Secure IoT in Healthcare – We don’t sell crazy here

Like norovirus on a ward, IoT has spread through healthcare at pandemic speed. According to a new study released by Research and Markets, the IoT healthcare market is expected to grow to USD 163.24 billion by 2020. Much has been said and written about the future possibilities of IoT in healthcare: new wireless heart monitors, Bluetooth-enabled blood pumps and more. Even digital imaging and iPads, while common in many facilities, are not common to all. These developments and new products tied to the Internet of Things speak to an enhanced, forward-thinking, intelligent vision of IT-enabled healthcare.

But the horse belongs in front of the cart: facts first, utopia second. Much of IoT sits on a set of protocols that originated with the internet itself, yet we still lack a common IoT framework. We have not agreed on common methods for making IoT devices interoperate, nor on ways to secure them. The focus for IoT has been enablement, not security, and a large number of devices simply cannot act as an 802.1X supplicant, so they can't authenticate to the network at all.

Many existing healthcare devices are limited in how they can connect by their basic design. For instance, a blood pump might have a battery, but it is there for emergency operation, not sustained use: you don't want to be the patient whose pump battery is dead. So that battery cannot be spent powering a radio that reports the pump's usage or location, and such a device is not ready for Wi-Fi or Bluetooth-enabled IoT. Older, still valuable equipment often lacks the electromagnetic (EM) shielding needed for sustained operation in a Wi-Fi environment, so its standard connection remains a Cat5e cable.

But given that new IoT devices are arriving in healthcare, it's vital for infrastructure managers to be able to profile these devices and assign each a policy that securely permits its access over wired or Wi-Fi connectivity. In any environment, but particularly in healthcare, we don't want anything connecting to the network that we can't identify. HIPAA's Security Rule requires access controls around systems holding patient data, and no such control is possible for a device you can't identify. A good sense of responsibility and governance requires the same.

If we agree that the rate of change and IoT growth are truly exponential, investment needs to be planned for integrating devices that we don't yet recognize: we need to be able to allocate security and network resources to an unknown device. To provide visibility and policy control over these unknown IoT devices, Aruba ClearPass includes a Device Profiler.

This lets us ascertain what a device is rather than relying solely on its easily spoofed MAC address. It means we can make sure that a blood pump is a blood pump and not a hacker's laptop intent on encrypting your storage platform (as recently seen at a Californian healthcare provider). It also means we can tell the difference between a consultant's BYOD iPad and a patient's, making sure that the right one securely gains access to patient records while the other watches the new season of Orange is the New Black.
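To show what "not based solely on the MAC address" means in practice, here is an added example of multi-attribute profiling with policy assignment. It is not ClearPass code and not a description of how Aruba's profiler works internally; it simply demonstrates the idea. The profiler combines the OUI of the MAC address, the DHCP option 55 parameter request list (which reflects the network stack rather than the address), the DHCP hostname, and whether the device completed 802.1X with a certificate identity. A MAC that claims one vendor while the stack behaves like another is treated as a spoofing signal and quarantined. The OUI table, the option 55 sequences, the hostname convention, the role names and the hospital.example realm are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed OUI-to-vendor table for this example. Real assignments come from the
# IEEE registry; these prefixes and vendor names are hypothetical.
OUI_VENDOR = {
    "00:1b:63": "MedPump Co",   # hypothetical infusion-pump vendor
    "d0:23:db": "TabletCorp",   # hypothetical tablet vendor
}

# Profile signatures. The DHCP option 55 (parameter request list) sequences are
# illustrative of how different network stacks differ; they are not vendor-verified.
PROFILES = {
    "infusion-pump": {"vendor": "MedPump Co", "dhcp55": (1, 3, 6, 15), "hostname_prefix": "PUMP-"},
    "tablet":        {"vendor": "TabletCorp", "dhcp55": (1, 121, 3, 6, 15, 119, 252), "hostname_prefix": ""},
    "desktop-os":    {"vendor": None, "dhcp55": (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), "hostname_prefix": ""},
}

MIN_SCORE = 3  # the DHCP fingerprint alone is worth 3; without it a device stays unknown


@dataclass
class Endpoint:
    mac: str
    dhcp55: Tuple[int, ...]             # DHCP option 55 as seen by the DHCP relay or server
    hostname: str                       # DHCP option 12
    eap_identity: Optional[str] = None  # identity from a completed 802.1X (EAP-TLS) exchange; None for MAB or portal


def oui(mac: str) -> str:
    return mac.lower()[:8]


def profile(ep: Endpoint) -> Tuple[str, int, bool]:
    """Score every profile against the endpoint's attributes.

    Returns (best_profile, score, conflict). conflict is True when the OUI claims a
    vendor whose expected DHCP fingerprint does not match what the device actually
    sent: the classic sign of a spoofed MAC address.
    """
    vendor = OUI_VENDOR.get(oui(ep.mac))
    best, best_score = "unknown", 0
    for name, sig in PROFILES.items():
        score = 0
        if sig["dhcp55"] == ep.dhcp55:
            score += 3  # behaviour of the network stack, harder to forge than an address
        if sig["vendor"] is not None and sig["vendor"] == vendor:
            score += 1
        if sig["hostname_prefix"] and ep.hostname.upper().startswith(sig["hostname_prefix"]):
            score += 1
        if score > best_score:
            best, best_score = name, score
    conflict = vendor is not None and any(
        sig["vendor"] == vendor and sig["dhcp55"] != ep.dhcp55 for sig in PROFILES.values()
    )
    return best, best_score, conflict


def assign_policy(ep: Endpoint) -> str:
    """Map a profiling result to a network role. Role names are assumptions for the example."""
    name, score, conflict = profile(ep)
    if conflict or score < MIN_SCORE:
        return "quarantine"           # unknown or self-contradictory: isolate until a human looks
    if name == "infusion-pump":
        return "medical-device-vlan"  # no 802.1X supplicant; MAB plus fingerprint is the best we get
    if name == "tablet":
        # A consultant's BYOD tablet proves itself with a certificate over 802.1X;
        # a patient's tablet never completes EAP and gets guest internet only.
        if ep.eap_identity and ep.eap_identity.endswith("@hospital.example"):
            return "staff"
        return "guest"
    return "staff" if ep.eap_identity else "quarantine"  # desktops must authenticate


if __name__ == "__main__":
    # Constructed endpoints, including a laptop wearing a pump's MAC address.
    pump = Endpoint("00:1b:63:aa:bb:cc", (1, 3, 6, 15), "PUMP-ICU-07")
    spoofed = Endpoint("00:1b:63:de:ad:01", (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), "DESKTOP-X1")
    staff_tab = Endpoint("d0:23:db:11:22:33", (1, 121, 3, 6, 15, 119, 252), "drsmith-tablet", "drsmith@hospital.example")
    patient_tab = Endpoint("d0:23:db:44:55:66", (1, 121, 3, 6, 15, 119, 252), "my-tablet")
    for ep in (pump, spoofed, staff_tab, patient_tab):
        print(ep.hostname, profile(ep), assign_policy(ep))
```

The point of the weighting is that the fingerprint a device cannot easily change (how its DHCP client behaves) outweighs the one it can (its MAC address), and that a contradiction between the two is itself evidence. A determined attacker can still forge the DHCP behaviour, so the fingerprint raises the bar rather than proving identity; the 802.1X certificate identity is what actually distinguishes the consultant's tablet from the patient's.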

If you would like to learn more about how we helped Sutter Health, Boston Children's Hospital and many, many others face and solve these issues, get in touch.