The Internet of Things holds great promise to improve our health and wellbeing. Internet-connected infusion pumps, imaging machines, blood-glucose sensors (and myriad more devices) can automatically share valuable data with a person’s electronic health record. That said, every new device adds to the demand for speed and manageability, and meeting that demand requires careful network planning.
Security needs to be front and center
Hackers continue to dominate the headlines, as they expose vulnerabilities across verticals. Healthcare providers hold some of the world’s most sensitive information—medical records—making them a particularly high-value target.
Reporters at Computerworld recently demonstrated the risk of “medjacking,” where hackers are able to exploit Internet-connected medical devices, such as infusion pumps, to administer deadly levels of an otherwise helpful drug into an unsuspecting patient, without triggering an alarm to medical professionals.
The network represents one of the largest avenues of attack, and every possible effort should be made to secure it.
On some legacy networks, people can connect devices without prior authorization. In the most extreme cases, healthcare administrators admit they have no idea exactly how many devices are accessing their network at any given time.
Attacks come in many forms—from the so-called ‘Sneakernet’ via USB keys to infected devices brought from home by oblivious patients or employees.
Another major challenge is that Internet-connected devices and end-user applications are evolving faster than the legacy network. The traditional approach of securing the Internet gate with a firewall isn’t enough. Once a device is connected to the network with an IP address, all other devices on the same network segment can be easily exposed (and possibly hacked), as many administrators of hacked environments have learned the hard way.
Software-defined networking represents a crucial layer in a multi-layered security plan. Traffic dynamically flows across the network, picking the shortest path to its destination. The network can be easily segmented into areas that remain invisible to devices on the edge. One physical network can create numerous virtual networks on the fly. Network connections open as approved devices connect, and dynamically close as those devices are disconnected. Getting a complete picture of every device on the network at that moment is a single click away.
Reducing the size of the network footprint and obscuring the network core can provide important, added security benefits.
Segmenting and filtering are crucial
By segmenting the network at the routing table level, data can be filtered and contained so that it flows only from approved devices to pre-defined applications. Without segmentation, all devices in a single, flat routing table can communicate with all other connected devices and users.
In a healthcare setting, does the network that transports data from the MRI machine to the electronic health record system need to share the same path options as the payment card system? No. By segmenting the network and isolating various systems, you create additional protections against a single intrusion infecting multiple systems.
To quote the lead hacker at the NSA, who recently gave a presentation on how companies can protect themselves from the NSA: “Segment networks and important data to make it harder for hackers to reach your jewels.”
All this together keeps an arbitrary number of edge devices from turning the network into an ever less secure one, leading to a more secure edge. This matters even more in a software-defined perimeter approach to securing the edge, where policy and filtering are enforced from a central model and the edge is segmented from other network services.
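The segmentation and filtering described above, reduced to a small model, as an added example that is not part of the original post: devices are profiled into virtual segments, each segment carries a default-deny allow-list of destinations, and constructed flow records are audited against that policy. Device names, segment names and ports are assumptions chosen to mirror the MRI, infusion pump and payment-card example.

```python
from dataclasses import dataclass

# Constructed device profiles: which virtual segment each device is placed in.
DEVICE_SEGMENT = {
    "mri-01": "imaging",
    "pump-17": "infusion",
    "ehr-app": "ehr",
    "pos-03": "payments",
    "pay-gw": "payments",
}

# Default-deny policy: a source segment may reach only the listed
# (destination segment, port) pairs; everything else is dropped.
POLICY = {
    "imaging": {("ehr", 443)},
    "infusion": {("ehr", 443)},
    "payments": {("payments", 443)},
    "ehr": set(),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def segment_of(device):
    """Unprofiled devices get no real segment. In a flat network they would
    see everything; here they land in a quarantine segment with no rules."""
    return DEVICE_SEGMENT.get(device, "quarantine")

def is_allowed(flow):
    """True only if the policy explicitly permits this segment-to-segment path."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    return (dst_seg, flow.port) in POLICY.get(src_seg, set())

def audit(flows):
    """Return the flows a flat routing table would have delivered but the
    segmented policy rejects: these are the candidates for alerting."""
    return [f for f in flows if not is_allowed(f)]

# Constructed flow records, as a segmentation-aware collector might see them.
SAMPLE_FLOWS = [
    Flow("mri-01", "ehr-app", 443),    # imaging -> EHR: approved path
    Flow("mri-01", "pay-gw", 443),     # imaging -> payments: no shared path
    Flow("pump-17", "mri-01", 22),     # infusion -> imaging: not permitted
    Flow("laptop-x", "ehr-app", 443),  # unknown device: quarantined
]
```

Running `audit(SAMPLE_FLOWS)` returns the last three flows; only the MRI-to-EHR record passes, which is the containment the routing-table segmentation is meant to provide.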
Automation ties it all together
Implementations where security requires too much effort or adds complexity often fail, because the human element gets in the way of the need for a quick deployment. How many times have shortcuts and the human element led to failures in systems? Automating the connectivity of Internet-connected devices makes security simpler and far easier to implement.
It’s not all about automating the connection to the edge; healthcare providers need to make sure their system puts devices and users into their proper virtual network segment and enforces the proper profile rules. That way, administrators can prevent devices from becoming points of exposure that put the organization’s future at risk.
I hope to see you at HIMSS 2016, either at booth #11325, or at the session “Internet of Things for Healthcare” (March 1 from 1-2 p.m.), where I will be presenting with Eric Miller of Ascension.