If a hospital doesn’t know how many Internet-connected medical things (IoMT) it has, then it probably doesn’t know how vulnerable it is to cyber-attack. Cybersecurity is often not a priority for medical device vendors, and as a result these devices are very vulnerable to cyber threats. In fact, SANS reported that about 17% of cyber-attacks in a hospital originate from medical endpoints.
Unfortunately, for the manufacturers of most IoMT devices, which include infusion pumps, MRI machines, x-ray machines, heart monitors, blood gas analyzers, and more, cybersecurity has been an afterthought. So it’s no wonder that IoT security researchers are finding medical devices riddled with malware that allows them to be misused in many different ways, including as a portal for lateral movement inside a facility’s network.
IT security experts agree that IoMT devices are the weakest spots in a hospital’s security umbrella. If they are compromised, a patient’s health, safety, and privacy could be put at risk. According to Brian Selfridge at a Health Care Compliance Association webinar, “Medical devices have become an open door to the healthcare environment by virtue of the relatively lax security posture.” 77% of hospitals now report that security risks around connected medical devices are their top concern, yet very few have strategies or tools available to protect themselves.
Lack of Tools to Secure IoMT
Security often starts with visibility, but traditional IT security tools lack the context of IoMT. For these traditional tools, every medical asset is simply an IP address on the network. Without knowing whether the device behind an IP address is really an IV pump or an MRI machine, these solutions cannot secure it effectively. Context often determines the security policies that should be enforced.
Security teams at hospitals lack dedicated tools to secure their IoMT networks. As a result, traditional IT security solutions are often re-purposed and used in this environment. These solutions weren’t designed to protect a diverse group of medical devices that have a wide variety of hardware, operating systems, and software applications.
Each piece of malware and each attack in such a diverse infrastructure is unique, and the traditional signature-based or heuristic approach of detecting malware at the endpoint or the perimeter fails to protect such a heterogeneous infrastructure.
To make things worse, the signatures and heuristic rules mostly exist to detect threats targeted at traditional IT infrastructure, not at purpose-built IoMT. The industry really demands a new way of thinking that focuses on the context and behavior of connected medical devices, as opposed to developing and distributing signatures of known malware. Security philosophies have to evolve from threat detection to allowing healthcare facilities to apply risk management techniques.
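The point about context and behavior can be made concrete with a small sketch (an added example, not from the original article or any product): a baseline is learned per device type from observed flows, so the same SMB connection is expected from a workstation but a deviation from an infusion pump, and an IP missing from the inventory gets no verdict at all. All addresses, host names, device types and the min_devices threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed asset inventory: the context a bare IP address does not carry.
INVENTORY = {
    "10.20.0.11": "infusion_pump", "10.20.0.12": "infusion_pump",
    "10.20.0.50": "workstation",   "10.20.0.51": "workstation",
}

# Constructed training window of (src_ip, dst_host, dst_port) flows.
TRAINING = [
    ("10.20.0.11", "pump-server", 443), ("10.20.0.12", "pump-server", 443),
    ("10.20.0.50", "file-server", 445), ("10.20.0.51", "file-server", 445),
    ("10.20.0.12", "203.0.113.9", 8080),  # one-off seen from a single pump
]

def learn_baseline(flows, min_devices=2):
    """Per device type, keep destinations used by at least min_devices peers."""
    seen = defaultdict(lambda: defaultdict(set))  # type -> (dst, port) -> src IPs
    for src, dst, port in flows:
        dtype = INVENTORY.get(src)
        if dtype is not None:
            seen[dtype][(dst, port)].add(src)
    return {
        dtype: {pair for pair, srcs in pairs.items() if len(srcs) >= min_devices}
        for dtype, pairs in seen.items()
    }

def classify(flow, baseline):
    """Judge a flow by the behaviour expected of its device type."""
    src, dst, port = flow
    dtype = INVENTORY.get(src)
    if dtype is None:
        return "no-context"  # just an IP: no policy can be selected
    if (dst, port) in baseline.get(dtype, set()):
        return "expected"
    return f"deviation:{dtype}"

if __name__ == "__main__":
    baseline = learn_baseline(TRAINING)
    for flow in [
        ("10.20.0.50", "file-server", 445),   # workstation using SMB
        ("10.20.0.11", "file-server", 445),   # same flow from a pump
        ("10.20.0.12", "203.0.113.9", 8080),  # one-off never entered baseline
        ("10.20.0.99", "pump-server", 443),   # device missing from inventory
    ]:
        print(flow, "->", classify(flow, baseline))
```

Requiring a destination to be seen from several peers of the same type keeps a single misbehaving device from writing its own traffic into the baseline.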
New Regulatory Standards
New regulatory standards are being developed to cover IoMT. It has never been more critical to balance the priorities of safety, security, and effectiveness of care. HIPAA is now extending its reach to cover the Internet of Medical Things, given that these devices often store sensitive patient information.
This year is going to be pivotal as the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) begins security audits that will include IoMT. Healthcare organizations will need solutions that provide unparalleled visibility into the medical device infrastructure to reveal vulnerabilities and hidden threats.
Cyber threats are ever present. Is your healthcare organization adequately prepared?