The 6 Riskiest IOT Devices in Healthcare with Solutions

Based on the linked article, Armis states the six riskiest devices are: IP cameras, printers, VOIP phones, nurse call systems, infusion pumps, and ADS cabinets. Risk is defined as unpatched Common Vulnerabilities and Exposures (CVEs). They don't offer a solution beyond the implied one of patching the vulnerabilities, but there is more to this issue. First, yes, if it can be patched, it should be patched and kept up to date to plug the holes in the dam, but:

1. What if a patch is unavailable? This is where proactively choosing a vendor in healthcare IT is critical. Not only does one need to ensure the hardware meets business requirements, but the technical requirements should include a review of the vendor's release schedule for vulnerability patches. In a fast-moving IT market, if the vendor strategy is to release new models rather than patch old ones, perhaps a 1-year depreciation on that capital purchase is warranted, and you will need to budget replacement and redeployment each year. Ideally, select vendors that support their legacy products and take vulnerabilities seriously.

2. What if each device needs to be touched to update it? If you deploy hundreds or thousands of devices and each one needs to be touched to update firmware, you need to factor that into the long-term cost of running those devices. This was (and is) a common issue with infusion pumps that lack a robust centralized control system. Some may be able to update their drug libraries over the network, but for patches, each device needs to be taken out of service, returned to biomed for the update, and then redeployed: a lengthy, resource-intensive, and error-prone process. Instead, opt for devices that can be controlled, status-checked, updated, and validated via a central control system.

3. Unsupported OS versions? Devices such as an ADS (automated dispensing system) are expensive capital purchases. In the early 2010s, the big debate was whether to buy or lease the cabinets; this was largely a CFO-driven decision on whether to budget them from a capital or operating perspective. With those cabinets running on Windows 2000 or NT, many organizations that chose the buy route were stuck with not just unpatchable systems but unsupported systems. With one-third of ADS cabinets reported to be running an unsupported OS, I have to wonder if organizations are either trying to stretch capital dollars or if there is a secondary market for these cabinets.

Ultimately, this article provides a good roadmap for an IOT checkup project. This is and is not a cybersecurity issue. It is from a vulnerability standpoint, but it is not from a solution standpoint. The solution lives in IT purchasing practices and good IT process controls with patching.

https://lnkd.in/gPRnC7nx

Need help? Here is a simple methodology for remediation:

  1. Determine outcomes, set up governance of affected stakeholders, assign a PM
  2. Inventory devices in each category
  3. Assess variants of the devices and compliance with patching/vulnerabilities
  4. Patch affected devices
  5. For devices unable to be patched: Document security risks and develop active monitoring programs, plan for decommissioning and selection of replacements.
  6. Retool patching responsibilities, policies and procedures to prevent the need to repeat this catch-up project.
  7. Refine future purchasing requirements to minimize future exposure.
  8. Document outcomes and value to organization on decreased risk.
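Steps 2 through 5 above (inventory, assess, patch, and document what cannot be patched) are the part of this methodology that benefits from a repeatable script rather than a spreadsheet. The following is an added example, not code from the post or from Armis, showing how a small inventory triage can sort devices into the post's remediation buckets. The device records, CVE placeholders, and the list of unsupported operating systems are all constructed for illustration; the triage rules are an assumption about how one might encode the post's decision logic.

```python
"""Triage a medical IoT inventory into the remediation buckets of the post.

Added example; not part of the original post. All device data is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Operating systems with no vendor security support. Assumption for this example;
# the post names Windows 2000 and NT as what ADS cabinets were running.
UNSUPPORTED_OS = {"Windows NT", "Windows 2000", "Windows XP", "Windows 7"}


@dataclass
class Device:
    asset_id: str
    category: str                   # one of the six categories named in the post
    os: str
    firmware: str
    latest_firmware: Optional[str]  # None: vendor has published no newer firmware
    open_cves: List[str] = field(default_factory=list)
    central_managed: bool = False   # can be patched and validated from a central console


def triage(d: Device) -> str:
    """Map one device to a remediation bucket (step 4 or step 5 of the methodology)."""
    unsupported = d.os in UNSUPPORTED_OS
    if not d.open_cves and not unsupported:
        return "compliant"
    patch_available = d.latest_firmware is not None and d.latest_firmware != d.firmware
    if unsupported or not patch_available:
        # Step 5: cannot be patched -> document the risk, monitor, plan replacement.
        return "monitor_and_replace"
    # Step 4: patch. Devices without central management must be physically touched,
    # which is the hidden labour cost the post calls out for infusion pumps.
    return "patch_centrally" if d.central_managed else "patch_manually"


def summarize(inventory: List[Device]) -> Dict[str, object]:
    """Bucket counts overall and per category, plus the number of hands-on touches."""
    buckets: Counter = Counter(triage(d) for d in inventory)
    by_category: Dict[str, Counter] = {}
    for d in inventory:
        by_category.setdefault(d.category, Counter())[triage(d)] += 1
    return {
        "buckets": dict(buckets),
        "by_category": {cat: dict(c) for cat, c in by_category.items()},
        "manual_touches": buckets["patch_manually"],
    }


# Constructed sample inventory; CVE identifiers are placeholders, not real CVEs.
INVENTORY = [
    Device("IPC-001", "ip camera", "Linux", "1.2", "1.4", ["CVE-PLACEHOLDER-A"], central_managed=True),
    Device("PRN-002", "printer", "Linux", "3.0", "3.0", ["CVE-PLACEHOLDER-B"]),   # CVE open, no fix
    Device("VOIP-003", "voip phone", "Linux", "2.1", "2.1"),
    Device("NCS-004", "nurse call", "Linux", "5.0", "5.2", ["CVE-PLACEHOLDER-C"]),
    Device("PUMP-005", "infusion pump", "RTOS", "1.0", "1.1", ["CVE-PLACEHOLDER-D"]),
    Device("PUMP-006", "infusion pump", "RTOS", "1.0", "1.1", ["CVE-PLACEHOLDER-D"], central_managed=True),
    Device("ADS-007", "ads cabinet", "Windows 2000", "4.0", None, ["CVE-PLACEHOLDER-E"]),
    Device("ADS-008", "ads cabinet", "Windows 10", "9.0", "9.0"),
]


if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.asset_id:<9} {d.category:<14} {triage(d)}")
    print(summarize(INVENTORY))
```

The "manual_touches" figure is the number that feeds the long-term cost discussion in point 2: each device in that bucket is a trip to biomed and back. The "monitor_and_replace" bucket is the input to step 5 and to the purchasing requirements in step 7.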

Don't have the resources to do this on your own? Contact me and we'd be happy to partner with you.

#cybersecurity #healthcareit #healthcareconsulting #armis #divurgent


More articles by Adam Tallinger RPh MHA CPHIMS
