If you haven’t guessed, I think the “Internet of Things” (IoT) is a game changer for the field (see How The ‘Internet Of Things’ Will Bring New Competitive Advantage To Provider Organizations). But it will also increase one area of management concern in health and human service organizations – data security.
The upside of the IoT is that devices everywhere will be gathering information about you (or the consumers you serve) and sending it to some central data repository. The downside is that devices everywhere will be gathering information about you (or the consumers you serve) and sending it to some central data repository. That’s the issue for data security – there are many more data nodes to keep secure.
Any device can pose a security risk – in the Target breach last year, hackers gained credit card information by exploiting the system that remotely monitored and controlled store heating and air conditioning (see Heat System Called Door to Target for Hackers). Last year a refrigerator was used to send spam after a web attack compromised smart gadgets (see Fridge sends spam emails as attack hits smart gadgets). In another case, hackers targeted a smart light bulb (see Hacking into Internet Connected Light Bulbs).
How large is the threat to health and human service organizations? According to the “2014 SANS Securing the Internet of Things Survey” reported on in the SANS Health Care Cyberthreat Report, “virtually all software, applications, systems and devices are now connected to the Internet….a reality that cybercriminals recognize and are actively exploiting.” And the numbers are eye-catching – 94 percent of medical institutions have been victims of a cyber-attack, including health care providers (72.0%), health care business associates (9.9%), health plans (6.1%), health care clearinghouses (0.5%), pharmaceutical (2.9%), and other related health care entities (8.5%).
How to prepare your health and human service organization? There needs to be even more vigilance from IT staff, and a greater emphasis placed on security in an organization’s overall strategy. In his article, The Internet of Things: Top five threats to IoT devices, David Greer identifies four categories of IoT devices that are at risk from attack and should be of primary concern for health care organization compliance officers and security officers – here is what they are, and how I think organizations adopting these technologies should prepare.
In-Car WiFi – In-car WiFi turns cars into mobile hotspots and connects passengers’ smartphones, tablets and other devices to the Internet. If you are serving clients in rural settings, this may be a great tech tool. However, this has the same security vulnerabilities as traditional WiFi hotspots, without the protections. Organizations need to use wireless intrusion detection systems (WIDS) to identify all wireless devices using or attempting to use their system, and detect attacks (see Wireless Access Control).
mHealth Applications & mobile medical devices – This is the obvious one for health care organizations. But while technology manufacturers have traditionally used proprietary embedded systems and closed source code to protect technology, IoT devices are using a form of under-secure Windows. CSOs need to ensure that each wireless device connected to their network matches an authorized configuration, security profile, documented owner, and defined business need (see Secure Configurations for Network Devices such as Firewalls, Routers, and Switches).
Wearable Devices – Many wearable devices automatically connect to the internet, come with very few security solutions, and are hard to track within an organization. If these devices record audio or video, they can record sensitive information that may constitute a compliance violation, or expose confidential corporate information and intellectual property. CSOs need to manage all devices that can log into or record organizational systems by limiting access, configuring, installing software, and patching all devices to the appropriate security standing (see Boundary Defense).
Retail Inventory Monitoring and Control – Machine-to-machine (M2M) communication is one of the lynchpins of IoT-driven efficiencies, which, according to Mr. Greer, rely on inexpensive 3G cellular data transmitters. As another access point to the internet, those transmitters are vulnerable to attacks. Hackers can use these devices to manipulate organizational resources (for example, fraudulently purchasing too much of a specific resource). CSOs need to demand their IoT devices come with secure, inaccessible, encrypted frequencies (see Secure Network Engineering).
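The checks recommended above for in-car WiFi and mHealth devices (identify every wireless device, then confirm it matches an authorized configuration, security profile, documented owner and defined business need) can be run as a simple audit. This is an added example, not code from the original article or from Mr. Greer; the record fields, the configuration digest and the sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Approved:  # one authorized-inventory record (hypothetical field names)
    owner: str
    business_need: str
    security_profile: str
    config_digest: str  # digest of the authorized configuration

def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 'AA-BB..' matches 'aa:bb..'."""
    hexchars = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexchars) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2))

def audit(observed, inventory):
    """Return {mac: [findings]} for every observed device that fails a check."""
    approved = {normalize_mac(m): rec for m, rec in inventory.items()}
    report = {}
    for dev in observed:
        mac = normalize_mac(dev["mac"])
        rec = approved.get(mac)
        if rec is None:
            report[mac] = ["not in authorized inventory"]
            continue
        findings = [f"no {label}" for label, value in (
            ("documented owner", rec.owner),
            ("defined business need", rec.business_need),
            ("security profile", rec.security_profile)) if not value.strip()]
        if dev.get("config_digest") != rec.config_digest:
            findings.append("configuration differs from authorized baseline")
        if findings:
            report[mac] = findings
    return report

# Constructed sample data: an inventory and a wireless scan export.
INVENTORY = {
    "00:11:22:33:44:55": Approved("Nursing, Unit 4", "pump telemetry", "clinical-vlan", "a1f3"),
    "00:11:22:33:44:66": Approved("", "visitor kiosk", "guest-vlan", "9c2e"),
}
OBSERVED = [
    {"mac": "00-11-22-33-44-55", "config_digest": "a1f3"},  # compliant
    {"mac": "00:11:22:33:44:66", "config_digest": "ffff"},  # no owner, drifted config
    {"mac": "DE:AD:BE:EF:00:01", "config_digest": None},    # unknown device
]

if __name__ == "__main__":
    print(audit(OBSERVED, INVENTORY))
```

Devices absent from the report passed every check; anything listed needs an owner, a justification, or remediation before it stays on the network.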
Not planning to adopt IoT technology any time soon? That really doesn’t matter. If your team members are using laptops, tablets, or smartphones – the same security concerns should be on your radar screen. For more on data security, check out these resources from the OPEN MINDS Industry Library:
- You Can Protect Your Health Care Data, But Are You?
- What Is Your HIPAA Security Score?
- We Were Almost Hacked!
- Ten Tactics to Avoid Penalties for Health Information Privacy & Security Breaches
And, for more on these technology management issues, don’t miss my presentation with OPEN MINDS Senior Associate Sun Vega, Using Technology To Make Community-Based Service Delivery Efficient & Effective: Putting Remote Monitoring, Smart Phone Apps & Online Technologies To Use In Your Organization, at the 2014 OPEN MINDS Technology & Informatics Institute.