Blog
IoT devices are everywhere, especially in healthcare organizations. Learn how to support these devices and ensure security and compliance.
Organizations of all kinds are starting to recognize just how important it is to create better policies surrounding the Internet of Things (IoT). The sometimes small and simple devices that make up the IoT can be hard to identify and monitor, especially when large organizations are dealing with complex user environments.
The global IoT market grew 22% in 2021, and analysts expect it to grow at a CAGR of 22% to reach $525 billion from 2022 to 2027. So the IoT and the challenges it poses to networks aren’t going anywhere anytime soon. This guide covers some key considerations for supporting IoT within your organization.
What are IoT devices?
IoT devices collect and exchange information with other devices and systems over a network using standard wired and wireless protocols. These devices, or “things,” are everything from heating and cooling systems to printers and scanners. Modern “smart” buildings also have many different sensors and equipment that communicate with one another.
Examples include:
- Voice assistants (like Google Home or Alexa)
- Wearables (watches or vitals-monitoring tools)
- Lighting
- Thermostats
- Cameras
- Appliances (garage door openers, smart refrigerators)
- Vehicles
Businesses are now packed with IoT devices you may not even consider. Many organizations also include sensors detecting motion, fire, or flood and equipment like smart elevators or HVAC systems. Access and asset control systems and credit card readers are other examples of how businesses commonly use the IoT.
IoT devices in healthcare
Healthcare organizations, whether inpatient or outpatient, rely on all the device types we've covered so far to accommodate patients, family members, and staff. But they also have a unique suite of equipment that allows them to provide a better standard of care. Examples of IoT devices in healthcare settings include:
- Physiological monitors (wired and wireless)
- IV pumps
- Infusion pumps
- Portable EKG, X-ray, ultrasound machines
- Blood pressure cuffs
- Thermometers
- Heart rate sensors
- Remote patient monitoring (RPM) systems
- Glucose monitors
Healthcare has emerged as one of the biggest industries to use IoT equipment and remains at the forefront of innovation.
How IoT devices enter an organization
So, how does IoT tech get into a company and its network environment? There are three main ways:
- Through IT: Here, devices tend to be well-understood, adequately secured, and managed per organization policy
- Through the business units: This equipment is apt to be implemented without IT involvement
- Employees, visitors, and guests: These devices are entirely uncontrolled and unmanaged
Ideally, each vector must adhere to policies the organization created for the network in an effort to keep risks at a minimum. Security threats can be serious, especially when IoT devices include those connected to financial or health information.
Identifying and profiling IoT devices
What happens when IoT devices aren’t complying with policies? To have the best outcome, the organization needs the means to identify and support them properly. A well-defined and clearly communicated process is required so that workflows aren’t disrupted.
You can’t secure or manage what you can’t see, so tools that automatically identify devices and alert when users come on and off the network become necessary. In the case of IoT, if you’re not watching, you could have security gaps from a misconfigured or unpatched device. And people can also get frustrated when devices don't perform as they expect.
This is where automated discovery tools can help. They not only provide device visibility but can also put users in the right network segment or security zone, so equipment works as intended.
Asset management and other considerations
Discovering and profiling are essential to understanding how to apply non-destructive security controls. It is always best to take a risk-based approach to IoT security. Many IoT devices are deceptively simple, performing mundane tasks like temperature monitoring or step counting. But they could introduce a vulnerability or unknown point of entry for a threat actor.
These questions should be asked during the onboarding process to evaluate risk:
- How was the device evaluated before it was put into service?
- How reputable is the manufacturer?
- Do they have an established product and reputation?
- What areas depend on the device, and how sensitive is the information being captured and collected?
- How will that device or sensor be managed and monitored?
IoT devices can have wildly different life cycles. Some are obsolete in just a few years, while others have been in use for a decade or more. As a result, keeping track of this equipment and its status, vulnerabilities, and even location can be challenging.
Every organization will have its own way of monitoring. But regardless of the method, it’s important not to lose track of these devices, and there should be some way to check if they are still being used. A client could become compromised if no one is paying attention to it, so there are potential security issues at play.
This is a great time to put some kind of technology in place to help with network monitoring if you don’t already have these assets. And ensure IoT devices are part of that monitoring system.
Spectrum sharing
IoT systems often use the same unlicensed frequency bands that Wi-Fi does, especially the 2.4 GHz band. If careful spectrum planning does not take place, these systems can interfere with each other and the enterprise Wi-Fi network. The resulting interference can, in some cases, be worse than interference from other Wi-Fi networks because many IoT systems do not use 802.11 and follow their own channel access rules.
Governance, risk, and compliance
Each employee, partner, or contractor who brings in an IoT device needs to be responsible for understanding regulatory requirements and the organization’s rules. One or several regulatory requirements might apply. For example, credit card machines and the networks they use have to comply with the PCI security standards, and some healthcare systems must comply with HIPAA and HITECH.
Post the applicable policies and establish clear expectations. If an asset-management policy already exists, it may sufficiently cover IoT devices. But if it doesn’t, you might consider adding examples of IoT tech since these devices are becoming a regular part of daily business.
If you don’t have a policy, you can create one. Look for templates online that can be easily modified to fit your organization's needs. IT and compliance departments will play a vital role in constructing appropriate policies and enforcing them.
Proper governance of the devices in terms of utilization, effectiveness, and compliance needs to live with the business leaders or owners, however. Who is most responsible for those devices? It’s typically not entirely on the IT department, though many people think they should take responsibility. But IT can’t make decisions on its own about what a device is doing or how well it’s serving its needs.
Communicate with business leaders to know where your IoT devices are, what they are, and how they're being used.
Increasing IoT and W-Fi performance monitoring with 7SIGNAL
The spectrum analysis capabilities of 7SIGNAL’s Sapphire Eye® help IT staff identify the presence of wireless IoT systems operating in the unlicensed bands, including non-Wi-Fi IoT systems. Sometimes these systems are deployed by other groups without the knowledge of IT, so their presence and performance impact on the enterprise Wi-Fi network goes undetected. Both Sapphire Eye and Mobile Eye® will help identify areas where interference from IoT systems causes a significant performance impact on the enterprise Wi-Fi network.
Contact 7SIGNAL to learn more about our solutions.
7SIGNAL® is a leader in enterprise cloud Wi-Fi performance management. Founded by wireless networking pioneers, the company delivers applications that continuously monitor the stability of its clients' Wi-Fi networks in order to mitigate risk. The 7SIGNAL platform is designed for the world's most innovative organizations, educational institutions, hospitals, and government agencies and is currently deployed at IBM, Kaiser Permanente, Nike, and other Fortune 500 companies. 7SIGNAL continuously monitors the connectivity of an estimated 20 million global devices. Learn more at www.7signal.com.