Free WiFi and IoT adoption in hospitals: What about security?

Introducing wireless broadly in hospitals provides many benefits. First and foremost is improved healthcare service. Use of e-prescriptions is expected to cut the number of prescription errors in half. Use of self-monitoring wearables by patients, connected to the local WiFi network, allows medical staff to be alerted to issues more quickly.

An example is the automatic and continuous measurement of blood glucose levels, as more than one-fifth of diabetics stated they have experienced 'largely avoidable' hypoglycaemic episodes while in hospital. Secondly, wireless networking allows greater efficiencies to reduce administrative tasks, free up clinical time by processing patient data once, preferably at the patient bedside, and ultimately lower healthcare costs.

Thirdly, easily available WiFi in hospitals gives a more positive patient experience. No one enjoys a hospital stay. Allowing patients to use their smartphones or other devices to go online lets them keep in touch with family and friends, or watch on-demand television, helping to support faster recovery.

So it’s not a big surprise that the UK Health Secretary Jeremy Hunt pledged in December 2015 to use the £1bn NHS technology fund to have free WiFi in every NHS building by 2020, to improve patient treatment and bring down costs.

Is there a downside to all these benefits?

Personally, I am not too concerned about my medical records, but that’s probably because I am healthy and not a celebrity. How different would it be if I wanted to sign up for life insurance and my complete historical medical record were suddenly part of the acceptance procedure, resulting in an increased life insurance cost? Or, say I am changing jobs, and, to my surprise, I don’t get the job due to 'unstated previous psychological issues' which became available to my new would-be employer? And it can become much worse: what if a heart-monitoring appliance suddenly fails due to unexpected network activities caused by hackers?

Are we doomed to stay in the Dark Ages?

To answer this question we need to look a bit deeper at the underlying issues. With the use of wireless comes the challenge of mobility, and we need to distinguish many different use-cases:

  • Medical staff using tablets to access medical data from patients at any location in the hospital
  • Healthcare appliances used throughout the hospital in a flexible way to allow the most efficient use of these expensive and critical medical devices
  • Patients using wearables to continuously monitor their health status even when they are walking around
  • Patients and visitors using personal mobile devices

As a result, the healthcare network has become very dynamic and the challenge is to know which devices/users are connected to the network and who should have access to which data. Network segmentation is a good solution to address this challenge. However, static VLAN assignment as it was used in the old days is no longer sufficient. Instead, hospitals need dynamic segmentation: as soon as a user or device connects to the network, it needs to be assigned to the right VLAN based on the user, the device, the compliance status of the device and the location.
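The dynamic segmentation decision described above, sketched as an added example (not code from the article or from any vendor product). The segment names, VLAN IDs, zone labels and device classes are constructed assumptions; the reply attributes are the RFC 3580 tunnel attributes commonly used for RADIUS-driven VLAN assignment.

```python
from dataclasses import dataclass

# Constructed segment plan; VLAN IDs and names are illustrative assumptions.
SEGMENTS = {
    "clinical-staff": 110,
    "medical-devices": 120,
    "patient-wearables": 130,
    "guest": 200,
    "remediation": 900,
    "quarantine": 999,
}
CLINICAL_ZONES = {"ward", "icu", "theatre"}  # assumed location labels


@dataclass(frozen=True)
class Endpoint:
    user_role: str      # "staff", "patient", "visitor" or "" for headless devices
    device_class: str   # result of agentless classification
    compliant: bool     # e.g. MDM agent and disk encryption verified
    location: str       # zone of the access point or switch port


def assign_segment(ep: Endpoint) -> str:
    """Evaluate on every connect; anything unrecognised is quarantined."""
    if ep.device_class == "medical-appliance":
        # Shared appliances roam, but only within clinical zones.
        return "medical-devices" if ep.location in CLINICAL_ZONES else "quarantine"
    if ep.device_class == "wearable" and ep.user_role == "patient":
        return "patient-wearables"
    if ep.device_class == "corporate-tablet" and ep.user_role == "staff":
        # A corporate device that fails its compliance check gets remediation only.
        return "clinical-staff" if ep.compliant else "remediation"
    if ep.device_class == "personal" and ep.user_role in {"patient", "visitor", "staff"}:
        return "guest"
    return "quarantine"


def radius_reply(segment: str) -> dict:
    """RFC 3580 tunnel attributes an access device uses for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(SEGMENTS[segment]),
    }


if __name__ == "__main__":
    tablet = Endpoint("staff", "corporate-tablet", compliant=False, location="ward")
    print(assign_segment(tablet), radius_reply(assign_segment(tablet)))
```

The final `return "quarantine"` is the important line: an endpoint that matches no rule lands in an isolated segment rather than inheriting whatever VLAN the port or SSID was statically configured with.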

And with the challenge of mobility and the use of Internet of Things (IoT) devices comes the challenge of how to identify all these different endpoints. Patients will not allow the installation of software agents on their personal devices. Clinical devices, in general, don’t allow the use of supplicants either. Using an agentless solution to discover and classify devices is therefore mandatory.

The next challenge has to do with data privacy. With medical staff using mobile devices to store and access patient records, data breaches are likely to continue – for instance, when a medical device is lost or stolen. A Mobile Device Management (MDM) solution and/or hard-disk encryption are possible solutions, but then you must be able to guarantee that the MDM agent and/or encryption is working properly. And, with the new European General Data Protection Regulation, penalties in the instance of a data breach can become very significant – as high as 4 per cent of annual turnover.

A fourth challenge is rogue networks: how to ensure that the medical staff is connected to the corporate trusted hospital wireless network and not the public or rogue wireless network when exchanging confidential information.

A last challenge, not specific to hospitals but applicable for all organisations dealing with a large variety of corporate, personal and IoT devices, has to do with hardening the network and minimising the security attack surface to prevent a security breach in the first place. Hospitals need automated policies to protect individual network components through routine and periodic evaluation, including updating security patches on corporate devices as soon as they connect and disabling all unnecessary ports and services.

See. Control. Orchestrate.

You cannot protect what you cannot see. UK healthcare organisations can overcome the security risks linked to free WiFi and IoT adoption by deploying an agentless network access control solution to gain optimum visibility into their endpoint landscape, plus one that continuously monitors devices coming on and off the network. Equally important, they need to be able to control these devices and orchestrate information sharing and operation among disparate security tools to accelerate incident response. Last but not least, the solution needs to easily integrate with leading network, security, mobility and IT management products to overcome security silos, automate workflows and, therefore, enable significant cost savings.

Jan Hof, International Marketing Director, ForeScout Technologies