IoT security strategy from those who use connected devices

Freeman Health System has around 8,000 connected medical devices in its 30 facilities in Missouri, Oklahoma, and Kansas. Many of these devices have the potential to turn deadly at any moment. “That’s the doomsday scenario that everyone is afraid of,” says Skip Rollins, the hospital chain’s CIO and CISO.

Rollins would love to be able to scan the devices for vulnerabilities and install security software on them to ensure that they aren’t being hacked. But he can’t.

“The vendors in this space are very uncooperative,” he says. “They all have proprietary operating systems and proprietary tools. We can’t scan these devices. We can’t put security software on these devices. We can’t see anything they’re doing. And the vendors intentionally deliver them that way.”

The vendors claim that their systems are unhackable, he says. “And we say, ‘Let’s put that in the contract.’ And they won’t.”

That’s probably because the devices could be rife with vulnerabilities. According to a report released earlier this year by healthcare cybersecurity firm Cynerio, 53% of medical devices have at least one critical vulnerability. For example, devices often come with default passwords and settings that attackers can easily find online, or are running old, unsupported versions of Windows.

And attackers aren’t sleeping. According to Ponemon research released last fall, attacks on IoT or medical devices accounted for 21% of all healthcare breaches – the same percentage as phishing attacks.

Read the full article at Network World.