More than 50% of medical devices are unmanaged, which means they can communicate with other connected devices, systems, or networks to transmit data, but aren’t protected by or don’t support traditional monitoring tools, such as security agents and scans. With the growing number of unmanaged medical and non-medical devices and sensors in hospitals and clinics, the risks to patient safety tend to escalate.
In this article, part of our Internet of Medical Things (IoMT) security playbook series, we explore:
Connected medical devices have limited security controls, but the risks to hospitals’ cybersecurity go beyond IoMT itself. Let’s dive into the top hurdles of Internet of Medical Things security.
In the first half of 2022, as well as in the three previous years, the healthcare sector has been the number one target of data breaches, according to the Identity Theft Resource Center (ITRC).
Concerns are not only with confidential medical data but also with patient care disruptions that might have life-threatening consequences. After all, the threat landscape has evolved with the rise of ransomware as a lucrative business model for criminals.
The healthcare device ecosystem is highly connected – beyond smart medical devices that are touching the patient or directly providing care. The growing number of devices connected to the internet – over 55 billion by 2025, as per IDC – leads to an increased attack surface, too.
Printers, self-check-in tablets, surveillance systems, smart lighting systems, and temperature control for vaccine storage are just a few examples of enterprise IT, Internet of Things (IoT), and operational technology (OT) in medical facilities. Hacking a smart TV in a waiting room might open the door to threats that can move laterally in often poorly segmented hospital networks and cause disruptions to patient care.
The complexity of the healthcare tech stack, due to a diverse number of devices and types of systems, makes it harder to track assets and manage their vulnerabilities. For example, hospitals need to deal with a great number of medical device vendors, each one with its own, little-known proprietary operating system. In addition, many of those devices are mobile — think of infusion pumps being moved from one room to another, which can lead to misplacement or loss.
Since medical and clinical devices are regulated and built intentionally as walled hardware to achieve a specific outcome (for example, administering a medication), they usually don’t accommodate external software. As a result, they cannot be secured through traditional endpoint agents, nor easily updated or patched.
Effective patch management is a significant concern given that cybercrime and nation-state actors have focused on discovering vulnerabilities or unpatched systems as a main method of attack, according to the 2021 Microsoft Digital Defense Report.
Medical devices don’t come with strong security controls because their design is based on desired outcomes and regulatory requirements.
The U.S. Food and Drug Administration (FDA), which regulates medical devices, has a list of cybersecurity guidances, but manufacturers are not required by law to follow them. However, currently under consideration in the Senate is the PATCH Act, a bill that would help to make manufacturers accountable for securing and patching new medical devices.
Medical devices generally have a longer lifecycle than consumer technology. Due to concerns over patching or restrictions due to FDA certifications, the operating systems and software running these devices may go untouched and unpatched for fear of rendering the device inoperable and impacting patient care.
Since medical equipment is expensive to replace, devices may even be operating outside the supported lifetime of the software they are running. An MRI machine, for example, might cost more than $400,000. Investments in hospital technology involve planning, training, and government subsidies.
Medical device manufacturers are taking new approaches, creating their own vendor-managed networks – in other words, an isolated portion of the hospital network that is specific to their devices. For example, a vendor might have 30 patient monitors placed behind a proprietary gateway, creating different layers of visibility.
Vulnerability scans don’t provide real-time and continuous monitoring. In addition, they depend on the Common Vulnerability Scoring System (CVSS) and cannot understand context. Other methods such as network access control (NAC) are also unable to examine the behavior of devices, as the scenarios below suggest:
Medical devices have different sensitivities. You don’t know how a specific operating system (OS) will respond to the protocols of a vulnerability scanner. When the communication deviates from the expected, the device might crash.
If you are doing a scan through a workstation, the end user can likely tolerate the disruption, but a medical device malfunction while touching a patient can negatively affect care (for example, if the device stops working in the middle of surgery).
A typical hospital network is flat and divided between biomedical and corporate IT security teams, creating silos. IT is concerned with cybersecurity, while biomedical teams focus on clinical usage. Traditionally, VLANs keep both sides separated, but they’re not designed for security.
Exposure to the IT side of the house increases risks. In fact, many threats start on the IT side, as in the case of the WannaCry malware, which spread through computers running Microsoft Windows. As per Armis research, 40% of healthcare organizations suffered from the WannaCry attack.
Healthcare delivery organizations often lack the visibility to expand their vulnerability management programs to medical devices. Asset inventory is often a manual effort where healthcare professionals do a site survey, literally walking through every single room to see what they have and writing it down in an Excel sheet.
Improved Internet of Medical Things security requires a holistic, automated inventory of every digital asset (IT, OT, IoT, and IoMT), regardless of who purchased them (IT or biomedical teams). In order to support today’s healthcare innovations, hospitals need a comprehensive cybersecurity and asset management solution that is able to monitor all devices, including those that cannot accommodate security agents.
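The two points above (active scans can crash sensitive devices, and a manual site survey cannot keep an inventory current) both argue for building the inventory from traffic that the devices already generate. The following is an added illustration written for this article, not Armis code: it derives an asset list, a rough IT/OT/IoT/IoMT classification, and a managed/unmanaged flag from flow metadata alone, so nothing ever probes the device. The flow records, the OUI-to-vendor table, and the agent-console export are constructed sample data; the port numbers are the common IANA assignments for each protocol, but the rule that maps a protocol to a category is this example's own assumption.

```python
"""Passive, agentless asset inventory built from observed network flows.

Added example for illustration; not the product's code. All sample data
below is constructed.
"""
from dataclasses import dataclass, field

# Well-known server ports used as classification hints. Port numbers are the
# common IANA assignments; mapping a protocol to a category is our own rule.
SERVICE_PORTS = {
    104: ("dicom", "IoMT"),
    11112: ("dicom", "IoMT"),
    2575: ("hl7-mllp", "IoMT"),
    47808: ("bacnet", "OT"),
    502: ("modbus", "OT"),
    1883: ("mqtt", "IoT"),
    445: ("smb", "IT"),
    3389: ("rdp", "IT"),
    389: ("ldap", "IT"),
    80: ("http", None),    # too generic to classify a device on its own
    443: ("https", None),
}

# Constructed OUI -> vendor table (placeholder values, not the IEEE registry).
OUI_VENDORS = {
    "02:aa:01": "Example Infusion Co",
    "02:aa:02": "Example Building Controls",
    "02:aa:03": "Example PC Maker",
    "02:aa:04": "Example Display Co",
}

# Constructed flow records: (src_mac, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("02:aa:01:00:00:01", "10.10.1.21", "10.10.9.5", 2575),    # pump -> HL7 interface engine
    ("02:aa:01:00:00:01", "10.10.1.21", "10.10.9.8", 443),
    ("02:aa:01:00:00:02", "10.10.1.22", "10.10.9.6", 104),     # imaging modality -> PACS
    ("02:aa:02:00:00:01", "10.10.3.40", "10.10.9.40", 47808),  # HVAC controller -> BMS
    ("02:aa:03:00:00:01", "10.10.5.15", "10.10.9.10", 445),    # workstation -> file server
    ("02:aa:03:00:00:01", "10.10.5.15", "10.10.9.11", 389),
    ("02:aa:04:00:00:01", "10.10.7.70", "10.10.9.20", 1883),   # waiting-room TV -> MQTT broker
    ("02:aa:04:00:00:02", "10.10.7.71", "10.10.9.21", 80),     # unknown device, HTTP only
]

# Constructed export from an assumed endpoint-agent console: MACs with an agent.
AGENT_MANAGED = {"02:aa:03:00:00:01"}


@dataclass
class Asset:
    mac: str
    vendor: str
    ips: set = field(default_factory=set)
    services: set = field(default_factory=set)
    category: str = "unknown"
    managed: bool = False


def build_inventory(flows, agent_managed):
    """Fold flow records into one Asset per source MAC; no packets are sent."""
    assets = {}
    for mac, src_ip, _dst_ip, dst_port in flows:
        vendor = OUI_VENDORS.get(mac[:8], "unknown")
        asset = assets.setdefault(mac, Asset(mac=mac, vendor=vendor))
        asset.ips.add(src_ip)
        name, category = SERVICE_PORTS.get(dst_port, (f"port/{dst_port}", None))
        asset.services.add(name)
        # A clinical protocol (IoMT) is the strongest signal and overrides
        # an earlier guess; otherwise the first decisive protocol wins.
        if category and (asset.category == "unknown" or category == "IoMT"):
            asset.category = category
        asset.managed = mac in agent_managed
    return assets


def unmanaged_assets(assets):
    """MACs of devices with no endpoint agent, i.e. the unmanaged population."""
    return sorted(a.mac for a in assets.values() if not a.managed)


def unmanaged_share(assets):
    """Fraction of discovered assets that are unmanaged (0.0 when empty)."""
    if not assets:
        return 0.0
    return len(unmanaged_assets(assets)) / len(assets)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS, AGENT_MANAGED)
    for a in inventory.values():
        print(a.mac, a.vendor, a.category, "managed" if a.managed else "UNMANAGED", sorted(a.services))
    print(f"unmanaged share: {unmanaged_share(inventory):.0%}")
```

In a real deployment the flow records would come from a SPAN/TAP feed or NetFlow export rather than a list, and the classification would use many more signals (DHCP fingerprints, TLS certificates, DICOM association metadata) than a destination port; the structure, however, stays the same: observe, correlate per device, never probe.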
As an agentless and 100% passive platform, Armis discovers and classifies all assets and monitors network traffic in real time without relying on security agents or scans. Here’s a preview of what complete asset inventory management looks like with Armis:
Armis provides additional context about each asset – and that’s critical to securing the healthcare system. You need to understand, for example, when a tablet is, in fact, being used as a medical device because there’s an ultrasound component connected to it.
Armis then calculates a risk management score for each asset, so that your team can prioritize IoMT vulnerabilities with the potential to impact patient safety the most. Our cybersecurity and asset management platform maps to vulnerability and compliance databases and pulls in FDA alerts. In case of a threat, Armis can automate blocking or quarantining actions via integrations with your existing infrastructure, such as firewalls, NAC, or switches.
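To make the idea of a patient-safety-weighted priority concrete, here is an added example written for this article; it is not Armis's scoring algorithm, whose details are not described on this page. It takes the highest CVSS base score among an asset's unpatched vulnerabilities and adjusts it for the factors the article highlights: whether the device touches a patient, whether it is exposed to the flat IT network, whether it can be patched at all, and whether it matches an FDA alert. The weights, the formula, the sample assets and the `fda_alert` flag are all assumptions made for illustration.

```python
"""Patient-safety-weighted risk prioritization for discovered assets.

Added example; the weights and formula are assumptions, not the product's
scoring model. Sample assets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    name: str
    category: str          # IT, OT, IoT or IoMT
    max_cvss: float        # highest CVSS base score among known unpatched vulns
    patient_contact: bool  # device delivers care or touches the patient
    exposed_to_it: bool    # reachable from the flat corporate VLAN
    patchable: bool        # vendor and FDA status allow patching
    fda_alert: bool        # matched an FDA safety communication (assumed flag)


# Assumed impact weights: clinical devices carry the most patient-safety weight.
IMPACT_WEIGHT = {"IoMT": 1.0, "OT": 0.7, "IT": 0.5, "IoT": 0.4}


def risk_score(a: AssetRisk) -> float:
    """Scale CVSS by context and clamp to the 0-10 range (assumed formula)."""
    score = a.max_cvss * IMPACT_WEIGHT.get(a.category, 0.5)
    if a.patient_contact:
        score *= 1.5   # failure can directly harm a patient
    if a.exposed_to_it:
        score *= 1.3   # reachable from where most intrusions start
    if not a.patchable:
        score *= 1.2   # the weakness will persist; compensating controls needed
    if a.fda_alert:
        score += 1.0   # regulator already flagged this device family
    return round(min(score, 10.0), 2)


def recommend(a: AssetRisk) -> str:
    """Map a score to a response that can be automated via NAC/firewall."""
    s = risk_score(a)
    if s >= 8 and a.exposed_to_it:
        return "quarantine"            # isolate now; it is both critical and reachable
    if s >= 5:
        return "segment-and-monitor"   # move off the flat VLAN, watch behaviour
    return "monitor"


def prioritize(assets):
    """Highest score first; ties broken by patient contact, then IT exposure."""
    return sorted(
        assets,
        key=lambda a: (risk_score(a), a.patient_contact, a.exposed_to_it),
        reverse=True,
    )


# Constructed sample assets.
SAMPLE_ASSETS = [
    AssetRisk("infusion pump", "IoMT", 9.8, True, True, False, True),
    AssetRisk("MRI console", "IoMT", 7.5, True, False, False, False),
    AssetRisk("waiting-room TV", "IoT", 9.8, False, True, True, False),
    AssetRisk("nurse workstation", "IT", 7.0, False, True, True, False),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSETS):
        print(f"{risk_score(a):5.2f}  {recommend(a):20s}  {a.name}")
```

Note how the waiting-room TV and the infusion pump share the same CVSS 9.8 yet land in different queues: the raw score alone would rank them equally, while the context-adjusted score puts the pump at the top and turns its exposure to the IT network into an immediate quarantine decision.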
See in action what Armis can do to secure medical and non-medical devices in healthcare environments. Request a custom demo now.
Threats have the potential to create harm by stealing, damaging, or disrupting operations, while vulnerability refers to weakness in hardware, software, or procedures.
Threats take advantage of vulnerabilities. For example, WannaCry is a malware threat that exploits vulnerabilities in the Windows SMBv1 server.
There are three main types of threats:
– Intentional threats refer to purposeful actions to cause damage. For example, phishing and ransomware.
– Unintentional threats refer to actions caused by mistake, negligence, or lack of knowledge. For example, giving the wrong form to a patient.
– Natural threats refer to meteorological or geological events that can cause harm. For example, natural disasters such as earthquakes and hurricanes can lead to the destruction of data centers.