The Challenges of IoMT and Healthcare Security
By now, most of us own smart devices of some kind. Whether you use a voice-activated home assistant like an Amazon Echo or have a thermostat that can be controlled from your phone, there are all different kinds of appliances capable of connecting to the internet and activating features designed to make your life better or easier. When it comes to business, many of the smart, Internet of Things (IoT) devices focus on providing advanced data/analytics to help make more informed decisions. For example, they can automate processes to help improve productivity and lower costs. As organizations begin to incorporate more and more IoT devices in their environments, they also create new challenges in terms of scalability, resource requirements, and security.
Nowhere has this been more prevalent than in the healthcare industry. Usage of IoT devices in medical settings continues to accelerate at a rapid pace, with a recent study by Emergen Research projecting the healthcare industry will spend more than $160 billion on smart devices by 2027. These IoMT (or Internet of Medical Things) elements are intended to not only help doctors and nurses with daily tasks, but can also improve patient care and comfort. Not only can a smartboard provide information about a patient’s medications and allergies, but it can also provide live information about a patient’s condition, including heart rate, blood pressure, glucose levels, and oxygen levels. If a level moves above or below a designated threshold, the nurse on duty can automatically receive a notification on a tablet or other device and take action as necessary. Outcomes tend to be better for all involved thanks to IoMT devices, so it’s no wonder many healthcare institutions are investing heavily in the technology space.
Yet when you rely on such a large number of IoMT devices (some of the most advanced hospital rooms have 20+) in life-or-death situations, you’re adding a lot of extra endpoints onto your network, each with their own unique structures and vulnerabilities. Keeping them, along with the entire medical facility, secure in such a high stakes industry can be a monumental task – especially when you factor in regular maintenance, updates, and patching. The good news for patients is that their individual risk is quite small, as bad actors tend to target primary hospital operations, using improperly secured devices as an entry point into the network where they can then elevate access to larger machines, systems, and data that can be encrypted and held for ransom.
In one recent event, malware was discovered on a device designed to deliver precise doses of medicine to a patient. The malware was included as part of a patch provided by the vendor, and was only found because the hospital runs extensive testing on all of their devices for several days before returning them to use. Given that many medical facilities don’t have the time, IT staff, or surplus of equipment to pull devices out of service and test them for a week, this is not a standard practice. If the malware infected device had been placed back in a patient room, it could have easily spread to other devices and corrupted the entire network.
Healthcare IT teams have hundreds of devices to monitor and maintain, made by vendors of varying size and quality. Not every device includes access to operating systems, patches, and security testing either, meaning the vendors themselves or an outside managed services provider such as Sentinel takes on the responsibility of updates and maintenance. This can provide some relief to already overworked IT teams, however it also leaves them in the dark on certain devices when it comes to security testing and general usage or placement within the environment. Plus, some IoMT devices don’t have the ability to be patched or can’t be easily replaced if they break and need to be temporarily taken offline. Often a vulnerability will be discovered for a device within days or weeks of release and hospitals will continue to use it for years out of necessity, keeping a close eye and fingers crossed it never winds up exploited.
The U.S. Food and Drug Administration (FDA) regulates medical devices, and shares responsibilities in fighting cybersecurity risks in today’s ever-changing environments. Last year, the FDA began working on changes to the guidance for approving IoMT devices. They want to ensure all new devices have the capability and architecture to support updates and patching, and that this can be done in a timely fashion. The FDA also seeks to ensure customers remain informed of any cybersecurity vulnerabilities that developers discover in their IoMT devices, along with instructions related to patching or at least minimizing the risks posed by those vulnerabilities.
So what can hospitals and other healthcare facilities do today to help protect their IoMT devices along with the rest of their IT environment? There are three primary, rather obvious things to consider.
First, maintain a strong focus on network security. The basics. Know all of the elements/endpoints on your network and how they fit together, develop a routine of regular maintenance/updates/patching, deploy the right security products to provide the best possible coverage, and monitor network activity for any anomalies or suspicious behavior. This is good advice for organizations of all types, but particularly healthcare given the extensive number of devices and endpoints that increase an attack surface area. Fortis by Sentinel offers 24x7x365 endpoint/device monitoring through our Network Operations Center as well as 24x7x365 security monitoring through our Security Operations Center so you can maximize the uptime and protection of your entire infrastructure.
Secondly, operate from a zero-trust security architecture. Assume all users on your network, along with their devices, are not implicitly trusted and must continually validate at every stage of a digital interaction. Yes, this requires more gatekeeping with logins, passwords, and multi-factor authentication to access different areas of your environment. It also means properly segmenting your network, which can be a difficult but worthwhile pursuit as it significantly lowers the risk of exploitation by any vulnerable users or devices. Fortis by Sentinel offers a FREE Zero Trust Security Workshop that examines your organization’s position related to the zero trust framework and provides guidance on how to harden your position in alignment with that model.
Many healthcare institutions keep everything connected on a single domain or subdomain in order to keep costs and complexity to a minimum. Some don’t even encrypt sensitive data during transfers or other changes. Micro segmentation creates a lot more pieces that can be difficult and expensive to maintain, but it also isolates critical devices from the rest of the network and can give easy remote access to vendors for faster updates/patching. This is particularly helpful when your IT team doesn’t have control over the security of certain devices and requires the vendor or a contracted managed services provider to step in and fix any vulnerabilities. Just remember that even though the IT department may not be able to control every single device on the network, they can implement plenty of other large scale security measures to keep things as safe as possible.
Lastly, an important way to keep healthcare environments secure is to invest in the right technology and talent. Obviously budgeting creates a whole other set of challenges, particularly as the healthcare system has been so overwhelmed since the start of the pandemic. Asking for more money to hire IT staff and purchase security solutions/services is nearly impossible for many healthcare institutions. But honestly, the costs associated with developing and deploying a proper security strategy end up paying off in the long run. This is particularly true if it helps you avoid a major security breach and/or ransomware attack that could result in hundreds of thousands of dollars (or more) spent to remedy the situation. Sentinel offers managed services and support services for your healthcare environment that can help remove some of the burden from your overworked/understaffed IT team. We handle the maintenance, patching, and updates on covered devices, and remain always available in the event of an outage or other technical issues that may arise. Fortis also has a Virtual Chief Information Security Officer (vCISO) service that enables your organization to have a certified expert available at a fraction of the cost of a full-time hire who works with you to develop and implement a smart security strategy tailored to your environment. Contact us to learn more!
For their part, IoMT device manufacturers are learning from their customers. Many new devices are being built with scalability in mind, so coverage can grow as a healthcare network or system does. They also understand institutions often keep devices in use for years after a vulnerability has been discovered, so the focus has shifted to ensuring new devices are as secure as possible when they hit the market, then maintaining that protection when new features and updates are installed. A lot of maintenance and patches are handled through the cloud as well these days, improving accessibility and reducing risk. While prices for a majority of IoMT devices have risen in recent years, the hope is that these modifications will significantly extend their lifespan and usability to more than make up for the higher cost.
Did you know Sentinel has a dedicated National Healthcare Innovations team? They are responsible for providing our healthcare customers with guidance, solutions, services, and support surrounding technology initiatives. The goal is to ensure all healthcare institutions have the best possible tools to deliver the highest quality patient care with a particular focus on easing the burdens faced by doctors, nurses, and other key medical staff. If you are interested in learning more about the latest developments and new IoMT devices or would simply like some additional help with the development and implementation of your healthcare IT initiatives, please contact Fortis by Sentinel today for more information!