Oct 13, 2022

Chapter 1: How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface

IT/OT convergence playbook

With the rise of the Internet of Medical Things (IoMT), the healthcare ecosystem is getting smarter – but more vulnerable to cyberattacks, too.

From robotic arms that aid surgeries to wearable or ingestible sensors that pair with your smartphone to monitor your health, connected medical devices are a market in expansion. Smart hospitals are expected to deploy over 7 million IoMT devices by 2026 – more than twice that of 2021, per Juniper Research.

What is the Internet of Medical Things (IoMT)?

As a subset of the Internet of Things (IoT) in healthcare, the Internet of Medical Things refers to connected healthcare devices and applications. Since medical devices are not designed with security in mind, they are often vulnerable to cyberattacks — and have become a growing target of cybercrime.

So you should get prepared.

IDC predicts there will be over 55 billion Internet of Things (IoT) devices by 2025. And it’s concerning that 57% of healthcare security professionals don’t fully understand the risks associated with unmanaged and IoT devices, according to our report on IoT security. There’s even a lack of understanding of what counts as Internet of Things in healthcare:

  • 48% think that MRIs, X-ray, and ultrasound machines that connect to the network don’t count as IoT technology.  
  • 41% think that biomedical devices (infusion pumps, ventilators, crash carts) that use Wi-Fi or Bluetooth don’t count as IoT-enabled devices. 

This knowledge gap hinders hospitals’ ability to implement the right medical device security solution. IoMT devices are often unmanaged and, as such, more vulnerable than managed computers because they cannot be secured with traditional security tools, such as agents and scans.

IoMT examples that expand your cybersecurity attack surface

Trends of digital transformation in healthcare have increased the push for IoMT technology. But while implementing those innovations, it is equally important to build hospital cybersecurity resilience along the way.

Here are four IoMT examples to take into account when identifying your cyber attack surface — that is, all the possible entry points for unauthorized access.

  • Robotic surgery. With the use of robotic arms, doctors can perform more complex and precise procedures – even remotely. These procedures are considered less invasive and have use cases such as coronary artery bypass and mitral valve surgery.
  • Remote monitoring. Personal emergency response systems (PERS) and remote patient monitoring (RPM) solutions can send automatic alerts in case of distress.
  • Wearable devices. Sensors and trackers can monitor sleep patterns, glucose levels, blood pressure, electrocardiogram patterns etc. Devices and supporting platforms certified by regulatory or health authorities include pills that track the ingestion of medicaments, neurostimulators that offer relief from chronic pain, and pacemakers with remote heart rate monitoring functions.
  • Automated drug delivery. Connected infusion pumps and smart drug dispensing cabinets in hospitals enable the automated delivery of medication and can be controlled through the internet.

These connected devices could potentially be exploited to malfunction and cause harm to patients. Attackers might also use medical devices as a back door to break into hospital networks. Health data breaches are another concern. A report from the U.S. Government Accountability Office shows that the number of reported breaches involving protected health information (PHI) is increasing yearly, reaching 714 breaches of more than 500 records last year.

Risks go beyond connected medical devices

The convergence with devices that are not necessarily medical, but are used as such, also expands the attack surface. For example, vendors are using Samsung Galaxy and Raspberry Pi to power medical devices as a way to lower costs. This clinical usage poses a security blind spot, especially if your security tool thinks it’s dealing with a tablet, rather than understanding that it might have, for example, an ultrasound component connected to it.

Traditional IT devices such as printers in doctors' offices and operational technology (OT) – think of pressure settings for infection control during surgeries – also pose cybersecurity risks. From check-in kiosks to nurse call systems and defibrillators, patients are surrounded by devices throughout their hospital stay. Another example of the pervasiveness of IoT in healthcare is the increased use of surveillance webcams to help protect physicians and nurses from growing workplace violence.

To learn more about healthcare cybersecurity, download our white paper on medical and IoT device security.

IoMT device security requires comprehensive asset visibility

Asset visibility is critical not only to increased hospital cybersecurity but also to improved operational efficiency and return on investment (ROI). Hospitals can better understand:

  • Where is the device located? When and how is it used?
  • What are the risks associated with the device? Is it patched?

This type of information helps both clinical teams with device utilization trends and cybersecurity personnel with vulnerability management.

Start with medical device inventory

For comprehensive device inventory and visibility, your cybersecurity solution needs to identify all assets in your environment (on and off-network), including those that cannot accommodate security agents. The monitoring needs to be continuous and passive because scans are disruptive and can cause devices to crash.

The Armis platform can do that, and more. Armis discovers, classifies, and provides additional context about each asset. A comprehensive device inventory generates information such as category, manufacturer, FDA classification, operating system version, installed applications, connections, activities, risk factors, and more.

Image of Armis platform showing the connections of an infusion pump

Armis can understand not only what the device is and what it is doing, but also what it should be doing. Armis compares real-time device activity to historical behavior and baselines stored in our Collective Asset Intelligence Engine — the world’s largest device knowledge base, tracking over two billion assets and growing. Real-time monitoring is critical to detect threats and trigger proactive incident remediation.
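The two ideas above, passive inventory without scanning the device and comparison of live activity against a learned baseline, can be illustrated in a few lines of Python. The following is an added example written for this chapter, not Armis code and not a description of how the Armis platform is implemented. It assumes flow records as a network tap or SPAN port would report them (source MAC, source IP, destination IP, destination port); the flow records, the MAC-prefix-to-vendor table and the vendor names are all constructed for the example, and the port-to-protocol hints treat 104 (DICOM) and 2575 (HL7 MLLP) as the conventional defaults.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed flow records as a passive tap would report them:
# (source MAC, source IP, destination IP, destination TCP port).
# Nothing here probes a device; the inventory is derived purely from
# traffic already on the wire, so fragile devices are never touched.
BASELINE_FLOWS = [
    ("aa:bb:cc:01:02:03", "10.1.5.20", "10.1.9.10", 2575),  # pump -> HL7 interface engine
    ("aa:bb:cc:01:02:03", "10.1.5.20", "10.1.9.11", 443),   # pump -> drug-library server
    ("dd:ee:ff:0a:0b:0c", "10.1.6.40", "10.1.9.30", 104),   # ultrasound -> PACS (DICOM)
    ("dd:ee:ff:0a:0b:0c", "10.1.6.40", "10.1.9.30", 104),
    ("11:22:33:44:55:66", "10.1.7.80", "10.1.9.11", 443),   # check-in kiosk -> web app
]

# Placeholder table mapping the first three MAC octets (OUI) to a vendor.
# A real deployment would use the IEEE registry; these entries are constructed.
OUI_VENDORS = {
    "aa:bb:cc": "ExampleInfusionCo",
    "dd:ee:ff": "ExampleImagingCo",
}

# Port-to-protocol hints. 104 (DICOM) and 2575 (HL7 MLLP) are assumed to be
# the conventional defaults; 443 and 445 are HTTPS and SMB.
PORT_HINTS = {104: "DICOM", 2575: "HL7-MLLP", 443: "HTTPS", 445: "SMB"}


@dataclass
class Asset:
    mac: str
    ip: str
    vendor: str
    protocols: Set[str] = field(default_factory=set)
    peers: Set[Tuple[str, int]] = field(default_factory=set)

    @property
    def category(self) -> str:
        # Heuristic classification from what the device is observed doing,
        # not from an agent on the device.
        if "DICOM" in self.protocols:
            return "imaging"
        if "HL7-MLLP" in self.protocols:
            return "clinical-device"
        return "unclassified"


def build_inventory(flows) -> Dict[str, Asset]:
    """Derive one Asset per source MAC from passively observed flows."""
    inventory: Dict[str, Asset] = {}
    for mac, ip, dst_ip, dst_port in flows:
        vendor = OUI_VENDORS.get(mac[:8], "unknown")
        asset = inventory.setdefault(mac, Asset(mac, ip, vendor))
        asset.protocols.add(PORT_HINTS.get(dst_port, f"tcp/{dst_port}"))
        asset.peers.add((dst_ip, dst_port))
    return inventory


def learn_baseline(flows) -> Dict[str, Set[Tuple[str, int]]]:
    """Record, per device, the set of (destination, port) pairs seen during learning."""
    baseline: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for mac, _ip, dst_ip, dst_port in flows:
        baseline[mac].add((dst_ip, dst_port))
    return dict(baseline)


def detect_deviations(baseline, flows) -> List[Tuple[str, str, int, str]]:
    """Return flows absent from the baseline; a MAC never seen before also deviates."""
    findings = []
    for mac, _ip, dst_ip, dst_port in flows:
        if (dst_ip, dst_port) not in baseline.get(mac, set()):
            proto = PORT_HINTS.get(dst_port, f"tcp/{dst_port}")
            findings.append((mac, dst_ip, dst_port, proto))
    return findings


# Constructed "later" traffic: the ultrasound keeps its normal DICOM pattern,
# while the infusion pump starts talking SMB to a host it never contacted before.
NEW_FLOWS = [
    ("dd:ee:ff:0a:0b:0c", "10.1.6.40", "10.1.9.30", 104),
    ("aa:bb:cc:01:02:03", "10.1.5.20", "10.1.7.99", 445),
]

if __name__ == "__main__":
    inventory = build_inventory(BASELINE_FLOWS)
    for a in inventory.values():
        print(f"{a.mac} {a.ip} vendor={a.vendor} category={a.category} "
              f"protocols={sorted(a.protocols)}")
    baseline = learn_baseline(BASELINE_FLOWS)
    for mac, dst, port, proto in detect_deviations(baseline, NEW_FLOWS):
        print(f"DEVIATION: {mac} ({inventory[mac].category}) -> {dst}:{port} "
              f"[{proto}] not in learned baseline")
```

Run as a script it prints the three discovered assets and a single deviation: the pump reaching a new host over SMB, which is exactly the kind of change a baseline comparison surfaces while the ultrasound's routine DICOM traffic stays quiet. The inventory side never sends a packet, which is the point of passive discovery for devices that crash under active scanning.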

Ready to make the most of your IoMT devices while minimizing risks to patient care? Request a custom demo and discover all Armis can do for your health delivery organization.

Frequently Asked Questions

What is attack surface management?

Attack surface refers to all possible entry points where a security breach could happen. Attack surface management is the process of continuously discovering, mapping, and monitoring those entry points, and then prioritizing measures to prevent breaches.

What is the role of the FDA in securing medical devices?

The U.S. Food and Drug Administration (FDA) is responsible for regulating medical devices. The agency:
– Establishes specific requirements for what counts as a medical device.
– Classifies medical devices into three classes based on their degree of risk. 
– Evaluates the safety and efficacy of medical devices.

What are the FDA cybersecurity guidelines for medical devices?

The FDA’s latest draft guidance for cybersecurity in medical devices outlines recommendations when it comes to device design, labeling, and documentation for premarket submission. 

The document emphasizes the general principle that cybersecurity is part of device safety. The FDA understands device security as a device's ability to meet objectives such as integrity, confidentiality, and timely patchability.

Check out all IoMT Playbook Chapters:

  1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface 👈 you are here
  2. Chapter 2 – The Hurdles of Internet of Medical Things Security
  3. Chapter 3 – A history of medical device hacking
  4. Chapter 4 – How to mitigate ransomware in healthcare
