Hospitals rely heavily on medical devices and Internet of Medical Things (IoMT) devices to provide quality patient care and improve outcomes. With an average of 10-15 medical devices per bed in a US hospital, a 1,000-bed hospital could have as many as 15,000 medical devices to manage. Unfortunately, with the proliferation of medical devices and IoMT, an ever-expanding attack surface is emerging.
Cyberattacks on medical devices can result in misdiagnosis or missed treatment, which can result in serious injury or death, as well as significant business and reputational damage. Because these assets are critical to their mission, healthcare organizations must work diligently to secure them.
Vulnerabilities in medical devices and IoMT are raising fears among clinicians, biomedical engineers, CISOs, and network security administrators, and with good reason. Securing these assets presents many challenges.
- Clinical networks are not the same. IoMT and medical devices are difficult to manage because they are “headless” – meaning a security agent cannot be installed on them to monitor and enforce compliance. Many of these devices are sensitive to active probing and scanning, which can cause service disruption or, worse, damage to assets. Additionally, they share information and communicate with many endpoints, which makes them effective pathways for an attack to spread.
- Separate management from other cyber assets. Medical devices and IoMT are managed separately from other connected devices by clinicians and bioengineers whose primary concern is medical safety, including recall tracking. To gather the data needed to update the CMMS, biomed managers still move room by room, floor by floor, carrying clipboards and counting. As a result, security teams have a fragmented view of their digital landscape, riddled with blind spots and risks.
- Supply chain vulnerabilities and third-party maintenance. Not only are medical devices and IoMT not managed by IT; often they are not managed within the healthcare system at all. Typically, FDA-regulated medical devices must be serviced by the manufacturer or a specialized service company. As a result, the hospital’s IT team does not know when such devices have security vulnerabilities or when a patch will be available (example: Access:7).
- Escalating data breaches. The wealth of sensitive personal and financial data managed by hospitals and healthcare systems, along with well-known cybersecurity vulnerabilities, make the healthcare sector an inviting target for cyberattacks. In the past three years, 93% of healthcare organizations have experienced a data breach, and 57% have had more than five breaches.
- Underinvestment in cybersecurity. Healthcare organizations typically allocate 5% to 6% of their IT budget to cybersecurity, versus 11-12% for more mature industries. This makes it harder to recruit skilled talent who demand high pay and want access to the latest technologies.
Recommended course of action
A complete solution requires continuous, automated detection, assessment, and control of ALL cyber assets in your environment, including medical devices and IoMT, without disrupting patient care.
- Know what’s on your network. The core problem is to fully understand what is connected to your network. You cannot protect what you cannot see. Visibility requires the discovery, classification, and assessment of each asset upon connection and continuously thereafter. Sensitive, non-agent-enabled devices must be visible and managed.
- Design context-aware segmentation policies. Segmentation limits the attack surface by limiting communication between assets to what should be communicating with each other and isolating vulnerable devices until they can be patched. This is especially important for legacy devices that are essential to patient care but are no longer supported by the manufacturer. Without segmentation, an attack on part of the network spreads laterally. The vast majority of threats can be mitigated with the right segmentation, so you don’t have to worry about the next vulnerability and the next.
- Automate repetitive tasks. With resources scarce, IT teams are unable to assess all devices in real time and confirm that each device meets security policies and regulatory requirements, let alone take appropriate action. Cybersecurity must be managed holistically: a platform that holds the asset inventory and its assessment data can automatically control network access, enforce asset compliance, and coordinate incident response to minimize propagation and disruption.
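As an added example (not from the original article), a small Python model of the three recommendations above: an inventory built from passive classification, an allow-list segmentation policy between device classes, and an automated check that flags observed flows which fall outside the policy or touch a device that should be isolated until patched. Device classes, ports and addresses are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    device_class: str       # from passive classification, never from active scanning
    vendor_supported: bool  # False for legacy devices the manufacturer no longer supports
    patched: bool           # False while a known vulnerability remains open

# Constructed allow-list of which device classes may talk to which, on which ports.
# Anything not listed is denied; that default is what stops lateral spread.
POLICY = {
    ("infusion_pump", "pump_server"): {443},
    ("imaging_modality", "pacs"): {104},   # DICOM
    ("workstation", "pacs"): {104, 443},
}

def isolated(assets):
    """IPs to hold in an isolation segment until they can be patched or replaced."""
    return {a.ip for a in assets.values() if not a.vendor_supported or not a.patched}

def evaluate(assets, flows):
    """Check observed (src, dst, port) flows against POLICY; return (violations, isolated_ips)."""
    quarantine = isolated(assets)
    violations = []
    for src, dst, port in flows:
        s, d = assets.get(src), assets.get(dst)
        if s is None or d is None:
            violations.append(((src, dst, port), "unknown asset"))   # inventory blind spot
        elif src in quarantine or dst in quarantine:
            violations.append(((src, dst, port), "isolated asset"))  # no reach until patched
        elif port not in POLICY.get((s.device_class, d.device_class), set()):
            violations.append(((src, dst, port), "not in segmentation policy"))
    return violations, quarantine
# Constructed sample inventory and flows (hypothetical addresses).
SAMPLE_ASSETS = {a.ip: a for a in [
    Asset("10.1.1.10", "infusion_pump", True, True),
    Asset("10.1.1.11", "infusion_pump", False, True),  # end-of-support pump
    Asset("10.1.2.10", "pump_server", True, True),
    Asset("10.1.3.10", "workstation", True, True),
    Asset("10.1.4.10", "pacs", True, False),           # known vulnerability, patch pending
]}
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.2.10", 443),  # permitted
    ("10.1.1.11", "10.1.2.10", 443),  # legacy pump must stay isolated
    ("10.1.3.10", "10.1.4.10", 104),  # PACS quarantined until patched
    ("10.1.3.10", "10.1.1.10", 22),   # workstation to pump: not in policy
    ("10.1.9.9", "10.1.2.10", 443),   # device nobody knew was on the network
]
def run_sample():
    return evaluate(SAMPLE_ASSETS, SAMPLE_FLOWS)
```

Each violation is a candidate for an automated response (moving the device to an isolation VLAN, opening a ticket) rather than a manual walk of the floors.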
The buck stops at the CISO
Medical devices and IoMT are associated with direct patient care. They are managed within the hospital by clinicians and bioengineers, but are often maintained externally by the manufacturer. Historically, medical devices have not been connected, and too often security is still an afterthought for manufacturers. But make no mistake: they are cyber assets, and often riddled with vulnerabilities and recalls.
Among stakeholders, the CISO is responsible for risk management and compliance for all assets connected to the network: laptops, switches, Zebra printers, badge readers, thermal imaging cameras, pharmacy dispensers, you name it. Incorporating medical devices and IoMT into holistic efforts to secure the digital terrain is the surest way to limit risk and protect patients.