This article was originally written by Avanade alum Gaurav Aggarwal.

In the past our blood pressure monitors and incubators were stand-alone devices. They required individuals to walk to the device, look at the readings, document the data points and report on it. Today these devices (and many more) are connected to networks and the internet, creating not only more efficient processes but improving data accuracy. These create systems with the ability to correlate data across devices and history to provide more insight and improve care. These Internet of Things (IoT) continue to help healthcare providers treat patients.

Thanks to IoT, healthcare providers can deliver and monitor care beyond services provided in a hospital or medical facility. The use of connected care allows doctors or physicians to monitor their patients from anywhere. This frees up space at care facilities and allows people to live their lives ‘in the world.' All while still being able to monitor their health and serious risks.

While this technology has its advantages, concerns do exist particularly due to the interconnectivity involved. Device interconnectivity brings up requirements for data protection, privacy, and the need to secure connectivity while monitoring for risks and vulnerabilities. Healthcare security breaches are a digitally driven pandemic that can quickly escalate if left unchecked. Here are three important tips to help address security for these devices.

Tip 1: Secure the cloud & data
Many of these medical tech systems take data from the devices to the cloud and cloud-based applications. While using or creating your own cloud-based services provides many security benefits, it does not address everything. You are still responsible for many aspects of security, even in these shared services models.

You must know who is responsible for what elements of security. Most likely workload protection and data protection is still your responsibility. But what about compliance with healthcare and privacy regulations? Leverage your company policies for securing the infrastructure and data as if you are hosting the solutions yourself. You will also need to be sure those requirements extend to partners and service providers.

Tip 2: Protect the endpoint
To successfully close the cybersecurity gap, you need a multifaceted endpoint security strategy, starting by improving endpoint persistence and progressing to geofencing. Our recommendation to healthcare organizations is to define their unique approach to endpoint security first using a security platform approach instead of best of breed products and tools.

Tip 3: Minimize third-party (supply chain) risk
Third-party risk is a major problem in the current landscape. About 55% of healthcare organizations suffered a security third-party breach in the past year. Organizations spend a lot of time and money protecting the systems, applications, and technology they control, and often assume that their partners do the same.

This approach means an attacker’s path of least resistance is through a third-party. Attackers will breach the third-party system and then traverse into your system. A recent example took place in Australia where thousands of patients who used a South Australian home hospital service had their personal information compromised when one of the largest insurance providers was hacked by an unauthorized party.

Many healthcare organizations have thousands (or more) of these third parties they are working with. It is critical that you have a program to assess and manage the risks associated with working with them. Managing these needs programs that assess the people, processes, and technology of your partners. You must define security requirements for existing third-party systems as well as for anything new that comes in. These requirements need to be continuously updated. They must remain current with compliance requirements as well as security technology improvements and the threat landscape. This is no small task.

Why do criminals care? It’s all tied together
While IoT devices are not connecting directly to patient records, criminals still use this access point to move to more critical systems in your environment whether that might be a patient billing or medical record system. When this is done, attackers can gain additional intelligence on how these systems work together and help construct an even larger and more dangerous breach.

There is a potential risk to human life. We are predicting that we will see the ‘weaponizing’ of IoT devices soon. One can imagine the implications. Even without the threat of physical harm the value of healthcare data is vastly higher than other data. Health records are used for identity theft, extortion, or worse.

It is important to understand that lack of direct access to records does not mean a system (or data) is not valuable. This is a key point to be aware of, regardless of the solution. Users often don’t think one piece of information is valuable because they don’t consider how hackers will gather bits, like puzzle pieces to achieve their larger goal.

It’s not if, but when…
Unfortunately, for most healthcare organizations, it is not a matter of if they will be hacked but when. At Avanade, we provide a holistic approach, based on Zero Trust principles through advisory, implementation and managed services to evaluate and define your cybersecurity strategy and to continually improve your governance, risk and compliance state.

We help healthcare clients worldwide learn the best methods so that every solution is treated with the same level of care and security.

Contact us today to discover how we can help you keep your organization secure from direct or third-party security attacks.