The Internet of Things (IoT) is becoming an integral part of everyday life, whether we know it (and love it) or not. Most industries have embraced IoT technologies because of their benefits to businesses and consumers. In healthcare, IoT, also known as the Internet of Medical Things (IoMT), often performs life-saving tasks that are fundamental to a patient's health and well-being.
Malfunctions or failures in a device's functionality can have significant or even fatal consequences; therefore, IoMT vulnerabilities must be considered and managed. Additionally, the interconnectivity of Industry 4.0 means that even seemingly innocuous IoT devices – like CVCs, smart locks, smart switches, and smart cameras – pose a risk to the critical environment of healthcare delivery organizations (HDOs).
IoT (and IoMT) devices are inherently vulnerable. More than 50% of IoT and IoMT devices contain critical vulnerabilities, and these highly accessible devices often lack the necessary built-in security measures, a recipe for disaster.
Additionally, IoT devices are sought out by malicious actors for the data they access and collect (protected health information (PHI) has the highest monetary value) and for the connectivity they provide. The combination of the demanding healthcare environment and the high-risk nature of IoT devices means security is imperative.
Despite the widespread understanding of the risks posed by IoT devices, security in this domain remains weak and rudimentary, with IoT security projects down by as much as 16% in 2021.
Layer 2: Limited visibility means weak authentication
IoT security begins with device authentication, ensuring that network access is granted only to authorized devices and individuals. IoT devices are not compatible with 802.1X, which means this authentication protocol is unsuitable for them.
There are alternative authentication protocols, such as MACsec and MAB, which both rely on a device's MAC address for authentication, using Layer 2 data packets to identify this indicator. However, a database of MAC addresses must be created and maintained; more importantly, MAC addresses are easily forged, and some devices don't even have a MAC address, which makes MACsec and MAB weak authentication protocols.
As a result, IoT devices can be incorrectly authenticated or bypass authentication altogether, gaining access to the network and putting the organization in serious danger. Ultimately, the weakness of these protocols is visibility: Layer 2 data isn't enough to identify IoT devices, and a major concern for HDOs is that they lack the visibility needed to authenticate IoT devices properly.
Layer 1 device security: security begins with visibility
Complete visibility, and consequently reliable authentication of IoT devices, requires data from the physical layer (Layer 1 device security). Instead of relying on traffic monitoring, Layer 1 signal data, such as noise level, voltage, signal timing, current, and more, provides deeper insight into device characteristics for accurate identification.
Unlike a MAC address, Layer 1 measurements cannot be changed, nor can devices hide by operating passively or out of band. Additionally, such visibility enables the detection of anomalies in device behavior that could indicate device tampering.
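To make the contrast between the Layer 2 and Layer 1 passages concrete, here is a small simulation written for this article; it is not code from the original page or from any vendor's product. It models a MAB-style allowlist decision (MAC address only) next to a decision that also compares constructed physical-layer measurements (voltage, edge timing, noise) against a per-device baseline. All MAC addresses, baselines, tolerances and observations are constructed sample values, and the feature names and tolerance figures are assumptions chosen for illustration, not measurements from real hardware.

```python
"""Toy comparison: MAC-only (MAB-style) authentication vs. MAC plus a Layer 1 fingerprint.

Every value below is constructed for illustration. Real physical-layer profiling
uses hardware probes and far richer feature sets; the point here is only the
decision logic, not the measurement method.
"""
from dataclasses import dataclass

# Constructed allowlist, as a MAB deployment would maintain it.
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60"}


@dataclass(frozen=True)
class Fingerprint:
    """Assumed Layer 1 features: supply voltage (V), signal edge time (ns), noise floor (dB)."""
    voltage_v: float
    edge_ns: float
    noise_db: float


# Constructed per-device baselines learned during an enrollment period.
# Note that 00:1a:2b:3c:4d:60 is allowlisted but was never profiled.
BASELINES = {
    "00:1a:2b:3c:4d:5e": Fingerprint(voltage_v=3.30, edge_ns=12.0, noise_db=-58.0),
}

# Assumed tolerance per feature; a distance of 1.0 means "at the edge of tolerance".
TOLERANCE = Fingerprint(voltage_v=0.10, edge_ns=1.5, noise_db=3.0)


@dataclass(frozen=True)
class Observation:
    """What the authenticator sees for one device: its claimed MAC plus measured Layer 1 features."""
    mac: str
    fingerprint: Fingerprint


def mab_decision(obs: Observation) -> str:
    """MAC-only check: anything presenting an allowlisted MAC is admitted."""
    return "allow" if obs.mac in ALLOWED_MACS else "deny"


def fingerprint_distance(observed: Fingerprint, baseline: Fingerprint) -> float:
    """Largest per-feature deviation, normalised by that feature's tolerance (Chebyshev distance)."""
    return max(
        abs(observed.voltage_v - baseline.voltage_v) / TOLERANCE.voltage_v,
        abs(observed.edge_ns - baseline.edge_ns) / TOLERANCE.edge_ns,
        abs(observed.noise_db - baseline.noise_db) / TOLERANCE.noise_db,
    )


def layer1_decision(obs: Observation, threshold: float = 1.0) -> str:
    """MAC allowlist plus physical fingerprint match.

    Returns "deny" for unknown MACs, "quarantine" when the MAC is allowlisted but the
    physical signature is missing or does not match, and "allow" otherwise.
    """
    if obs.mac not in ALLOWED_MACS:
        return "deny"
    baseline = BASELINES.get(obs.mac)
    if baseline is None:
        # Allowlisted but never profiled: there is nothing to verify against yet.
        return "quarantine"
    if fingerprint_distance(obs.fingerprint, baseline) > threshold:
        # Allowlisted MAC on a device whose electrical signature does not match the baseline.
        return "quarantine"
    return "allow"


# Constructed observations: the genuine device with normal drift, an unknown MAC,
# an allowlisted MAC on hardware whose signature differs from the baseline, and an
# allowlisted device that was never profiled.
OBSERVATIONS = {
    "genuine": Observation("00:1a:2b:3c:4d:5e", Fingerprint(3.33, 12.4, -57.0)),
    "unknown": Observation("de:ad:be:ef:00:01", Fingerprint(3.30, 12.0, -58.0)),
    "mismatched": Observation("00:1a:2b:3c:4d:5e", Fingerprint(3.18, 15.8, -49.0)),
    "unprofiled": Observation("00:1a:2b:3c:4d:60", Fingerprint(5.01, 8.2, -61.0)),
}


def evaluate(observations: dict[str, Observation]) -> dict[str, tuple[str, str]]:
    """Return (MAB decision, Layer 1 decision) for each named observation."""
    return {name: (mab_decision(o), layer1_decision(o)) for name, o in observations.items()}


if __name__ == "__main__":
    for name, (mab, l1) in evaluate(OBSERVATIONS).items():
        print(f"{name:<11} MAB={mab:<6} Layer1={l1}")
```

The "mismatched" case is the one the article is about: the MAC-only check admits it because the address is on the list, while the Layer 1 check sends it to quarantine because the measured signature does not fit the enrolled baseline. The "unprofiled" case shows a practical caveat: a physical-layer approach only helps once a baseline exists, so enrollment has to be part of the deployment plan rather than an afterthought.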
With complete visibility into IoT devices, HDOs can be confident that device authentication is accurate and reliable, and that the authorization processes built on it are as well. With improved device authentication and authorization, the risks IoT devices pose to healthcare are minimized: unauthorized devices are denied access to the network, and authorized devices are properly managed and controlled.
The interconnection of IoT devices means that a single exploited vulnerability can significantly disrupt healthcare operations – and when lives are at stake, the risk is too great to take. The only way to secure IoT devices and minimize their threat to healthcare is to control their network access, whether blocking a device or restricting and closely monitoring its access. Such control starts with authentication and relies on full transparency, which can only be achieved by going all the way down to Layer 1.