Jan 3, 2023

Chapter 7: Why healthcare IT security can’t protect against IoMT vulnerabilities


Vulnerability management can help hospitals monitor all their devices, assess risks, prevent threats, and meet compliance requirements. The result is improved cyber resilience, operational continuity and, most importantly, patient safety. 

Yet putting a vulnerability management program into practice ranks among the biggest security challenges for the sector, per the 2021 HIMSS Healthcare Cybersecurity Survey.

In this article, part of our Internet of Medical Things (IoMT) security series, we look at the limitations of traditional IT vulnerability management programs and offer a blueprint for effective assessment of vulnerabilities in the healthcare industry.

Explosive growth in IoT healthcare devices opens the door to more vulnerabilities

The healthcare device ecosystem is more connected than ever. Medical device manufacturers are taking advantage of the Internet of Things (IoT) in healthcare to reduce costs and improve convenience.

For example, Internet of Things devices are taking on a medical context in hospitals. You can leverage a peripheral component plugged into a tablet to use it as a mobile ultrasound. Vendors are also using Raspberry Pi to power medical technology. These initiatives lower costs but create healthcare security blind spots if you don’t understand the context in which these assets are used.

IDC forecasts that the number of connected IoT devices will reach 55.7 billion by 2025. The growth of connected assets in healthcare expands the attack surface. More connected devices and systems mean increased IoT vulnerabilities in healthcare. In fact, 63% of the respondents to an Armis Censuswide survey have dealt with one or more security incidents related to unmanaged IoT healthcare devices.

What is a vulnerability?

Vulnerabilities are weaknesses in hardware, software, and procedures that could be exploited by threat actors, posing cybersecurity and clinical risk factors to organizations. 

For example, a vulnerability in the software of an infusion pump could lead to unauthorized access to these devices. A possible risk could be the overdelivery of medication, which can have a negative impact on patient care.

Why you need to map vulnerabilities to secure IT, OT, IoMT, and IoT in healthcare

In 2021, the National Institute of Standards and Technology (NIST) recorded more than 20,000 vulnerabilities. When not remediated, device and software vulnerabilities can expose hospital networks to exploits and cyberattacks.

No wonder vulnerability management is a market in expansion, expected to grow to 21.38 billion by 2028, up from 11.26 billion last year, per Brandessence Market Research. The increased number of cyberattacks on the healthcare industry — leading to massive financial losses and disruption to health services and patient care — has been a driver of rapid adoption of vulnerability management solutions.

Looking for ways to better manage medical device vulnerabilities? Download our white paper.

Limitations of traditional cyber vulnerability management programs

Findings from the SANS Vulnerability Management Survey 2022 indicate that 77% of the surveyed organizations have a formal vulnerability management program, but only 43.8% of these initiatives include IoT/ICS.

Traditional healthcare IT security has limitations when it comes to OT, IoT, and IoMT vulnerabilities.

Here are four pillars of traditional IT methods that can’t be applied to healthcare cybersecurity:

1. Agent-based technology

A traditional approach to vulnerability management is all about endpoint detection. This model works well for IT devices such as computers and servers because they can accommodate security agents. However, more than 50% of connected medical devices are unmanaged assets and, for this reason, are unable to support security agents.

Healthcare security requires the deployment of an agentless security solution like Armis, which doesn’t install security agents and is able to identify and monitor all assets (IoMT, IoT, OT, IT) to provide comprehensive visibility.

2. Use of vulnerability scanners

Vulnerability scanners are a hallmark of traditional IT security. However, scans are intrusive tools that probe your network, which can be disruptive in the case of sensitive OT, IoMT, and IoT in healthcare. 

Scans are notorious for crashing devices, and you don’t want a medical asset malfunctioning when it’s touching patients. Hospitals need a passive solution like Armis, which monitors the environment quietly.

3. Inability to patch legacy assets

Unsupported legacy technology is commonplace in hospitals. Old devices can’t be easily patched or replaced. Slow patching is also a concern. It’s staggering that a vulnerability for which a patch was available, but not applied, was behind 53% of the breaches reported in a Ponemon Institute survey.

4. Emphasis on vulnerability scores and databases

Traditional vulnerability management programs rely on databases such as the Common Vulnerabilities and Exposures (CVE) by MITRE and the National Vulnerability Database (NVD). Systems often classify the threat level of a vulnerability based on the Common Vulnerability Scoring System (CVSS). 

This approach doesn’t take into account the clinical context of vulnerable assets. Let’s say you have a connected medical device that is running XP and has a vulnerability with an exploit. You need to know whether the vulnerable device is touching patients, because that places it in a context of increased risk.

Steps to improved healthcare vulnerability management

The evolution of medical devices requires healthcare delivery organizations (HDOs) to change how they approach asset vulnerability management. Hospitals need to shift to a holistic risk-based approach. Here’s how:

1. Leverage comprehensive asset inventory and visibility

Visibility should be the foundation of a vulnerability management program. In fact, creating a system inventory — key to visibility — is a critical step of the NIST 800-40 standards. 

You can’t secure healthcare devices you can’t see or don’t know about. However, asset visibility is a challenge in healthcare, with only 36% of respondents to a Ponemon study saying their HDOs know where all medical devices are.

2. Bring biomedical, clinical engineering, and security teams together

Effective healthcare vulnerability management requires collaboration between biomedical, clinical engineering, and IT security teams. Overcoming these silos is critical to better understand clinical workflows and the impact that vulnerabilities might have on patient care.

3. Prioritize remediation based on clinical risk factors

Remediation efforts should be prioritized based not only on the severity of the vulnerability — following the CVSS ratings, for example — but also on the potential impact on the quality of care. And Armis can help with that.
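As an added illustration (not part of the original article, and not a description of how Armis scores risk), the example below contrasts a CVSS-only remediation queue with one that also weighs clinical context. The weights, field names, and sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical weights chosen for illustration; tune them with clinical engineering.
PATIENT_CONNECTED = 1.5   # device is attached to or treating a patient
EXPLOIT_KNOWN = 1.3       # a working exploit exists
NO_PATCH = 1.2            # legacy asset that cannot be patched


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    patient_connected: bool
    exploit_known: bool
    patch_available: bool

    def __post_init__(self):
        # Reject malformed scanner or inventory data instead of ranking on it.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.asset}: CVSS {self.cvss} out of range")


def clinical_risk(f: Finding) -> float:
    """Scale the CVSS base score by the clinical context of the asset."""
    score = f.cvss
    if f.patient_connected:
        score *= PATIENT_CONNECTED
    if f.exploit_known:
        score *= EXPLOIT_KNOWN
    if not f.patch_available:
        score *= NO_PATCH
    return score


def rank(findings, key):
    """Return asset names, highest remediation priority first."""
    return [f.asset for f in sorted(findings, key=key, reverse=True)]


# Constructed sample inventory (not real devices or scores).
FINDINGS = [
    Finding("file-server", 9.8, False, False, True),
    Finding("nurse-station-pc", 8.1, False, False, True),
    Finding("infusion-pump", 7.5, True, True, False),
    Finding("mobile-ultrasound-tablet", 6.5, True, True, True),
]

if __name__ == "__main__":
    print("CVSS only:    ", rank(FINDINGS, lambda f: f.cvss))
    print("Clinical risk:", rank(FINDINGS, clinical_risk))
```

With this sample data the file server tops the CVSS-only queue, while the unpatchable, patient-connected infusion pump moves to the front once clinical context is applied.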

Watch our webinar to learn more about our innovative approach to IT, OT, IoMT, and IoT vulnerabilities in healthcare.

Manage healthcare IoT vulnerabilities with Armis

Need help to overcome the challenges of IoT in healthcare? Get in touch with our team. Test drive our platform and see for yourself how we strengthen your hospital’s IT, OT, IoMT, and IoT security defenses.

Frequently Asked Questions

How does Armis secure public and private healthcare organizations?

Armis secures private and public healthcare organizations by identifying and monitoring all their digital assets — IT, OT, IoMT, and IoT devices. The Armis platform is an agentless solution, which means that no security agents are installed on the devices. The monitoring is passive, so it doesn’t disrupt sensitive healthcare devices.

Our Collective Asset Intelligence Engine tracks over 3 billion assets around the world, enabling our platform to identify when a device is behaving abnormally and trigger automated remediation. 

Read our solution brief to learn more about asset vulnerability management with Armis.

Risk vs vulnerability management: What is the difference?

As weaknesses in digital assets, vulnerabilities can pose risks, which are the potential negative impact that an event might have. Managing vulnerabilities is therefore critical to an effective risk management strategy.

While vulnerability management identifies, assesses, prioritizes, and mitigates vulnerabilities, risk management identifies, assesses, and prioritizes measures to minimize risks and their impact.

What are examples of vulnerabilities in cybersecurity?

Examples of vulnerabilities in cybersecurity include outdated or unpatched software, misconfiguration of digital assets, and the use of weak passwords.

Explore our insights about vulnerabilities that affect the most devices.

What is a 0-day vulnerability?

A 0-day vulnerability is a vulnerability discovered by cyberattackers but still unknown to those responsible for its mitigation. 

In a cybersecurity brief about zero-day attacks, the U.S. Department of Health and Human Services (HHS) reminded health systems that the most effective method for mitigation is patching, which can be challenging when it comes to legacy systems and IoT in healthcare.

An example of a zero-day vulnerability in healthcare is PwnedPiper — a set of nine critical vulnerabilities identified by Armis in the Translogic PTS system by Swisslog Healthcare. If not patched, these vulnerabilities allow attackers to take control of these pneumatic tube systems, used by more than 80% of hospitals in North America. Intruders could use infected devices to harvest credentials, move laterally, and launch a ransomware attack.

How long does it take to patch vulnerabilities?

The time taken to patch vulnerabilities usually depends on their severity. Findings from the HIMSS Healthcare Cybersecurity Survey indicate that most organizations respond within one week for vulnerabilities that are low and medium in severity and within 48 hours in the case of vulnerabilities with high and critical severity.

Read all IoMT Playbook Chapters:

  1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
  2. Chapter 2 – The Hurdles of Internet of Medical Things Security
  3. Chapter 3 – A history of medical device hacking
  4. Chapter 4 – How to mitigate ransomware in healthcare
  5. Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices
  6. Chapter 6 – How to improve patient data security
  7. Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities 👈 you are here
  8. Chapter 8 – How to spot the top indicators of compromise in healthcare
  9. Chapter 9 – The fundamentals of medical device cybersecurity 
