With the recent announcement of the “U.S. Cyber Trust Mark” cybersecurity labeling program for Internet of Things devices, the security landscape for hospitals’ Internet of Medical Things (IoMT) devices and equipment is set to undergo significant changes. Below, Shankar Somasundarum, CEO of security provider Asimily, shares what this new program means for healthcare delivery organizations.
24×7: How will the new cybersecurity labeling program for IoT devices announced by the White House affect the security of hospitals’ IoMT devices and equipment?
Shankar Somasundarum: It’s great news that the government is now taking more action on IoT device security, especially after an FDA appropriations bill late last year fell short of more stringent requirements for medical devices. While the new labeling program is more focused on consumer devices at its onset, it’ll be interesting to see how it will be rolled out and expanded.
Within consumer devices, medical devices used in home healthcare will likely be covered initially, which should increase consumer confidence in buying and using connected healthcare technology. But many details still need to be figured out—and hospitals and other healthcare delivery organizations, or HDOs, should be paying close attention, as this will soon affect them directly.
As headlines have shown, breaches of Internet-connected healthcare devices and equipment can be extremely valuable (and unfortunately relatively soft targets) for attackers. The more that government action can combine with security solutions, the better protected HDOs will be.
24×7: From your position as Asimily CEO, what implications do you see for healthcare delivery organizations regarding the “U.S. Cyber Trust Mark” and its impact on IoMT security?
Somasundarum: One of the interesting parallel trends here is healthcare delivery organizations moving to provide more of their care in settings outside of the hospital or healthcare facility. The mark would enable the healthcare system and the patient to use IoMT devices with more confidence. That, in turn, would accelerate telehealth initiatives and lead to greater patient satisfaction. I think this could be a nearer-term and positive impact of the program.
24×7: What are the current security challenges and risks that HDOs face in relation to IoMT devices, and how will this labeling program address them?
Somasundarum: HDOs have large, heterogeneous mixes of IoMT devices. These devices have their own constraints, which leaves the HDO with plenty of work to do to thoroughly secure internet-connected devices and equipment in their environment. Then, as HDOs continue to procure new devices, they must understand the security posture of what they are bringing in. Only a small fraction of HDOs, globally, can closely inspect an IoMT device they are buying. Having this certification would enable HDOs to access more secure devices.
24×7: In your opinion, does this government action go far enough in ensuring the security of IoMT devices, or are there additional measures that should be considered?
Somasundarum: I think additional measures can, and should, be taken. A lot of HDOs are under the misconception that if they don’t know about the security risks in the environment, they are not responsible if something goes wrong. That’s just not the case. And IoMT devices are particularly not well-understood yet, even as HDOs modernize patient care around them. I think we’ll see more action via a greater push to secure the IoMT devices used everywhere, across both consumer and HDO environments, and government mandates will move this along.
24×7: How can the U.S. Cyber Trust Mark enhance transparency and accountability in the healthcare sector regarding the security of IoMT devices?
Somasundarum: Since insufficiently secure IoMT devices can lead to unfortunate consequences, this mark will add a nice confidence boost. The mark could also be used as a standard for securing devices at procurement within the hospital environment, which would ensure that the ecosystem is secure overall. Also, I think the mark and criteria will allow HDOs of all sizes to have more constructive discussions on cybersecurity with IoMT device manufacturers and suppliers.
24×7: Are there any concerns or potential drawbacks associated with the implementation of this labeling program—and, if so, how can they be mitigated?
Somasundarum: The devil is really in the details here. A well-thought-out set of criteria is critical. Considering the heterogeneity of IoMT devices, the criteria should allow for certification from the lowest-end devices with basic firmware to the highest-end devices with a full-fledged operating system and the ability to store data. (Also, since this will touch an especially wide range of consumer devices, plans must be set so that such certifications happen in a timely manner.) The reality is that security must live side by side with operations, and the clearer the criteria and more streamlined the process, the more likely that this program will be successful.