March 4, 2017

Bob Hooper • Vice President of Sales

Reasonable Security for the Internet of Things

Whether you know it or not, your hospitals are being inundated on a daily basis with devices that want to communicate over your networks and the Internet. As you bring in and install new equipment (medical devices, payment processing machines, etc.), many of these devices have the ability to send and receive data over your network and outside of it, as they are part of this “Internet of Things”. This represents a point of vulnerability for your network. You need to take action to make sure that these devices are not going to be an entry point for a breach at your organization.

In its Breach Report issued this past February, the California Department of Justice made the following statement: “the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

On average, more than one healthcare facility was breached per week in 2016. As the Internet of Things (IoT) brings better, faster and more mobile care to facilities, it also brings greater breach risk. While many facilities have begun to address security risks to their basic infrastructure, few have taken on the challenge of securing these extensions to the facility’s threat surface.

Drawing on the recommendations found in the Critical Security Controls, here are five key questions to answer with regard to your organization’s growing IoT:

Do you have an inventory of Authorized Devices on your system’s network(s) and can you automatically detect the addition of an unauthorized device?

While this is an important question for all devices on your network, it is of particular importance with regard to IoT. With the varying levels of information security maturity contained in these devices, organizations must deploy technology that tracks the entirety of IoT devices deployed in order to gain a good assessment of the risk level that they present, and to gauge how that risk level changes as devices are added or replaced.

Do you have baseline information on, and control over, the version of software and firmware running on your IoT devices?

Identifying secure baselines for the software and firmware running on your facility’s IoT devices is critical both to creating a safe operating environment and to detecting when malicious activity violates that environment. Oftentimes, IoT software/firmware is fully updated with a new version rather than simply being patched. Knowing whether command and control systems can be used to administer these updates, or whether the updates are delivered manually, can help keep track of versioning. Where possible, IoT devices should evaluate digital signatures before loading an image, to ensure that the image is secure.
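The first two questions can be checked together by comparing what a network scan reports against the authorized inventory and its firmware baseline. The sketch below is an added example, not part of the original article; the inventory layout, the "MAC firmware-version" scan format, and all addresses, device names and versions are constructed assumptions.

```python
import re

# Constructed authorized inventory: MAC -> (description, approved firmware version).
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": ("infusion pump, ward 3", "2.4.1"),
    "00:1a:2b:3c:4d:5f": ("payment terminal, lobby", "7.0.3"),
    "00:1a:2b:3c:4d:60": ("patient monitor, ICU", "1.9.0"),
}

# Constructed scan output from a hypothetical discovery tool, one
# "mac firmware_version" pair per line; MAC notation differs by source.
OBSERVED = """\
00-1A-2B-3C-4D-5E 2.4.1
001a.2b3c.4d5f 6.9.8
00:1A:2B:3C:4D:60 1.9.0
DE:AD:BE:EF:00:01 unknown
not-a-mac 1.0
"""

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if raw is not a MAC."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(observed_text, authorized):
    """Compare scan results with the inventory and firmware baseline."""
    findings = {"unauthorized": [], "firmware_drift": [], "unparsed": [], "missing": []}
    seen = set()
    for line in observed_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        mac = normalize_mac(fields[0]) if len(fields) == 2 else None
        if mac is None:
            findings["unparsed"].append(line)  # never silently drop bad input
            continue
        seen.add(mac)
        if mac not in authorized:
            findings["unauthorized"].append(mac)
        elif fields[1] != authorized[mac][1]:
            # (mac, approved version, observed version)
            findings["firmware_drift"].append((mac, authorized[mac][1], fields[1]))
    # Authorized devices that did not answer the scan also deserve a look.
    findings["missing"] = sorted(set(authorized) - seen)
    return findings

if __name__ == "__main__":
    for kind, items in audit(OBSERVED, AUTHORIZED).items():
        print(kind, items)
```

Normalizing the MAC notation before the lookup matters: without it, an authorized device reported in a different format would be flagged as unauthorized, and alert noise of that kind tends to get the whole check ignored.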

Do you regularly schedule vulnerability assessments and follow-on remediation activities?

Vulnerability assessments on operational systems are likely to be risky endeavors. Where possible, test environments or sandboxes should be established. IoT vendors or collaborative communities such as an Information Sharing and Analysis Center may also have test laboratories that can be accessed to look for vulnerabilities in IoT devices.

Do you control the use of Administrative Privileges on IoT devices?

Some IoT devices include administrative accounts for management and maintenance of the device. For these devices, account access should be extremely limited, and protected with strong authentication. For devices without administrative access, additional physical security measures are recommended to prevent localized tampering.

Do you generate, monitor and analyze audit logs from your IoT devices?

Since IoT devices are typically designed for high reliability, they often have sufficient logging capability. The challenge here is to capture this log data and integrate it into the enterprise’s Security Information and Event Management (SIEM) system.