More than 50% of medical devices are unmanaged, which means they can communicate with other connected devices, systems, or networks to transmit data, but aren’t protected by or don’t support traditional monitoring tools, such as security agents and scans. With the growing number of unmanaged medical and non-medical devices and sensors in hospitals and clinics, the risks to patient safety tend to escalate.
In this article, part of our Internet of Medical Things (IoMT) security playbook series, we explore:
- The unique challenges of medical device security in the healthcare ecosystem.
- Security strategies to mitigate IoMT vulnerabilities that might put patient care in jeopardy.
Top 10 Challenges of IoMT Security
Connected medical devices have limited security controls, but the risks to hospitals’ cybersecurity go beyond IoMT itself. So let’s dive into the top hurdles of the Internet of Medical Things security.
1. Sophisticated Threats Targeting the Healthcare Industry
Concerns are not only with confidential medical data but also with patient care disruptions that might have life-threatening consequences. After all, the threat landscape has evolved with the rise of ransomware as a lucrative business model for criminals.
2. Coexistence of OT, IT, IoT, and Medical Devices Expands the Attack Surface
The healthcare device ecosystem is highly connected – beyond smart medical devices that are touching the patient or directly providing care. The growing number of devices connected to the internet – over 55 billion by 2025, as per IDC – leads to an increased attack surface, too.
Printers, self-check-in tablets, surveillance systems, smart lighting systems, and temperature control for vaccine storage are just a few examples of enterprise IT, Internet of Things (IoT), and operational technology (OT) in medical facilities. Hacking a smart TV in a waiting room might open the door to threats that can move laterally in often poorly segmented hospital networks and cause disruptions to patient care.
3. Complexity of the Healthcare Environment
The complexity of the healthcare tech stack, due to a diverse number of devices and types of systems, makes it harder to track assets and manage their vulnerabilities. For example, hospitals need to deal with a great number of medical device vendors, each one with its own, little-known proprietary operating system. In addition, many of those devices are mobile — think of infusion pumps being moved from one room to another, which can lead to misplacement or loss.
4. Medical Devices Don’t Accommodate Agents
Since medical and clinical devices are regulated and built intentionally as walled hardware to achieve a specific outcome (for example, administering a medication), they usually don’t accommodate external software. As a result, they cannot be secured through traditional endpoint agents, nor can they be easily updated or patched.
Effective patch management is a significant concern given that cybercrime and nation-state actors have focused on discovering vulnerabilities or unpatched systems as a main method of attack, according to the 2021 Microsoft Digital Defense Report.
5. IoMT Devices Lack Built-in Security
Medical devices don’t come with strong security controls because their design is based on desired outcomes and regulatory requirements.
The U.S. Food and Drug Administration (FDA), which regulates medical devices, has a list of cybersecurity guidances, but manufacturers are not required by law to follow them. However, currently under consideration in the Senate is the PATCH Act, a bill that would help to make manufacturers accountable for securing and patching new medical devices.
6. Legacy Technology Poses Cybersecurity Risks
Medical devices generally have a longer lifecycle than consumer technology. Because of concerns over patching, or restrictions tied to FDA certifications, the operating systems and software running these devices may go untouched and unpatched for fear of rendering the device inoperable and impacting patient care.
Since medical equipment is expensive to replace, devices may even be operating outside the supported lifetime of the software they are running. An MRI machine, for example, might cost more than $400,000. Investments in hospital technology involve planning, training, and government subsidies.
7. Vendor-managed Servers Hinder Medical Asset Visibility
Medical device manufacturers are taking new approaches, creating their own vendor-managed networks – in other words, an isolated portion of the hospital network that is specific to their devices. For example, a vendor might have 30 patient monitors placed behind a proprietary gateway, creating different layers of visibility.
8. Scans and NAC Don’t Understand Context
Vulnerability scans don’t provide real-time and continuous monitoring. In addition, they depend on the Common Vulnerability Scoring System (CVSS) and cannot understand context. Other methods such as network access control (NAC) are also unable to examine the behavior of devices, as the scenarios below suggest:
- The medical device might be bouncing between the corporate and guest networks and introducing new risks.
- The device might be offline when the scan is running.
- The device might have a peripheral accessory attached to it — for example, a battery component of an infusion pump.
9. Vulnerability Scans Can Disrupt Care
Medical devices have different sensitivities. You don’t know how a specific operating system (OS) will respond to the protocols of a vulnerability scanner. When the communication deviates from the expected, the device might crash.
If you are doing a scan through a workstation, the end user can likely tolerate the disruption, but a medical device malfunction while touching a patient can negatively affect care (for example, if the device stops working in the middle of surgery).
10. Poor Segmentation Between Clinical Engineering and IT Networks
A typical hospital network is flat and divided between biomedical and corporate IT security teams, creating silos. IT is concerned with cybersecurity, while biomedical teams focus on clinical usage. Traditionally, VLANs keep both sides separated, but they are not designed for security.
Exposure to the IT side of the house increases risks. In fact, many threats start on the IT side, such as the case of WannaCry malware, which spread through computers operating Microsoft Windows. As per Armis research, 40% of healthcare organizations suffered from the WannaCry attack.
How to Stay on Top of IoMT Vulnerabilities
Healthcare delivery organizations often lack the visibility to expand their vulnerability management programs to medical devices. Asset inventory is often a manual effort where healthcare professionals do a site survey, literally walking through every single room to see what they have and writing it down in an Excel sheet.
Improved Internet of Medical Things security requires a holistic, automated inventory of every digital asset (IT, OT, IoT, and IoMT), regardless of who purchased them (IT or biomedical teams). In order to support today’s healthcare innovations, hospitals need a comprehensive cybersecurity and asset management solution that is able to monitor all devices, including those that cannot accommodate security agents.
As an agentless and 100% passive platform, Armis discovers and classifies all assets and monitors network traffic in real time without relying on security agents or scans. Here’s a preview of what complete asset inventory management looks like with Armis:
Armis provides additional context about each asset – and that’s critical to securing the healthcare system. You need to understand, for example, when a tablet is, in fact, being used as a medical device because there’s an ultrasound component connected to it.
Armis then calculates a risk management score for each asset, so that your team can prioritize IoMT vulnerabilities with the potential to impact patient safety the most. Our cybersecurity and asset management platform maps to vulnerability and compliance databases and pulls in FDA alerts. In case of a threat, Armis can automate blocking or quarantining actions via integrations with your existing infrastructure, such as firewalls, NAC, or switches.
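To make the ideas in this chapter concrete, here is an added example (not Armis code, and not the platform's actual algorithm) of what an agentless, passive inventory can do that a scan or NAC check cannot: it builds an inventory purely from observed traffic, reclassifies a tablet as a medical device because it speaks DICOM (the ultrasound-component case above), flags a device that hops between the corporate and guest VLANs (scenario from challenge 8) and a medical device living outside the clinical VLAN (challenge 10), and ranks assets so that patient-facing devices come first. The observations, MAC addresses, advisory identifiers, CVSS values and scoring weights are all constructed placeholders.

```python
"""Passive asset inventory with context-aware classification and risk ranking.

Added illustration, not the vendor's implementation. Every observation,
advisory and weight below is constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed passive observations: (mac, vlan, protocol, peer).
# A real collector would derive these from a SPAN/TAP feed, not from a list.
OBSERVATIONS = [
    ("00:1a:11:00:00:01", "clinical", "HL7", "ehr-gateway"),
    ("00:1a:11:00:00:01", "clinical", "HL7", "ehr-gateway"),
    ("00:1a:11:00:00:02", "corporate", "HTTPS", "tablet-mgmt"),
    ("00:1a:11:00:00:02", "corporate", "DICOM", "pacs"),  # tablet with ultrasound attached
    ("00:1a:11:00:00:03", "corporate", "SMB", "fileserver"),
    ("00:1a:11:00:00:03", "guest", "HTTPS", "internet"),  # same device later seen on guest VLAN
    ("00:1a:11:00:00:04", "iot", "RTSP", "nvr"),
]

# Constructed advisory feed (placeholder identifiers): mac -> [(advisory_id, cvss)].
ADVISORIES = {
    "00:1a:11:00:00:01": [("FDA-ALERT-PLACEHOLDER", 7.5)],
    "00:1a:11:00:00:03": [("SMBV1-ADVISORY-PLACEHOLDER", 9.8)],
}

MEDICAL_PROTOCOLS = {"HL7", "DICOM"}  # any of these => treat the asset as a medical device
CLINICAL_VLANS = {"clinical"}
FLAG_PENALTY = 2.0                     # assumed weight per behavioural finding
PATIENT_IMPACT_MULTIPLIER = 2.0        # assumed weight for devices that may touch a patient


@dataclass
class Asset:
    mac: str
    vlans: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    sightings: int = 0

    @property
    def category(self) -> str:
        # Context rule: protocol behaviour decides, not what the hardware looks like.
        if self.protocols & MEDICAL_PROTOCOLS:
            return "medical"
        if "RTSP" in self.protocols:
            return "iot"
        return "it"

    @property
    def flags(self) -> list:
        flags = []
        # Seen on the guest VLAN and at least one other network: lateral-movement risk.
        if "guest" in self.vlans and len(self.vlans) > 1:
            flags.append("network-hopping")
        # A medical device outside the clinical VLAN is a segmentation failure.
        if self.category == "medical" and (self.vlans - CLINICAL_VLANS):
            flags.append("medical-outside-clinical-vlan")
        return flags


def build_inventory(observations) -> dict:
    """Fold raw sightings into one Asset per MAC; no agent and no probe needed."""
    inventory = {}
    for mac, vlan, proto, peer in observations:
        asset = inventory.setdefault(mac, Asset(mac))
        asset.vlans.add(vlan)
        asset.protocols.add(proto)
        asset.peers.add(peer)
        asset.sightings += 1
    return inventory


def risk_score(asset: Asset, advisories: dict) -> float:
    """Worst known CVSS plus behavioural findings, weighted by patient impact (assumed formula)."""
    worst_cvss = max((cvss for _, cvss in advisories.get(asset.mac, [])), default=0.0)
    score = worst_cvss + FLAG_PENALTY * len(asset.flags)
    if asset.category == "medical":
        score *= PATIENT_IMPACT_MULTIPLIER
    return round(score, 2)


def prioritize(observations, advisories) -> list:
    """Return (mac, category, score, flags) tuples, highest risk first."""
    inventory = build_inventory(observations)
    ranked = sorted(inventory.values(), key=lambda a: risk_score(a, advisories), reverse=True)
    return [(a.mac, a.category, risk_score(a, advisories), a.flags) for a in ranked]


if __name__ == "__main__":
    for mac, category, score, flags in prioritize(OBSERVATIONS, ADVISORIES):
        print(f"{mac}  {category:8}  risk={score:5.2f}  {flags}")
```

Note how the tablet (`…:02`) carries no advisory at all and would look harmless to a CVSS-only scan, yet the DICOM traffic both reclassifies it as a medical device and exposes that it sits on the corporate VLAN; conversely the workstation (`…:03`) is found on both corporate and guest networks, something a point-in-time scan could never observe. The weights are deliberately simple placeholders; the point is that behaviour and context, not just a CVSS number, drive the ranking.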
See in action what Armis can do to secure medical and non-medical devices in healthcare environments. Request a custom demo now.
Frequently Asked Questions
Threat vs vulnerability: What’s the difference?
Threats have the potential to create harm by stealing, damaging, or disrupting operations, while a vulnerability refers to a weakness in hardware, software, or procedures.
Threats take advantage of vulnerabilities. For example, WannaCry is a malware threat that exploits vulnerabilities in the Windows SMBv1 server.
What are the different types of threats?
There are three main types of threats:
- Intentional threats refer to purposeful actions to cause damage, for example phishing and ransomware.
- Unintentional threats refer to actions caused by mistake, negligence, or lack of knowledge, for example giving the wrong form to a patient.
- Natural threats refer to meteorological or geological events that can cause harm. For example, natural disasters such as earthquakes and hurricanes can lead to the destruction of data centers.
Check out all IoMT Playbook Chapters:
- Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
- Chapter 2 – The Hurdles of Internet of Medical Things Security 👈 you are here
- Chapter 3 – A history of medical device hacking
- Chapter 4 – How to mitigate ransomware in healthcare
- Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices
- Chapter 6 – How to improve patient data security
- Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities
- Chapter 8 – How to spot the top indicators of compromise in healthcare
- Chapter 9 – The fundamentals of medical device cybersecurity
- Chapter 10 – Which role can you play in strengthening cybersecurity in healthcare moving forward?