“Shadow” Devices Expose Networks To New Threats

Posted on June 4, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new report by security vendor Infoblox suggests that threats posed by “shadow” personal devices connected to healthcare networks are getting worse.

The study, which looks at healthcare organizations in the US, UK, Germany, and UAE, notes that the average organization has thousands of personal devices connected to their enterprise network. Including personal laptops, Kindles and mobile phones.

Employees from the US and the UK report using personal devices connected to their enterprise network for multiple activities, including social media use (39%), downloading apps (24%), games (13%) and films (7%), the report says.

It would be bad enough if these pastimes only consumed network resources and time, but the problem goes far beyond that. Use of these shadow devices can open up healthcare networks to nasty attacks. For example, social media is increasingly a vector of malware infection, where bad actors launch attacks successfully urging them to download unfamiliar files.

Health IT directors responding to the study also said there were a significant number of non-business IoT devices connected to their network including fitness trackers (49%), digital assistants like Amazon Alexa (47%), smart TVs (46%), smart kitchen devices such as connected kettles of microwaves (33%) and game consoles such as the Xbox or PlayStation (30%).

In many cases, exploits can take total control of these devices, with serious potential consequences. For example, one can turn a Samsung Smart TV into a live microphone and other smart TVs could be used to steal data and install unwanted apps.

Of course. IT directors aren’t standing around and ignoring these threats and have developed policies for dealing with them. But the report argues that their security policies for connected devices aren’t as effective as they think. For example, while 88% of the IT leaders surveyed said their security policy was either effective or very effective, employees didn’t even know it was in effect in many cases.

In addition, 85% of healthcare organizations have also increased their cybersecurity spending over the past year, and 12% of organizations have increased it by over 50%. Most HIT leaders appear to be focused on traditional solutions, including antivirus software (60%) and cybersecurity investments (57%). In addition, more than half of US healthcare IT professionals said their company invests in encryption software.

Also, about one-third of healthcare IT professionals said the company is investing in employee education (35%), email security solutions and threat intelligence (30%). One in five were investing in biometric solutions.

Ultimately, what this report makes clear is that health IT organizations need to reduce the number of unauthorized personal devices connected to their network. Nearly any other strategy just puts a band-aid on a gaping wound.