Why the Internet of Medical Things needs a new approach to cybersecurity—and how those in healthcare technology management can play a role in championing it.
By Stefani Kim
Though hospitals and other healthcare facilities are often seen as havens of healing and recuperation, the systems designed to provide life-extending therapies are vulnerable to an insidious threat: cyberattacks. The faceless, nameless entities perpetrating these crimes can exploit the weaknesses in a network, commandeering the functionality of lifesaving medical devices such as infusion pumps, pacemakers, and mobile cardiac telemetry.
Hackers can gain control of confidential patient records and essential equipment, manipulating them for nefarious purposes or even holding them for ransom.
Why Cyberattacks Are So Prevalent in HTM
Part of the problem resides within the growing trend of device interconnectedness to the Internet of Medical Things (IoMT), a complex network that integrates healthcare tools with IT systems. Though the system allows patients to be remotely monitored, medication to be tracked, and other features designed for streamlined care and ease of use, it is also highly prone to attack due to its limited capacity for security add-ons as well as its connection to often unsecured networks.
Some hackers strike simply because they know that healthcare networks are vulnerable; others are after patient data that they can sell on the dark web or hold hostage for a large payout.
Even the FBI has acknowledged the severity of the issue, issuing a formal warning in 2022 that detailed recommended steps healthcare operations could take to secure their devices.
Given these gaping weaknesses in security, it’s essential for healthcare facilities to take heed of warnings and develop a plan to protect their most critical networks and devices, experts advise.
Addressing Potential Vulnerabilities
Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, a medical device cybersecurity expert and chief security strategist at San Diego-based MedCrypt, advises taking a risk-based approach in identifying devices most likely to be compromised and then assessing the degree of harm.
Devices with “pervasive vulnerabilities” to cyberattacks could include “legacy devices with outdated software, or devices of poor security design, or devices of which there are many (i.e., form a large attack surface), as well as essential life support devices like ventilators and pacemakers and devices that, if compromised, could harm a patient (e.g., drug or radiation delivery systems).”
Finally, the impact on “care delivery” is an equally important consideration, Wirth says, as “a CT scanner in general radiology is less of a concern than a CT scanner in the ER that supports incoming stroke patients.”
Ali K. Youssef, a director of medical device and IoT security for the Detroit-based Henry Ford Health organization, says that networked legacy devices tend to pose some of the highest risks due to their extended lifespan, which can stretch up to 20 years. But it’s not just older systems that could be easily compromised.
“Imaging devices are generally high tech, rely on off-the-shelf operating systems, and are often amongst the most vulnerable. Any medical device being added to a hospital network without the appropriate level of security scrutiny throughout its lifecycle can be problematic,” he says.
A recent risk evaluation by Vedere Labs, the cybersecurity research arm of Forescout Technologies, found that DICOM (Digital Imaging and Communications in Medicine) workstations, nuclear medicine systems, and imaging PACS were some of the most vulnerable legacy devices in the IoMT family due to their interconnectedness to other devices and unencrypted communication. Presenting an even bigger challenge, however, are the devices hiding in plain sight, according to Eric Maze, a medical device security engineer at Rush University Medical Center.
“Inventory and securing what you own are the most important factors when it comes to medical devices. Oftentimes, devices are brought in, whether by demo or a physician, that end up on a hospital network and potentially bypass all security protocol,” he says.
Allowing equipment to fly under the radar without proper evaluation could be an open door to criminals seeking to exploit any weakness they can find in a network.
“At times, vulnerabilities don’t get properly addressed due to poor visibility, or unmanaged devices not receiving critical updates or security patches to remediate known threats. This includes servers and legacy equipment that is no longer supported. The legacy devices should have compensating controls to add an additional layer of protection including OS hardening where applicable,” Maze advises.
How to Secure Medical Devices
One comprehensive solution that experts suggest for securing devices is known as passive network monitoring, or PNM, tools, “intuitive technology solutions [that] passively monitor the network traffic without disrupting network-enabled services and parse metadata so that they can be better understood,” according to an article in Biomedical Instrumentation & Technology by Priyanka Upendra, BS, MS, CHTM, AAMIF, a senior director of customer success at Asimily. “Because of the unique challenges of connected medical devices, PNM is preferred because critical care delivery services are not interrupted as a result of active scanning,” the article says.
PNM tools work without installing agents on devices or actively scanning the network. Because neither step can cause downtime for crucial devices, this is a critical selling point for their utility.
“PNM tools passively collect network traffic via SPAN (Switched Port Analyzer)/TAP (Test Access Point)/other packet broker techniques. This passively collected traffic is then assessed to disintegrate information that is useful to manage inventory, vulnerabilities, utilization, incidents, etc,” Upendra says.
Further, the tools’ sophistication means they can analyze a wide range of vulnerabilities across a complex network of devices and uses, an unwieldy task for any one person or department to try to tackle, Upendra says.
“PNM allows automated inventorying of network connected devices/equipment, without which, the time, effort, and skill set needed to manage the inventory is exponential as the complexity and frequency of use of devices goes up. PNM uses AI [artificial intelligence] and ML [machine learning] to automate and correlate vulnerability information for devices and their internal and external complements.
Without this, manually evaluating over 50-100 vulnerabilities and the exploit techniques is practically impossible. PNM evaluates the configuration and behaviors of devices and establishes patterns of anomalous behaviors. Doing that manually or with traditional IT tools is impossible for clinical devices. Same goes for utilization,” she says.
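The passage above describes what a PNM tool does with a SPAN/TAP feed: derive a device inventory from traffic metadata alone, and learn each device's normal behavior so that later traffic can be judged against it. The following is an added illustration, not code from the article, from Asimily, or from any PNM product; it works on constructed flow-metadata records (source, destination, port, timestamp) of the kind a packet broker would export, uses an assumed medical-device subnet of 10.20.0.0/16, and treats plain-TCP DICOM ports 104 and 11112 as cleartext, echoing the unencrypted-communication finding mentioned earlier for DICOM workstations and PACS.

```python
"""Minimal passive-network-monitoring (PNM) style inventory and anomaly pass.

Added example, not the article's or any vendor's code. Input is flow metadata
already extracted from a SPAN/TAP feed (constructed inline here); no agents are
installed and nothing is actively scanned, which is the property the article
attributes to PNM.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Well-known clinical listener ports (assumption: plain-TCP DICOM and HL7/MLLP).
PORT_PROTOCOL = {104: "DICOM", 11112: "DICOM", 2575: "HL7-MLLP",
                 443: "TLS", 2762: "DICOM-TLS"}
MED_SUBNET = ip_network("10.20.0.0/16")   # constructed: segmented medical-device subnet
INTERNAL = ip_network("10.0.0.0/8")       # constructed: everything else the hospital owns


@dataclass
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str       # "TCP" or "UDP"
    nbytes: int


@dataclass
class Device:
    ip: str
    services_offered: set = field(default_factory=set)   # ports this device listens on
    peers: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    findings: list = field(default_factory=list)


def build_inventory(flows):
    """Derive medical-subnet devices, their services and their peers from metadata only."""
    inv = {}
    for f in flows:
        for ip in (f.src, f.dst):
            if ip_address(ip) in MED_SUBNET:
                inv.setdefault(ip, Device(ip))
        label = PORT_PROTOCOL.get(f.dport, f"{f.proto}/{f.dport}")
        if f.dst in inv:                       # device is the server side
            inv[f.dst].services_offered.add(f.dport)
            inv[f.dst].peers.add(f.src)
            inv[f.dst].protocols.add(label)
        if f.src in inv:                       # device is the client side
            inv[f.src].peers.add(f.dst)
            inv[f.src].protocols.add(label)
    for d in inv.values():
        if "DICOM" in d.protocols:
            d.findings.append("cleartext DICOM observed (no TLS on this association)")
        if any(ip_address(p) not in INTERNAL for p in d.peers):
            d.findings.append("talks to non-internal address")
    return inv


def learn_baseline(flows, window_end):
    """Per-device set of (peer, port) pairs seen during the learning window."""
    base = defaultdict(set)
    for f in flows:
        if f.ts <= window_end:
            base[f.src].add((f.dst, f.dport))
            base[f.dst].add((f.src, f.dport))
    return base


def detect_anomalies(flows, baseline, window_end):
    """Post-window flows where a medical device gains a (peer, port) pair it never had."""
    out = []
    for f in flows:
        if f.ts <= window_end:
            continue
        if ip_address(f.src) in MED_SUBNET and (f.dst, f.dport) not in baseline.get(f.src, set()):
            out.append(("new-outbound", f.src, f.dst, f.dport))
        elif ip_address(f.dst) in MED_SUBNET and (f.src, f.dport) not in baseline.get(f.dst, set()):
            out.append(("new-inbound", f.dst, f.src, f.dport))
    return out


# Constructed sample feed: CT scanner, PACS, infusion pump, review workstation.
FLOWS = [
    Flow(100, "10.20.1.5", "10.20.9.10", 104, "TCP", 500_000),    # CT -> PACS, cleartext DICOM
    Flow(120, "10.20.1.5", "10.0.5.20", 2575, "TCP", 2_000),       # CT -> HL7 interface engine
    Flow(130, "10.20.1.7", "10.0.5.30", 443, "TCP", 4_000),        # pump -> internal drug library
    Flow(200, "10.20.1.9", "10.20.9.10", 104, "TCP", 80_000),      # workstation -> PACS
    Flow(900, "10.20.1.7", "203.0.113.45", 8080, "TCP", 1_500),    # pump -> unknown external host
    Flow(910, "10.20.1.5", "10.20.9.10", 104, "TCP", 450_000),     # CT -> PACS again (baseline)
    Flow(920, "10.0.7.77", "10.20.9.10", 22, "TCP", 900),          # new SSH client hitting PACS
]
WINDOW_END = 500


def run_demo():
    inv = build_inventory(FLOWS)
    anomalies = detect_anomalies(FLOWS, learn_baseline(FLOWS, WINDOW_END), WINDOW_END)
    return inv, anomalies


if __name__ == "__main__":
    inventory, alerts = run_demo()
    for dev in inventory.values():
        print(dev.ip, sorted(dev.protocols), dev.findings)
    for a in alerts:
        print("ANOMALY", a)
```

A real feed carries far more metadata (DICOM AE titles, HL7 sending facilities, DHCP and ARP for make and model), and a product would persist the baseline and age it; the structure, though, is the same: inventory first, then a learned per-device baseline, then alerts on deviations, all from copied traffic.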
Best Practices in Curbing Cyberattacks
Unfortunately, many healthcare organizations dedicate too little time or resources to prevention of security threats and are made aware of their vulnerabilities only after a cyberattack occurs and they are forced to react defensively. Several of the experts 24×7 spoke with provided a list of “best practices,” or steps an organization could follow in order to stave off future threats well in advance of their systems potentially being appropriated by shadowy cybercriminals.
Maze, the Rush University security engineer, provided the following list:
- Offer full visibility of the entire biomedical inventory. This should include all IoT devices in the healthcare system even if they are part of other accounting unit inventories apart from your biomedical fleet.
- Have strong security protocols in place on the network as well as a segmented medical device subnet.
- A vulnerability management program set up along with an incident response plan in the event of any adverse anomalies detected, and what that blast radius might impact.
- A strong medical device management plan should also be in place that would include: procurement, continued maintenance, identifying risks, identifying whether the device stores or transmits ePHI [electronic protected health information], and a decommissioning process in place to properly remove devices from the network and the facility. A cradle-to-grave approach to your medical devices and IoT equipment.
- A strong inventory of what you own, and the proper nomenclature of those devices to assist with security threats, recalls, known CVEs [Common Vulnerabilities and Exposures], and the management of zero-day risks and their potential impact to your network, patient safety, and securing data.
- An integrated security tool to help manage your fleet that is connected directly to a CMMS [computerized maintenance management system] is ideal to help manage all of the above.
Youssef, director of security for Henry Ford Health, offers the following best-practice recommendations for health delivery organizations, which align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):
- Maintain an inventory of all medical devices connected to your network, and keep track of their location, make, model, firmware, and other key details.
- Regularly scan your medical devices for vulnerabilities and apply patches and updates as soon as they become available.
- Use strong passwords and other access controls to limit access to medical devices only to authorized personnel. Implement two-factor authentication wherever possible.
- Segment your network to isolate medical devices from other systems and limit the risk of lateral movement, in case of a breach.
- Implement continuous monitoring and logging to detect and respond to potential security incidents in a timely manner.
- Use encryption whenever possible, to protect data in transit and at rest on medical devices.
- Secure physical access to medical devices to prevent tampering and theft.
- Train and educate staff on the importance of cybersecurity, including the risks associated with medical devices, and how to identify and report security incidents.
In order to implement a cybersecurity strategy, an organization must ask itself two imperative questions, advises Wirth, chief security strategist at MedCrypt: ‘What do I have?’ and ‘What do I need?’
“The ‘have’ question is related to completeness and quality of asset inventory (i.e., I need to know every device on my network and for every device, I need to have all cybersecurity-relevant information). This will lead to the ‘need’ question, i.e., defining the desired level of security I want to accomplish. With these two answers I can now prioritize and manage security concerns that may exist for any given device (e.g., deploy patches and updates, segment networks, etc…),” he says.
Over time, it may be possible to solve the issue of legacy devices with unreliable security by upgrading to more technologically savvy products with built-in protection.
“Further, once I have defined my ‘needs,’ I can also start shifting my procurement strategy to be inclusive of cybersecurity considerations, specifically, include security requirements in my acquisition decisions and future contracts. This will, over time, push security responsibility back towards the manufacturer and will shift my asset inventory to a more secure state by replacing legacy and relatively insecure devices with products that are better secured and can be better managed to maintain their security posture in the future,” says Wirth.
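Wirth's two questions, together with his earlier criteria for which devices to worry about first (unsupported software, large fleets, life-support and drug or radiation delivery, and an ER CT outranking a general-radiology CT), can be turned into a repeatable worklist. The following is an added example, not code from the article or from MedCrypt. It assumes a constructed inventory export carrying the cybersecurity-relevant fields the “have” question asks for, a per-tier control policy standing in for the “need” answer, and illustrative scoring weights that are not a published standard.

```python
"""Risk-based 'what do I have / what do I need' worklist.

Added example, not the article's or MedCrypt's code. Records with unknown
fields are flagged as incomplete ('have' gap); each asset is tiered and the
controls its tier expects but it lacks are listed ('need' gap); assets are
then ranked by likelihood x impact so remediation starts where harm is worst.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    name: str
    ip: str
    os_supported: Optional[bool]   # None = unknown, i.e. the inventory record is incomplete
    firmware: Optional[str]
    fleet_size: int                # units of this model deployed (attack surface)
    patient_harm: bool             # drug/radiation delivery, life support
    care_critical: bool            # e.g. ER CT on the stroke pathway vs general radiology
    stores_ephi: bool
    controls: set = field(default_factory=set)   # controls already in place


# 'Need': controls expected for each tier (assumption; adapt to local policy).
TIER_CONTROLS = {
    "critical": {"segmented", "patched-or-compensating", "encrypted", "monitored", "access-control"},
    "high":     {"segmented", "patched-or-compensating", "monitored", "access-control"},
    "standard": {"segmented", "access-control"},
}


def inventory_gaps(a):
    """'Have' check: cybersecurity-relevant fields this record is missing."""
    missing = []
    if a.os_supported is None:
        missing.append("os_supported")
    if a.firmware is None:
        missing.append("firmware")
    return missing


def likelihood(a):
    """Illustrative weights for how likely a compromise is."""
    score = 0
    if a.os_supported is False:
        score += 3                 # legacy / unsupported software
    if a.fleet_size >= 50:
        score += 2                 # many units = large attack surface
    if "segmented" not in a.controls:
        score += 1                 # reachable from the general network
    return score


def impact(a):
    """Illustrative weights for how bad a compromise would be."""
    score = 0
    if a.patient_harm:
        score += 4
    if a.care_critical:
        score += 2
    if a.stores_ephi:
        score += 1
    return score


def tier(a):
    if a.patient_harm or (a.care_critical and a.os_supported is False):
        return "critical"
    if a.care_critical or a.stores_ephi or a.os_supported is False:
        return "high"
    return "standard"


def worklist(assets):
    """Rank assets by likelihood x impact and list what each still needs."""
    rows = []
    for a in assets:
        t = tier(a)
        rows.append({
            "name": a.name,
            "tier": t,
            "risk": likelihood(a) * impact(a),
            "missing_controls": sorted(TIER_CONTROLS[t] - a.controls),
            "incomplete_record": inventory_gaps(a),
        })
    return sorted(rows, key=lambda r: (-r["risk"], r["name"]))


# Constructed inventory export (names and values are invented for the example).
ASSETS = [
    Asset("ER CT scanner", "10.20.1.5", False, "v3.1", 2, False, True, True, {"segmented"}),
    Asset("Infusion pump", "10.20.1.7", True, "1.8", 120, True, False, False, {"segmented", "monitored"}),
    Asset("General radiology CT", "10.20.1.6", True, "v4.0", 2, False, False, True,
          {"segmented", "access-control"}),
    Asset("Demo ultrasound", "10.20.1.42", None, None, 1, False, False, True, set()),
]


def run_demo():
    return worklist(ASSETS)


if __name__ == "__main__":
    for row in run_demo():
        print(f"{row['risk']:>3} {row['tier']:<9} {row['name']:<22} "
              f"needs={row['missing_controls']} incomplete={row['incomplete_record']}")
```

The two CT scanners share hardware and software but land in different tiers because of where they sit in care delivery, which is the point of Wirth's example; the demo ultrasound scores low on risk but surfaces with an incomplete record, which is the “have” question telling you the inventory itself is not yet trustworthy for that device.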
Cyberattack Prevention: Adapt and Evolve
In a post-pandemic healthcare landscape shifting toward more technology-driven care and remote telehealth options, the need for ultra-secure devices and networks designed to thwart cybercriminals has never been greater. As hackers become more sophisticated in their attacks, organizations must be ready to counter their every strike in order to avoid massive financial and reputational damage.
“I would say, in general, healthcare organizations have a fairly poor security posture. Of course, there is always a range, but relative to other industries, healthcare has been spending less on security and also has more difficulties to attract the right talent,” says Wirth.
Change may be slow to arrive though, and healthcare facilities may fail to see the value of implementing security until it’s too late. “I believe most organizations are generally aware of this problem but may not have full visibility into their specific vulnerabilities. Unfortunately, practical and budget realities will resist a quick solution to this problem,” he says.
Stefani Kim is a contributing writer for 24×7. Questions and comments can be directed to 24×7 chief editor Keri Forsythe-Stephens at [email protected].