Connected medical devices, also known as the Internet of Medical Things or
IoMT, are revolutionizing healthcare, not only operationally but also in
patient care. In hospital and healthcare settings around the world,
connected medical devices support critical patient care delivery and a wide
variety of clinical functions, from medical infusion pumps and surgical robots to
vital sign monitors, ambulance equipment, and much more. At the end of the
day, it's all about patient outcomes and how to improve the delivery of care, so
this kind of IoT adoption in healthcare brings opportunities that can be
life-changing, as well as simply being operationally sound.
Yet, enabling these amazing patient outcomes through IoT technology brings with it an associated set
of security risks to hospitals and patients that are in the news far too often. Ransomware, for example,
is a particularly prevalent threat to healthcare providers around the world. In August 2022, the French
hospital Centre Hospitalier Sud Francilien (CHSF) was the victim of a ransomware attack that disabled
medical imaging and patient admission systems. And in October 2022, CISA issued an advisory to healthcare providers warning of a ransomware and data extortion group targeting the healthcare and
public health sector with a particular interest in accessing database, imaging, and diagnostics systems
within networks. But ransomware isn't the only risk. In fact, according to a report in HIPAA Journal,
there was a 60% increase in cyberattacks of all varieties in healthcare in 2022,
making them an unfortunately routine aspect of delivering care that the industry must be prepared to address.
Why Medical IoT Devices Are at Risk
There are a number of reasons why medical IoT devices are at risk. Among the most common reasons
is the fact that many of these devices are not designed with security in mind.
Many connected devices ship with inherent vulnerabilities. For example, according to research
from Unit 42®, 75% of infusion pumps have unpatched vulnerabilities. Over half (51%) of all X-ray
machines had a high-severity CVE (CVE-2019-11687), with around 20% running an unsupported
version of Windows.
Unit 42 research also found that 83% of ultrasound, MRI, and CT scanners run on an end-of-life
operating system. Those operating systems have known vulnerabilities that can potentially be
exploited. Attackers are known to target vulnerable devices and then move laterally across the
organization’s network to infect and damage the rest of a hospital network.
The impact of medical IoT device vulnerabilities is serious and potentially life-threatening. It’s not
always easy and sometimes not even possible to update or patch some of these devices, either because
doing so requires operational disruption of care delivery or due to a lack of computing capability of
many types of devices. As a result, we’ve seen patient data exposed. We’ve seen hospital operations
halted. While the attack potential is widespread, healthcare providers can take proactive steps to help
minimize the vast majority of device-related security risks.
Four Necessary Steps to Improve Medical IoT Security
Among the challenges that medical facilities and health providers face is actually being aware of all the
connected devices that are present. Visibility, however, isn’t the only thing that is needed to improve
medical device security. In fact, there are four steps that can be taken to secure devices and reduce risk:
- Ensure visibility and risk assessment of all connected medical and operational devices. The first
step in securing IoT in healthcare is to know what's there; you can't secure what you can't see.
Device visibility isn't enough, though: you have to be able to continuously assess the risk the devices and
their evolving vulnerabilities pose to the network.
- Apply contextual network segmentation and least-privileged access controls. Knowing a device
is present is useful. What's more useful is understanding what network resources or information
can be accessed by the device. That's where network segmentation comes into play, creating and
enforcing policies that limit device access to only the resources necessary for its intended use and
nothing more.
- Continuously monitor device behavior and prevent known and unknown threats. As these
devices communicate across clinical environments and with external networks and services,
establish baseline behavior, monitor devices for anomalous behavior, and protect
network-connected devices against threats such as malware.
- Simplify operations. In order to effectively manage and secure the sheer volume of devices on
a healthcare network, providers require a solution that integrates with existing IT and security
solutions to eliminate network blind spots, automate workflows, and reduce the burden of
tedious manual processes for network administrators.
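The first two steps above, inventory-driven risk assessment and least-privilege segmentation, can be illustrated with a small script. This is an added example, not code from the original document or from any vendor product: the device records, the end-of-life OS list, the CVSS values and the per-role communication profiles are constructed for illustration, and the field names and the 7.0 severity threshold are assumptions.

```python
"""Inventory-driven risk assessment and least-privilege segmentation for
medical IoT devices. Added example, not code from the original document or
from any vendor product; device records, OS list, CVSS values and role
profiles are constructed for illustration."""
from dataclasses import dataclass, field

# Operating systems treated as end-of-life in this example (constructed list).
EOL_OPERATING_SYSTEMS = {"Windows XP", "Windows 7", "Windows Server 2008"}

# Least-privilege communication profile per clinical role (constructed):
# the (destination zone, destination port) pairs a device of that role needs.
ROLE_PROFILES = {
    "infusion_pump": {("pump_server_zone", 443)},
    "xray": {("pacs_zone", 104), ("pacs_zone", 11112)},      # DICOM ports
    "patient_monitor": {("central_station_zone", 2575)},     # HL7 MLLP port
}


@dataclass
class Device:
    device_id: str
    role: str
    ip: str
    os_name: str
    unpatched_cves: list = field(default_factory=list)  # CVE ids reported by a scanner
    max_cvss: float = 0.0                               # highest CVSS among them


def assess_risk(dev):
    """Return (tier, reasons) for one device from its inventory fields."""
    reasons = []
    eol = dev.os_name in EOL_OPERATING_SYSTEMS
    if eol:
        reasons.append(f"end-of-life OS: {dev.os_name}")
    if dev.unpatched_cves:
        reasons.append(f"{len(dev.unpatched_cves)} unpatched CVE(s)")
    if dev.max_cvss >= 7.0:
        reasons.append(f"high-severity CVE present (CVSS {dev.max_cvss})")
    if dev.role not in ROLE_PROFILES:
        reasons.append(f"unclassified role {dev.role!r}: no communication profile")
    if eol or dev.max_cvss >= 7.0:
        tier = "high"
    elif reasons:
        tier = "medium"
    else:
        tier = "low"
    return tier, reasons


def segmentation_policy(dev):
    """Allow only the zone/port pairs in the device's role profile, then deny
    everything else. An unclassified device gets only the deny rule, so it can
    reach nothing until it has been identified."""
    rules = [
        {"src": dev.ip, "dst_zone": zone, "dst_port": port, "action": "allow"}
        for zone, port in sorted(ROLE_PROFILES.get(dev.role, set()))
    ]
    rules.append({"src": dev.ip, "dst_zone": "any", "dst_port": "any", "action": "deny"})
    return rules


def assess_inventory(devices):
    """Risk tier, reasons and segmentation policy for every device, keyed by id."""
    results = {}
    for d in devices:
        tier, reasons = assess_risk(d)
        results[d.device_id] = {"tier": tier, "reasons": reasons,
                                "policy": segmentation_policy(d)}
    return results


# Constructed sample inventory: IPs, OS versions, placeholder CVE ids and
# CVSS values are made up for the example (the 7.8 is not a real score).
SAMPLE_INVENTORY = [
    Device("pump-01", "infusion_pump", "10.10.1.11", "Linux 4.9", ["CVE-PLACEHOLDER-1"], 5.3),
    Device("xray-02", "xray", "10.10.2.21", "Windows 7", ["CVE-PLACEHOLDER-2"], 7.8),
    Device("unknown-03", "unclassified", "10.10.9.99", "VxWorks 6.9"),
]

if __name__ == "__main__":
    for dev_id, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(dev_id, result["tier"], "; ".join(result["reasons"]))
        for rule in result["policy"]:
            print("   ", rule)
```

The design point is the trailing deny rule: segmentation is only least-privilege if a device with no recognised role gets no access at all rather than falling through to a permissive default, which is exactly the gap that an incomplete inventory would otherwise leave open.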
Better IoT Security Helps Ease Regulatory Compliance Challenges
Understandably, there are a lot of compliance requirements in healthcare. Healthcare compliance
covers numerous areas like patient care, managed care contracting, Occupational Safety and Health
Administration (OSHA), and Health Insurance Portability and Accountability Act (HIPAA) privacy and
security, to name a few. Any attack that involves a patient system or medical IoT device is most likely a
compliance breach, resulting in the loss of sensitive data or access to sensitive data from unauthorized
entities. Limited IoMT visibility and risk assessment make it difficult to meet regulatory, audit, and
HIPAA requirements. Having complete visibility into all devices and their utilization data reduces the
burden of preparing for compliance audits and compiling compliance reports.
Implementing Zero Trust for Medical IoT
Humans place their trust in medical professionals to improve and sustain human health. Medical
facilities rely on their technology to do the same. But trust should not be granted by default. It needs to
be continuously monitored and validated. That’s where a Zero Trust approach comes into play.
Zero Trust, in very straightforward terms, is a cybersecurity strategy that seeks to eliminate implicit
trust for any user, application, or device accessing an organization’s network. Zero Trust is not a
product. For many customers, Zero Trust is a journey. For medical IoT security, Zero Trust starts from
understanding several key things:
- Who is the user of the device?
- What is the device?
- What is the device supposed to do?
- Is the device doing what it is designed for?
On a continuous basis, Zero Trust means monitoring devices and their behavior for threats, malware,
and policy violations to help reduce the risk by validating every interaction.
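The continuous validation described here, together with the baseline-and-anomaly monitoring step in the four-step list above, can be shown as one small monitor that asks the four questions for every interaction. This is an added example, not code from the original document or from any vendor product: the asset inventory, the expected-behavior profiles, the key=value log format and all log lines are constructed for illustration.

```python
"""Continuous Zero Trust validation of medical device interactions. Added
example, not code from the original document or from any vendor product.
Inventory, expected-behavior profiles and log lines are constructed, and
the key=value log format is an assumption."""
from collections import defaultdict

# What each device is supposed to do (constructed): the ports it may contact
# and the staff roles allowed to operate it.
EXPECTED = {
    "infusion_pump": {"ports": {443}, "operators": {"nurse", "biomed"}},
    "ct_scanner": {"ports": {104, 11112}, "operators": {"radiology_tech"}},
}

# Asset inventory: device id -> clinical role (constructed).
INVENTORY = {"pump-07": "infusion_pump", "ct-02": "ct_scanner"}


def parse_flow(line):
    """Parse one key=value flow record (assumed format) into a dict."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def learn_baseline(lines):
    """Per-device set of (dst, dst_port) seen during a trusted learning window."""
    baseline = defaultdict(set)
    for rec in map(parse_flow, lines):
        baseline[rec["device"]].add((rec["dst"], rec["dst_port"]))
    return baseline


def validate(rec, baseline):
    """Answer the four Zero Trust questions for one interaction and return a
    list of findings; an empty list means the interaction is allowed."""
    findings = []
    role = INVENTORY.get(rec["device"])
    if role is None:                                   # What is the device?
        return ["unknown device, not in inventory"]    # Unknown: deny outright.
    exp = EXPECTED[role]
    operator = rec.get("operator", "none")
    if operator not in exp["operators"]:               # Who is the user?
        findings.append(f"operator role {operator!r} not permitted for {role}")
    if rec["dst_port"] not in exp["ports"]:            # What is it supposed to do?
        findings.append(f"port {rec['dst_port']} outside the {role} function profile")
    if (rec["dst"], rec["dst_port"]) not in baseline.get(rec["device"], set()):
        findings.append("flow not in learned baseline")  # Is it doing what it is designed for?
    return findings


def monitor(lines, baseline):
    """Validate a batch of records; return {device: [findings]} for violations only."""
    alerts = {}
    for rec in map(parse_flow, lines):
        findings = validate(rec, baseline)
        if findings:
            alerts.setdefault(rec["device"], []).extend(findings)
    return alerts


# Constructed log lines from a learning window containing only expected traffic.
LEARNING_WINDOW = [
    "device=pump-07 operator=nurse dst=10.20.0.5 dst_port=443",
    "device=ct-02 operator=radiology_tech dst=10.20.1.8 dst_port=104",
    "device=ct-02 operator=radiology_tech dst=10.20.1.8 dst_port=11112",
]

# Constructed live records: one normal flow, one pump contacting an unexpected
# file-sharing port with no operator, and one device missing from the inventory.
LIVE = [
    "device=pump-07 operator=nurse dst=10.20.0.5 dst_port=443",
    "device=pump-07 operator=none dst=10.20.3.3 dst_port=445",
    "device=rogue-99 operator=none dst=10.20.0.5 dst_port=443",
]

if __name__ == "__main__":
    base = learn_baseline(LEARNING_WINDOW)
    for dev, findings in monitor(LIVE, base).items():
        print(dev, "->", "; ".join(findings))
```

Two choices matter here: a device absent from the inventory is denied before any other check runs, so visibility gaps cannot be exploited by simply showing up; and the learned baseline is checked in addition to the static function profile, so a device using an allowed port against a new destination still surfaces as an anomaly for review.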
Take the Zero Trust Path of Least Resistance to Improve Healthcare IoT
Healthcare IT and security teams are overburdened, so security implementation shouldn’t be
onerous. Improving security for medical IoT devices shouldn’t require a forklift upgrade of hospital
networks either.
Most healthcare providers already have network firewalls that act as enforcement points for Zero Trust
device security. When you want to enable visibility, risk assessment, segmentation, least privilege
policies, and threat prevention on the journey toward Zero Trust, it should be done with as little friction
as possible. Machine learning (ML) can also dramatically accelerate policy configuration, which can be
automated. If security becomes another big project that requires significant human effort, it has less
chance of being successful. Security needs to be integrated, easy to deploy, and as automated as possible.
Medical IoT devices help to improve human healthcare every day. Just like humans need to do the
right things to stay healthy, it’s essential for medical IoT devices to remain healthy too. Lives literally
depend on it.