Internet of Things (IoT) endpoints, any connected or smart device, are woven into almost any fabric of life, including public health and medicine. For example, IoT can be an implanted device such as pacemakers, insulin pumps, or cochlear ear implants. IoT is also an x-ray, MRI, blood gas analyzer, or Electronic Medical Records (EMR).
These are examples of devices that your organization has most likely not sufficiently protected and EMRs are usually the most under protected. However, they need to be secured due to the personal information hidden inside medical records that are far more valuable than any single piece of data.
In GovLoop's online training, Cybersecurity for Public Health – A Cyber War Game, expert speakers Mike Hager, the Senior Security Architect for Teradata and Sam Harris, the Director of Cybersecurity for Teradata, discussed the importance of protecting public health data.
Economic growth and delivery of care can be compromised if a hacker gets their virtual hands on a patient’s medical records. Hager reiterates how patient information is extremely valuable because “information creates power.”
People behind these attacks have shifted tactics in recent months. Hackers are moving from computer hacks to “medjacks”, a medical device hijack. Medjackers seek outdated IoT devices then build backdoors into these networks that aren't closely monitored.
When dealing with medjacks, Hager says you need to consider four vital questions:
- What is “it” that needs to be protected?
Hager says that it is impossible to stop attacks that you cannot see. Visibility is key to thwarting an attack. Before this can happen, an organization must know what information is most valuable and thus needs to be protected. “It” can refer to Social Security numbers, medical records, and other individual identifiers.
- Where is “it”?
Multiple types of malware look at different data flows and logins. They are trying to invade through any of these potentially open areas on a daily basis. Attacks can come from an organizational or individual level as well as from a research or social point of entry.
Most importantly, these attackers look like legitimate users. They have real user credentials and hide in plain sight. Ultimately, these hackers are looking for the data that might be in “column five of a Teradata database” or a random Excel sheet with names and addresses.
- How do I have to protect “it”?
Blocking these medjackers requires proper planning, identification and control. Hager explains that if a doctor views compromised patient information, they could administer the wrong drug. Consequently, the hospital could face a major allergic reaction, lawsuit or worse.
Hager suggests looking past just complying with federal requirements and focusing more on minimizing risk. Additionally, security teams must be prepared to act in an agile way when there is a hack.
- Who has access to “it”?
Hager finishes by simply explaining that if you don’t know who has access to your network then you don’t know if someone has access that shouldn’t. Therefore, it is critical to monitor who can and is frequently accessing patient information.
Management must ask these questions in order to prepare for any attack. To read about Hager’s top ten management mistakes, check out the first recap blog. Additionally, you can view the entire online training on-demand right now!