Priyanka Upendra: Understanding MIoT Security

The Internet of Things (IoT) is described as a network of physical devices that uses connectivity to enable the exchange of data. These IoT devices are not necessarily intricate technological advancements. Rather, they streamline processes and help healthcare workers complete tasks in a timely manner. IoT-enabled medical technologies, also referred to as the medical IoT (MIoT), provide and assess critical data that assist healthcare workers in making informed decisions.

While the benefits of these IoT-enabled medical devices are innumerable, the same devices carry potential cybersecurity risks, perhaps even more than non-IoT-enabled devices. Like many other computer systems, they are vulnerable to breaches that can affect the safety and effectiveness of the device and its users.

The IoT has come a long way, and in recent years we’ve seen its exponential growth in the healthcare space. With this increased use of the MIoT, healthcare technology management (HTM) professionals need to keep up with and adapt to working with new technologies to manage them efficiently. One way to manage these MIoT devices efficiently is through an automated and intuitive technology solution.

There are many vendors in the information technology world that offer these services. The industry has progressed so much that you don’t even need physical devices to install these solutions. Much of it can be done through virtual machines and in the cloud. This software passively scans the network without disrupting the devices or network activity. It parses the network metadata to automatically classify, manage, and safeguard MIoT devices.

The network metadata/NetFlow data is literally “data about the data.” Analyzing this network metadata can reveal interesting information about your network and uncover misconfigurations, policy abuses, operational devices, operating systems, hypervisors, databases, tablets, phones, web servers, cloud applications, and security incidents, all of which are very hard to uncover while managing MIoT devices in the more traditional manner.

There are tools available to network security analysts that help decipher the vast amount of network metadata. For example, vendor solutions will do the work of a network monitor (NM) and log correlation engine (LCE), both of which run on a system that is connected to a network SPAN port. This system listens to all the network traffic and reports on the connections.

Typically, the network interface is connected to a SPAN port on a switch, which allows it to see more than just its own traffic. The beauty of these vendor solutions is that they can be installed on any supported operating system. Prior to installation, you can configure the solution to select the appropriate network interface and the server to send the data to. You can also specify the networks to include or exclude from monitoring.
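The classification step described above, sketched as an added example that is not taken from any vendor product or from the original article: it groups flow metadata by source device, honors an include/exclude network list, and flags cleartext protocols and traffic leaving the monitored networks. The flow records, network ranges, and port-to-role mapping are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dst_port); not captured traffic.
FLOWS = [
    ("10.20.1.15", "10.20.9.5", 104),     # DICOM to an imaging archive
    ("10.20.2.40", "10.20.9.8", 2575),    # HL7 over MLLP
    ("10.20.2.40", "203.0.113.7", 23),    # Telnet to an outside address
    ("10.99.0.3", "10.20.9.5", 445),      # source in an excluded network
    ("192.168.50.2", "10.20.9.5", 80),    # source outside the include list
]

# Assumed monitoring scope: networks to include and exclude.
INCLUDE = [ipaddress.ip_network("10.0.0.0/8")]
EXCLUDE = [ipaddress.ip_network("10.99.0.0/16")]

# Registered ports used here as role hints; a port alone is not proof.
ROLE_BY_PORT = {104: "DICOM", 11112: "DICOM", 2575: "HL7"}
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}


def _member(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def in_scope(ip):
    """True when the address is included and not explicitly excluded."""
    return _member(ip, INCLUDE) and not _member(ip, EXCLUDE)


def build_inventory(flows):
    """Group flows by in-scope source device and record roles and findings."""
    inventory = defaultdict(lambda: {"roles": set(), "peers": set(), "findings": set()})
    for src, dst, port in flows:
        if not in_scope(src):
            continue  # outside the configured monitoring scope
        device = inventory[src]
        device["peers"].add(dst)
        if port in ROLE_BY_PORT:
            device["roles"].add(ROLE_BY_PORT[port])
        if port in CLEARTEXT_PORTS:
            device["findings"].add(f"cleartext {CLEARTEXT_PORTS[port]} to {dst}")
        if not _member(dst, INCLUDE):
            device["findings"].add(f"traffic leaves monitored networks: {dst}")
    return dict(inventory)


if __name__ == "__main__":
    for ip, info in sorted(build_inventory(FLOWS).items()):
        print(ip, sorted(info["roles"]), sorted(info["findings"]))
```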

All this said and understood, here’s a summary of responsibilities for HTM professionals so we can keep up with this exponential growth of technologies in healthcare:

  • Participate in policy and procedure development and refinement as applicable to MIoT.
  • Take a seat at the governance committee that establishes standards and best practices and evaluates technologies for compliance.
  • Understand vulnerability management and work with IT pillars to establish a process that is easy to implement and sustain.
  • Get familiar with Department of Defense data destruction techniques, learn about the tools that information security professionals use, and educate HTM staff on their relevance and application.
  • Participate in supply chain and clinical activities that discuss clinical workflows, review the medical technologies that clinicians want to purchase, and evaluate contracts for data and system security as well as maintenance management.
  • Participate in risk management and legal activities as applicable to MIoT.

This is a new and exciting challenge for all of us in HTM, and we have fantastic vendor solutions to manage MIoT devices as well as close-knit IT partners that are willing to help us learn.

For those thinking of vendor solutions or even working through proof-of-concept implementations in a healthcare delivery organization, you’ll want this tool to have the ability to:

  • Identify and manage virtually any number of MIoT devices, as well as keep track of new additions to the network along with affected data flows.
  • Extend the existing risk assessment program to MIoT devices and manage risks posed by legacy devices.
  • Monitor the health of the MIoT devices in near real time.
  • Identify insecure configurations, non-compliance with policies, security events, and incidents in a timely manner, as well as aid development of secure management strategies.
  • Produce meaningful compliance reports and add intelligence to asset management practices.
  • Assess device utilization to enhance maintenance strategies and predict failure events.
  • Integrate and parse data from network access control (NAC) tools, security information and event management (SIEM) tools, and computerized maintenance management systems (CMMS) that will help streamline workflows and provide efficient documentation.

Several technology vendors offer the above and more, so it can be overwhelming and even tedious to select a solution that fits all these needs and wants. While the technical capabilities of most of the platforms are on par with each other, what really helps them earn purchasing decision “brownie points” is their ability to provide:

  • Continuous engagement with regular updates.
  • Superior quality customer service through technical and project support.
  • Ease of implementation for a proof-of-concept and a full-scale deployment.

I find it interesting and impressive when vendors are open and authentic about their ideas, experiences with prior implementations, and the lessons learned. I think it relaxes the skepticism by helping to establish trust. In a partnership, that goes a long way!

Priyanka Upendra is compliance program director at Banner Health and a member of the AAMI’s Technology Management Council, Awards Committee, Nominating Committee, and BI&T Editorial Board and an Executive Board Member of ACCE.

4 thoughts on “Priyanka Upendra: Understanding MIoT Security”

  1. For me, a key question is, the healthcare technology digital infrastructure is becoming more and more like a house of cards. Let’s think about not building it higher than we can safely fall off it. And, let’s remember that for BMETs we are on the front lines, and caregivers look at us for solutions in real time at the bedside. Remember to give BMETs the knowledge and tools to effectively deal with questions, failures, and outages, and require OEMs and developers to provide robust tools and service manuals to support the technologies that in turn enable caregivers to serve patients.

    • Scot – I couldn’t agree more! We are taking on more technology than we are ready to support and manage throughout its life cycle. That is why I cannot stress the importance of having HTM professionals involved with clinical and finance while making those decisions to adopt new and fancier technology that enhance patient and clinical workflows. Also, the importance of BMET and HTM education in overall cybersecurity management of healthcare technology is understated. At Banner, we are now doing cybersecurity tabletop exercises every month and have a year-long schedule that includes our HTM folks. This is so we can get acquainted with the anatomy of a cyber attack and do’s and don’ts all through it. This is something we will also share at MD EXPO and AAMI this year; hopefully we will see more discussions that aid the tactical-doers rather than just the discussions confined to a conference room.

  2. While there are many claims about the value of connectivity the question should also be asked “Does this device being on the network really enhance patient care?” If the answer is no then a non-networked configuration or alternative may be appropriate. While protective solutions may be available it remains the case that the more things that are connected the greater is the risk of hacking and related misadventures.

    • I completely agree. I think HDOs need to partner with clinicians on assessing the clinical workflow/dataflow so things are connected only when a workaround really causes a problem to the clinical workflow. Like I said, there are greater risks with connectivity than opting for an alternate workflow, but again all stakeholders need to make a collective decision on that.
