of a network monitor (NM) and log correlation engine (LCE), both of which run on a system that is connected to a network SPAN port. This system listens to all the network traffic and reports on the connections.
Typically, the network interface is connected to a SPAN port on a switch, which allows it to see more than just its own traffic. The beauty of these vendor solutions is that they can be installed on any supported operating system. Prior to installation, you can configure the solution to select the appropriate network interface and select the server to send the data to. You can also specify the networks to include or exclude from monitoring.
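As an added illustration (not code from any vendor product or from the original article), the sketch below shows how passively collected flow metadata can be turned into a device inventory while honoring include and exclude networks. The flow records are constructed sample data, and the port-to-role hints and function names are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Assumed heuristics for this example: destination port -> likely device role.
ROLE_HINTS = {104: "DICOM imaging", 2575: "HL7 interface"}
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}

# Constructed sample flow records: (src, dst, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.9.5", 104, "tcp", 48211),
    ("10.20.1.15", "10.20.9.5", 104, "tcp", 51200),
    ("10.20.1.22", "10.20.9.8", 2575, "tcp", 900),
    ("10.20.1.22", "203.0.113.40", 23, "tcp", 310),
    ("10.20.2.7", "10.20.9.5", 443, "tcp", 1200),     # source in excluded subnet
    ("192.168.50.3", "10.20.9.5", 104, "tcp", 700),   # source outside included range
]

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def in_scope(ip, include, exclude):
    """True if ip is inside an included network and not inside an excluded one."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in include) and not any(addr in n for n in exclude)

def build_inventory(flows, include_cidrs, exclude_cidrs=()):
    """Aggregate flows per monitored source device; no packets are sent to any device."""
    include, exclude = nets(include_cidrs), nets(exclude_cidrs)
    inv = defaultdict(lambda: {"roles": set(), "peers": set(),
                               "bytes": 0, "findings": set()})
    for src, dst, port, _proto, nbytes in flows:
        if not in_scope(src, include, exclude):
            continue
        dev = inv[src]
        dev["peers"].add(dst)
        dev["bytes"] += nbytes
        if port in ROLE_HINTS:            # classify by the service the device talks to
            dev["roles"].add(ROLE_HINTS[port])
        if port in CLEARTEXT_PORTS:       # possible insecure configuration
            dev["findings"].add(f"cleartext {CLEARTEXT_PORTS[port]} to {dst}")
        if not any(ipaddress.ip_address(dst) in n for n in include):
            dev["findings"].add(f"traffic leaves monitored networks: {dst}")
    return dict(inv)

if __name__ == "__main__":
    result = build_inventory(SAMPLE_FLOWS, ["10.20.0.0/16"], ["10.20.2.0/24"])
    for ip, dev in sorted(result.items()):
        print(ip, sorted(dev["roles"]), dev["bytes"], sorted(dev["findings"]))
```

Findings produced this way are leads for review against policy, not confirmed incidents; a port number alone does not prove what a device is.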
All this said and understood, here’s a summary of responsibilities for HTM professionals so we can keep up with this exponential growth of technologies in healthcare:
- Participate in policy and procedure development and refinement as applicable to MIoT.
- Take a seat at the governance committee that establishes standards and best practices and evaluates technologies for compliance.
- Understand vulnerability management and work with IT pillars to establish a process that is easy to implement and sustain.
- Get familiar with Department of Defense data destruction techniques, learn about the tools that information security professionals use, and educate HTM staff on their relevance and application.
- Participate in supply chain and clinical activities that discuss clinical workflows and the medical technologies that clinicians want to purchase, and that evaluate contracts for data and system security as well as maintenance management.
- Participate in risk management and legal activities as applicable to MIoT.
This is a new and exciting challenge for all of us in HTM, and we have fantastic vendor solutions to manage MIoT devices as well as close-knit IT partners that are willing to help us learn.
For those thinking of vendor solutions or even working through proof-of-concept implementations in a healthcare delivery organization, you’ll want this tool to have the ability to:
- Identify and manage virtually any number of MIoT devices, as well as keep track of new additions to the network along with affected data flows.
- Extend the existing risk assessment program to MIoT devices and manage risks posed by legacy devices.
- Monitor the health of the MIoT devices in near real time.
- Identify insecure configurations, non-compliance with policies, security events, and incidents in a timely manner, as well as aid development of secure management strategies.
- Produce meaningful compliance reports and add intelligence to asset management practices.
- Assess device utilization to enhance maintenance strategies and predict failure events.
- Integrate and parse data from network access control (NAC) tools, security information and event management (SIEM) tools, and computerized maintenance management systems (CMMS) that will help streamline workflows and provide efficient documentation.
Several technology vendors offer the above and more, so it can be overwhelming and even tedious to select a solution that fits all these needs and wants. While the technical capabilities of most of the platforms are on par with each other, what really helps them earn purchasing decision “brownie points” is their ability to provide:
- Continuous engagement with regular updates.
- Superior quality customer service through technical and project support.
- Ease of implementation for a proof-of-concept and a full-scale deployment.
I find it interesting and impressive when vendors are open and authentic about their ideas, experiences with prior implementations, and the lessons learned. I think it relaxes the skepticism by helping to establish trust. In a partnership, that goes a long way!
Priyanka Upendra is compliance program director at Banner Health and a member of the AAMI’s Technology Management Council, Awards Committee, Nominating Committee, and BI&T Editorial Board and an Executive Board Member of ACCE.