Healthcare organizations integrating more Internet of Things (IoT) devices into their networks are also charged with developing management strategies for those devices that include tools, IT administrators, and end users.
A recent Zingbox survey revealed that healthcare organizations may be overconfident in their IoT security because they lack visibility over their connected device network.
Most health IT professionals feel confident that their connected medical device network can withstand most cyberattacks.
Seventy-nine percent of respondents say that their IoT devices contain information that would make them vulnerable to cyberattacks while 89 percent are confident that their devices are protected against cyberattacks. Sixty-nine percent said that they feel the traditional security solutions they use for laptops and PCs are adequate for IoT devices as well.
“Most organizations are thinking about antivirus, endpoint protection and firewalls, but there are many devices, like medical monitoring equipment, and no one is thinking about securing them,” said Jon Booth, Bear Valley Community Hospital District IT director. “Generally, medical devices are not replaced for at least 10 years, with many running old software that has not been updated or patched.”
Legacy hardware and software can be some of the most dangerous threats to health IT security and can drain IT budgets. Legacy solutions are not built with future tech advancements in mind, which leaves them rigid and unable to adapt to evolving IT environments.
Legacy processes for protecting and tracking IoT devices can also leave networks vulnerable. The majority of survey respondents are confident in the accuracy of their IoT device tracking despite relying on manual audits.
Sixty-four percent said they rely on some kind of manual room-to-room audit to track connected device inventory, and only 21 percent said their IoT devices receive preventative maintenance based on usage.
More than half said that the clinical and biomedical engineers who are the end users must physically walk over to a device to see if it’s in use before scheduling repairs. This can be a significant waste of time if the device is in use and can take clinicians away from their patients.
“Despite the recent progress of the healthcare industry, the survey exemplifies the continued disconnect between perception of security and the actual device protection available from legacy solutions and processes. Unfortunately, much of the current perception stems from the use of traditional solutions, processes and general confusion in the market,” said Xu Zou, CEO and co-founder of Zingbox. “Only by adopting the latest IoT technology and revisiting decade-old processes, can healthcare providers be well prepared when the next WannaCry hits.”
Health2047 Managing Director of Technology Charles Aunger also used WannaCry as an example of legacy technology leaving healthcare networks vulnerable.
Many organizations did not update their Windows operating systems with the patch Microsoft released after the attack to prevent further damage.
“Healthcare organizations around the world were saying things like, ‘we didn't apply the patch because it wasn't broken,’” Aunger explained to HITInfrastructure.com. “But it was broken. Microsoft defined it was broken.”
Healthcare organizations are often not quick to upgrade operating systems. WannaCry brought this issue to the forefront. Some organizations couldn’t install the patch because they were still running machines on Windows XP, which forced Microsoft to issue a separate patch.
Many health IT departments see a legacy solution that isn’t broken or malfunctioning and adopt an “if it ain’t broke, don’t fix it” attitude, which can cause serious problems down the road. While this attitude could be harmful, it’s not unfounded and it doesn’t stem from bad intentions.
Healthcare organizations often face strict budgets, which makes adopting new tools difficult. Many advanced health IT infrastructure solutions will give organizations a higher ROI over time, but fronting the cost to implement them can be difficult.
Compliance also factors into this attitude. IT administrators know that the machines in place are already compliant. Taking these legacy machines out and replacing them requires certification that takes time and resources.
Changing health IT systems may also take a toll on staff. Many advanced tools and machines, like cloud or IoT devices, function very differently than legacy tools and machines.
“Organizations spend a lot of effort continually trying to re-engineer legacy systems that are broken,” said Aunger. “Change is hard. Changing applications, upgrading features, and upgrading functionality takes time.”
Organizations that are overly confident in their legacy solution’s ability to protect IoT devices from cyberattacks will begin to realize that new defenses need to be built. While necessary, this project may seem overwhelming.
“Organizations are trying to bite the whole apple instead of breaking down upgrades into smaller projects that are easier to digest,” said Aunger. “They tend to see the whole technology system as one big heartbeat. They think, ‘if it isn't broken, don't fix it and don't break it.’”
Health IT departments face tremendous pressure when they are caught between tools they know are underperforming because of their age and the risk involved with installing new systems.
“Most IT employees worry about changing something just for the sake of changing it,” said Aunger. “When you really get down into the situation, their worry is more about the impact and the systems going down than actually breaking.”
Organizations should weigh security risks against potential threats when assessing their security infrastructure to support connected medical and IoT devices.