When it comes to the Internet of Medical Things (IoMT), healthcare providers have powerful tools at their disposal for capturing and contextualizing vast troves of data useful for improving care outcomes and driving profitability. Securing your IoMT network is critical to not only the benefits of your connected devices and network infrastructure, but also prevent catastrophic digital attacks.
Globally, there are around 420 million connected medical devices in deployment, with a further 70 million or so devices expected to be installed by the end of 2019, according to BI Intelligence. With IoMT devices so prevalent, cybersecurity is fast becoming a critical success factor for forward-looking healthcare delivery organizations.
What is IoMT?
Before we dive into the strategic and technical details, let’s define our terms. The term IoMT generally refers to two groups of devices. The first group is connected medical devices like patient monitors, lab devices and in vitro diagnostic products.
The second group is made up of devices that support clinical administration and operational workflows, which includes assets such as nurse calling devices, label printers, sensors and controllers.
While it might be tempting to approach these technologies with a set it and forget it approach, the way in which you configure, maintain and interact with your IoMT devices can have a large impact on the security of your network. A review of more than 30 hospitals found that 61% of devices are at risk, offering would-be intruders no shortage of actionable attack vectors through which they can compromise your entire organization, according to CyberMDX .
Thankfully, some of the most common risk factors associated with IoMT devices can be addressed with a combination of software solutions and strict governance. These risks and their remediations include:
– Devices with default passwords: Set unique, strong credentials for all devices and services.
– Unpatched software: Set a routine patching schedule and monitor for urgent patching needs.
– Rogue software: Audit devices for rogue software and conduct uninstalls as appropriate; restrict permissions to prevent future rogue installs.
– Unauthorized network access: Configure the Network Access Control system with better defined and more vigilant security policies.
– Device misuse: Restrict internet browsing to pre-approved whitelisted destinations, allowing new destinations upon request.
– Malicious activity: Ongoing surveillance of your IoMT network to proactively identify and patch potential vulnerabilities, reducing the likelihood that attackers can compromise the system.
– Lack of containment: It’s important to not only prepare to repel attacks before they land, but to have controls in place that allow you to contain and expel them should they pass through your defenses. To this end, you should construct and enforce a network segmentation regime not only at the perimeter, but internally around endpoint groups that share similar clinical applications and network workflows.
The good news is that these risks can be largely marginalized with a little due diligence and strategic planning. The bad news is that, if left unaddressed, every device at risk represents a potential point of failure.
Real-world consequences of these vulnerabilities are significant
Data breaches are no small issue for any business, but healthcare organizations have even more to lose. Whereas other industries only have to worry about customer data, healthcare organizations must contend with the possibility that a breach can put patient safety at risk. A successful breach essentially opens the door for attackers to interfere with — or even shut down — the delivery of care.
In the healthcare industry, the cost of a data breach is roughly double the global average of data breaches in other industries. Some of the most high-profile healthcare breaches have seen millions of patient records stolen in a single instance, and all it takes is one vulnerable device to provide a malicious actor with access.
Establish a live inventory for asset management
The steep costs associated with a cyberattack should be enough to convince any conscientious healthcare provider of the need for a comprehensive and proactive cybersecurity strategy. Crafting such a strategy requires first understanding where the typical gaps occur and then moving to fill them.
Perhaps the most foundational aspect of your IoMT security strategy is automating inventory management of the connected assets in your deployment. Some sort of directory should be produced to reflect all the devices in need of protection and where they lay within your network topography. Once you have eyes on the whole of your digital domain, you can begin to intelligently plan for its sustained protection. In other words, you can’t secure what you don’t see.
The importance of automation
With a continually expanding network of connected devices, automation is key. Healthcare networks are becoming rapidly more complex, forcing some IT teams to fall into a keep the lights on pattern rather than a more proactive, big picture approach. Automation can boost processes across the board, saving time and resources while also increasing coverage.
Any automatic mapping solution should include high granularity device classifications, which not only account for a wide range of devices in detail, but also place those devices within the context of the organization and the wider healthcare ecosystem. For example, your automated mapping solution should recognize the difference between a device that captures personal health information and one that doesn’t. Your solution must then be able to prioritize the more sensitive devices from a security standpoint.
While automatically identifying and classifying medical devices according to the most predictive operational and cyber factors is critical to IoMT success; it’s also far easier said than done. With so many different variables interacting in a fast changing regulatory, protocol and human behavior ecosystem, rule-based, programmable logic alone is ill-suited to the task. In an effort to avoid a Sisyphean predicament, smart solutions often enlist machine learning technology to assist in the process.