September 28, 2020
Did you know October is Cybersecurity Awareness Month? This year’s theme, Do Your Part. #BeCyberSmart encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity. We gathered additional insights from Cognosante’s Chief Privacy and Security Officer, Steve Gantz by way of four themes:
- If You Connect It, Protect It
- Securing Devices at Home and Work
- Securing Internet-Connected Devices in Healthcare
- The Future of Connected Devices
1: Who should be responsible for securing Internet-connected devices?
There seems to be universal agreement that the proliferation of “Internet of Things” and other connected devices poses a lot of potential risks for keeping sensitive data secure and protecting privacy. This is equally true for devices owned or issued by organizations and for personally owned devices that employees, customers, consumers, or other device users may have. If individuals are the ones selecting and setting up the devices they use, then it makes sense to assign them primary responsibility in securing those devices. It is unrealistic, however, to assume that all end users have the technical knowledge or security and privacy awareness needed to minimize the risks of Internet-connected devices. Device manufacturers, employers, application vendors, and Internet service providers all have both the opportunity and, arguably, the obligation to make sure their Internet-connected devices and apps are used securely.
If You Connect It, Protect It
- What is the best approach to securing Internet-connected devices?
In almost any context, the most accepted approach to security is what’s known as “defense in depth,” which means you put multiple measures in place to increase the overall security posture because if any one protective measure fails you have other safeguards to provide protection. Ideally, there would be security measures applied to the devices themselves, the apps that run on or are accessed using the devices, and the network environment, but not all devices have the same kinds of security and privacy configuration settings available. At a bare minimum, there must be some protection for the home or office network where the connection to the Internet is established. If you can only focus on one aspect of security, then it should be the network that devices are connected to, because the network is the point at which data actually leaves a home or office computing environment.
Securing Devices at Home and Work
- How do security needs differ when working remotely from home versus an office environment?
There are important considerations in both settings, especially if the devices we’re talking about are personally owned rather than company owned (and presumably company configured and managed). When we are talking about devices that an organization owns and provides to its employees for use on the job, the goal should be to configure the devices so they are adequately secured no matter where they are used. Lots of companies have written policies that, for example, tell their employees not to connect devices to unsecure wireless networks (like those in coffee shops, airports, or other publicly accessible locations). Those policies may be well intentioned, but it is better if you secure the devices so their use is protected regardless of whether they are connected to corporate networks, home networks, or public networks.
There are many security management tools available that let organizations enforce appropriate use of company-issued devices and many types of personally-owned devices such as smartphones and tablets. These tools tend to be less helpful for securing the use of Internet-connected devices commonly found in home environments, like smart speakers, wifi video cameras, televisions and game consoles, or even kitchen appliances. Securing these kids of Internet-connected devices can be complicated because there are actions to take with the devices themselves and with online accounts or user profiles associated with the devices.
There have been several well-publicized incidents where hackers gained access to Internet-connected devices like video monitoring cameras or smart speakers. The unauthorized outsiders typically do not directly attack the devices installed in users’ homes, but instead break into online accounts that enable remote access to the devices inside people’s homes. The best defense against these sorts of attacks boils down to good cyber hygiene practices – use unique, strong passwords for each online account or web-based service; enable two-factor authentication if it is available; and make sure any default passwords or device settings are changed during the initial setup and connection of the devices.
Securing Internet-Connected Devices in Healthcare
- What additional security considerations apply to health-related Internet-connected devices?
For health-related devices, it can again be helpful to clarify if we are talking about Internet-connected devices being used in a clinical setting like a hospital or a doctor’s office or if we are talking about devices consumers use in their own homes or locations outside clinical settings. While there are lots of security mechanisms that can and should be used in either case, when devices are used in healthcare settings their use is governed by federal security and privacy regulations like HIPAA. Regulatory requirements also may apply to health device manufacturers, but generally do not apply to the individuals who use these devices, even if that use includes transmitting data to doctors or other healthcare providers.
Where this has gotten really complicated is when health-related information is uploaded or stored by device vendors or service providers (think of smart watches, fitness trackers, blood glucose monitors, heart rate monitors, etc.) who are not healthcare providers and so are not subject to the same regulations about protecting personal data. Anyone who wants to use one of these devices needs to understand what privacy protections are provided by the vendors or service providers to whom the devices send data. Unfortunately, many consumers don’t take the time to educate themselves or to understand even what the default settings are on these devices and applications so they end up disclosing a lot more personal data than they intended to.
The Future of Connected Devices
- What should we expect in the future for Internet-connected devices?
Even before people started spending most of their time at home due to the COVID-19 pandemic, there has been rapid growth in the market for Internet-connected devices. The obvious extension of this trend is that we will see more devices with embedded Internet connectivity so we either need consumers and employees to become more savvy about securing the devices they use or we need the vendors and application developers to build more security and privacy protections in the products they sell. Ideally, we would see both, but the first step might just be building awareness.
Most consumers would probably be surprised by how many devices are in their own homes that have Internet connectivity available (whether or not it is turned on). In most cases, this kind of connectivity is marketed as a convenience but device owners need to spend some time thinking about what information these devices collect, where that data gets sent, and how it will be (or could be) used; and balance the benefits against the potential threats to privacy or safety.