The IoT and Healthcare's State of Emergency

Organizations have adopted IoT technologies to cut costs. Now it's time to consider the cybersecurity that can protect them as business investments, too.

Last month, a federal task force expressed concern that healthcare—the most breached of all industries—was gravely behind in adopting technology to properly secure data. Why sound the alarm? Attacks increased by 320% from 2015 to 2016, during which 90% of healthcare organizations suffered breaches.

The Internet of Things (IoT) also complicates how companies protect themselves. In healthcare, IoT technology significantly reduces spending (by as much as $305 billion, according to estimates) by streamlining office administration, accelerating patient-data sharing, and bringing efficiency to diagnosis and treatment.

Sharing data is core to the medical field, but that also creates several more attack vectors for hackers. In fact, IoT devices can be found in more than 90% of healthcare networks. In the cases of ransomware, which accounted for 72% of healthcare attacks last year, thieves leverage the sensitivity of patient information. (The WannaCry global attack was the most recent example of this.) Network invasions can compromise record access or in worst-case scenarios, disrupt patient medical devices.

Although the IoT is modernizing medicine, facilities are still hindered by outdated systems with un-patchable security holes, a lack of security experts, and tight budgets. It is now detrimental that healthcare companies view comprehensive security through a business lens, in the same way that IoT devices have been perceived as cost-effective upgrades.

Writes the Healthcare Industry Cybersecurity Taskforce in its June 2017 report, “These organizations often lack the infrastructure to identify and track threats,” the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”

medical IoT security

This includes tech-savvy institutions that have adopted popular solutions such as SIEM systems. Not only do they require skilled IT staff to operate them, SIEM systems plague security teams with alert fatigue and blind spots. The solution to their woes is not much different from how IoT remedies operational issues: Centralize the data.

This is essentially what a SIEM system is meant to do, but rigid thresholds that flag threats create a flurry of false positives. If that valuable reservoir of data (as well as those from other security investments) is integrated into a security-analytics platform, however, a healthcare institution’s security posture will improve. And if those analytics are run using machine learning, that posture strengthens exponentially.

This is important, because healthcare’s abundance of data is its blessing and its curse. The Identity Theft Resource Center reported that nearly 16 million personal healthcare records (as opposed to overall data, which is a much higher number) were compromised last year, even though this industry suffered fewer overall breaches than the business sector. In other words, criminals get more bang for their bucks by hacking healthcare companies.

The industry is a major target because it’s not only data-rich, but comes with an inflated dark-web price point. Earlier this year, Forbes reported that a social-security number will get you 10 cents on the black market, a credit-card number will reap 25 cents, but an electronic medical health record (EHR) “could be worth hundreds or even thousands of dollars.”

Machine-learning analytics overachieve when given heaps of data. Precision and speed of threat detection grows astonishingly. Meanwhile, the intelligence that comes from analyzing big data advances risk management. Security experts know this. But it’s the executives running healthcare companies that must arrive to this conclusion, stat.