Whether you know it or not, your hospitals are being inundated on a daily basis with devices that want to communicate over your networks and the Internet. As you bring in and install new equipment (medical devices, payment processing machines, etc.), many of these devices have the ability to send and receive data over your network and outside of it, as they are part of this “Internet of Things”. This represents a point of vulnerability for your network. You need to take action to make sure that these devices are not going to be an entry point for a breach at your organization.
While this is an important question for all devices on your network, it is of particular importance with regard to IoT. With the varying levels of information security maturity contained in these devices, organizations must deploy technology that tracks the entirety of IoT devices deployed in order to gain a good assessment of the risk level that they present, and to gauge how that risk level changes as devices are added or replaced.
Do you have baseline information on, and control over, the version of software and firmware running on your IoT devices?
Identifying secure baselines for the software and firmware that are running your facility’s IoT devices is critical to both creating a safe operating environment and to detecting when malicious activity violates that safe environment. Oftentimes, IoT software/firmware is fully updated with a new version rather than simply being patched. Knowing whether command and control systems can be used to administer these updates, or whether the updates are delivered manually, can help keep track of versioning. Where possible, digital signatures should be evaluated by the IoT devices before loading to ensure that images are secure.
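One way to turn a firmware baseline into a routine check is sketched below as an added example (not code from the original article or any vendor): it compares a device inventory against approved versions and image hashes per model and reports drift. The model names, versions, record fields and hashes are constructed sample data, and a hash comparison like this complements, but does not replace, signature verification on the device itself.

```python
import hashlib
import hmac

def _h(data):
    # Helper for building constructed sample hashes.
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: approved firmware versions and image hashes per model.
BASELINE = {
    "infusion-pump-x": {"2.4.1": _h(b"pump firmware 2.4.1")},
    "card-reader-y": {"1.0.9": _h(b"reader firmware 1.0.9")},
}

# Constructed inventory, shaped like the output of an asset-tracking tool.
INVENTORY = [
    {"id": "pump-01", "model": "infusion-pump-x", "version": "2.4.1",
     "sha256": _h(b"pump firmware 2.4.1")},
    {"id": "pump-02", "model": "infusion-pump-x", "version": "2.3.0",
     "sha256": _h(b"pump firmware 2.3.0")},
    {"id": "reader-07", "model": "card-reader-y", "version": "1.0.9",
     "sha256": _h(b"modified image")},
    {"id": "cam-03", "model": "ip-camera-z", "version": "5.1",
     "sha256": _h(b"camera firmware 5.1")},
]

def check_device(device, baseline):
    """Return a finding for one device, or None if it matches the baseline."""
    approved = baseline.get(device["model"])
    if approved is None:
        return "unknown-model"        # device type was never baselined
    expected = approved.get(device["version"])
    if expected is None:
        return "unapproved-version"   # version is outside the baseline
    if not hmac.compare_digest(expected, device["sha256"].lower()):
        return "image-hash-mismatch"  # right version label, different image
    return None

def audit(inventory, baseline):
    """Map device id -> finding for every device that deviates from the baseline."""
    findings = {}
    for device in inventory:
        result = check_device(device, baseline)
        if result is not None:
            findings[device["id"]] = result
    return findings

if __name__ == "__main__":
    for dev_id, finding in audit(INVENTORY, BASELINE).items():
        print(f"{dev_id}: {finding}")
```

Run on a schedule, the findings show how the risk picture changes as devices are added, replaced or updated.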
Do you regularly schedule vulnerability assessments and follow-on remediation activities?
Vulnerability assessments on operational systems are likely to be risky endeavors. Where possible, test environments or sandboxes should be established. IoT vendors or collaborative communities such as an Information Sharing and Analysis Center may also have test laboratories that can be accessed to look for vulnerabilities in IoT devices.
Do you control the use of Administrative Privileges on IoT devices?
Some IoT devices include administrative accounts for management and maintenance of the device. For these devices, account access should be extremely limited, and protected with strong authentication. For devices without administrative access, additional physical security measures are recommended to prevent localized tampering.
Do you generate, monitor and analyze audit logs from your IoT devices?
Since IoT devices are typically designed for high reliability, they often have sufficient logging capability. The challenge here is to capture this log data and integrate it into the enterprise’s Security Information and Event Management (SIEM) system.