Medical staff misusing internet-connected equipment caused nearly half of all IoT security issues, beating outdated software as the leading concern.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A Zingbox report finds that user misuse of devices is responsible for 41% of the IoT-related security incidents in the healthcare industry, followed by 33% being the fault of outdated software/operating systems.
- Users need to be trained on the security risks of the devices they use, and measures such as IP filtering and network segmentation need to be implemented to reduce risks.
A report released by IoT security firm Zingbox puts the blame squarely on users for security issues associated with medical IoT devices, stating that 41% of those issues were due directly to bad user practices.
Outdated OSes and software account for another 33% of IoT security issues, so asset misuse isn't the only culprit, though it is the largest share.
Zingbox's study focuses on medical IoT, but it isn't only pertinent to the healthcare world—misuse of internet-connected devices is a possibility everywhere.
How medical IoT devices are being misused
The most common internet-connected device in the medical industry in the infusion pump, which is used to deliver drugs and fluids to patients intravenously and accounts for 46% of all IoT deployments. Connecting these devices to the internet is a huge boon for busy hospitals, as it allows nurses and doctors to monitor patients remotely instead of having to be bedside.
Infusion pumps are practically a nonissue in terms of cybersecurity risks, only accounting for two percent of security problems. Contrast that to imaging systems, which only account for 19% of IoT deployments—they're the source of 51% of security issues.
SEE: Enterprise IoT Research 2017: Benefits, Trends, and Security Concerns (Tech Pro Research)
Now examine the breakdown of the kinds of security issues caused by users: Rogue application installation, browsing the internet, and visiting risky websites are how employees generate security issues.
Put two and two together, and you get a clear picture of how IoT device users are causing a problem: They're surfing the web unsafely on devices that shouldn't be used for such.
Combined with the fact that 33% of medical IoT device security issues are caused by outdated OSes and software, and you have a recipe for disaster that, in many cases, can't be helped if the device manufacturer isn't releasing updates to its software.
Mitigating internet-connected risks
What's an IT department to do when outdated software combines with employee equipment misuse to create the perfect storm of cybersecurity risks? Zingbox has some recommendations:
- IP filter any IoT device that can access a web browser. Lock it down so it can only access sites needed to accomplish work, and not get out to the web.
- Perform a risk assessment for all internet-connected devices. Determine where the biggest area of risk is and start planning to fix problems starting there.
- Implement a targeted micro-segmentation plan for devices that have to run on older/outdated/unpatched OSes.
It's also essential to train employees on the use of internet-connected equipment and the risks that it carries. Users should know the kinds of security risks inherent with device use and how to avoid them.
If an outdated OS is causing a security risk, contact the machine's vendor and find out if software patches have been released, or what it recommends to improve security.
The number of devices connected to the internet isn't going to decrease anytime soon. IoT device security is going to continue climbing the ranks of security risks—take time now to head it off before a major incident.
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- An Internet of Things 'crime harvest' is coming unless security problems are fixed (ZDNet)
- Why won't enterprises take IoT security seriously? (TechRepublic)
- Akamai: IoT the new 'shadow IT' of the enterprise (ZDNet)
- Report: 77% of companies say IoT has created 'significant' security gaps (TechRepublic)