
IoMT FOR IMPROVING HEALTHCARE

Alex Nehmy

Alex Nehmy is Director of Industry 4.0 at Palo Alto Networks. Alex has specialised in cyber security for the past 20 years. Alex has consulted nationally and internationally for KPMG as well as led cyber security for Australia’s largest defence prime. Alex built the cyber security capabilities for The University of Adelaide and also SA Power Networks, where he brought the IT and Operational Technology groups together to secure the South Australian electricity grid and watched the disruption from the green energy revolution play out with the huge growth of rooftop solar and initiatives such as the virtual power plant with Tesla.

The last few years have witnessed the healthcare industry’s journey toward digitisation. Securing a healthcare service provider’s medical infrastructure needs to be prioritised, as cyberattacks continue to target critical equipment that support patient care. Most IoMT devices were not designed with security in mind, making them especially vulnerable to compromise. A robust medical device security strategy is important to free healthcare organisations from the worry of cyberattacks to focus on bringing about positive patient outcomes.

1. What are some of the vulnerabilities that are plaguing today's connected medical devices? Which are the key devices that are susceptible to risks?

As hospital systems adopt a broad range of medical IoT applications, many are adding connected medical devices that put their healthcare operations — and patient lives — at risk. The proliferation of unmanaged and unaccounted IoMT devices, their disparate nature, lack of security by design, and dependence on unsupported operating systems, together with network and internet connectivity, considerably widen the attack surface.

Smart medical devices are needed for critical patient care around the clock and cannot necessarily be taken offline for patching and security maintenance. This leaves the devices operating in a vulnerable state in the field.

Research by Palo Alto Networks Unit 42 Threat Research found that medical devices are the weakest link on the hospital network as they bear critical vulnerabilities. 75 per cent of infusion pumps studied had at least one vulnerability or threw up at least one security alert. Imaging devices, such as X-Ray, MRI and CT scanners, were particularly vulnerable. 20 per cent of common imaging devices were running an unsupported version of Windows, and 44 per cent of CT scanners and 31 per cent of MRI machines were exposed to high-severity vulnerabilities.

2. How can cybercriminals exploit such devices and what are the repercussions for patients and healthcare service providers?

The healthcare industry continues to be a top target for threat actors. As the industry rapidly adopts new and innovative medical technologies, exposure to cyber threats also increases. The biggest challenge for healthcare organisations with unmanaged devices is that many of them were introduced to the hospital network without IT visibility or proper documentation over the years. The corporate IT and security teams often do not have great visibility of exactly where these devices are, how and why they connect to the network, what type of business functions they perform, what type of data is being processed and stored locally, and what type of vulnerabilities are present on these devices.

Relying heavily on legacy, perimeter-based security is no longer adequate for protecting a healthcare organisation’s assets. Mobile users and devices moving on and off the corporate network, data and applications moving to the cloud, covert malware, and attacks masquerading as legitimate applications or hiding in encrypted traffic have blurred the edges of that perimeter.

When these events occur, there can be a significant impact on individuals who have their information disclosed and a loss of trust in the organisations that were breached. A substantial financial impact due to loss of business, damage to reputation, and potential fines resulting from the breach can also pose a material risk to the impacted organisations. It does not matter if the loss occurred because of accidental exposure or a malicious act; the impact to a healthcare organisation that has a breach or data loss event is real.

3. How can manufacturers of clinical devices and procurement teams work together to minimise risks posed to organisations and their patients?

Manufacturers of medical devices should invest in cybersecurity upskilling and capabilities that would minimise any vulnerabilities in their devices. Manufacturers have a responsibility to ensure their devices are secure by design and in fact, the issue of critical medical devices being manufactured in an insecure state has resulted in many jurisdictions passing legislation to mandate a minimum level of cyber security for all new IoT devices.

Procurement teams of medical devices should do their due diligence by researching and ensuring the manufacturers they buy from incorporate security measures in making the devices. Medical institutions can provide an optimum, secure patient experience by implementing zero-trust policies through automated device discovery, contextual segmentation, least privilege policy recommendations and one-click enforcement of policies.

4. Existing IoT and IoMT security solutions lack threat prevention or policy enforcement. How can organisations deploy a comprehensive end-to-end security strategy on their network?

IoMT security needs to be taken seriously, making it vital for all healthcare security chiefs to develop and implement successful IoMT security strategies.

A robust medical device security strategy can free up healthcare organisations from the worry of cyberattacks to focus on bringing about positive patient outcomes.

Healthcare service providers will need an ironclad strategy that offers complete visibility on how people will interact with them and ensure that security is baked into all steps of their approach, from the planning stages all the way through the running phase. They should look to protect the data they collect whilst applying the principle of “Trust nothing, validate everything”, or Zero Trust. Current IT systems will have to evolve in order to manage the new and evolving cyber threats in today’s digital landscape.

Healthcare organisations face an urgent need to tackle IoMT security challenges head-on. The most basic step in securing IoMT begins with obtaining trusted visibility and classifying all IoMT devices across hospital networks, data centres, endpoints, remote clinics, mobile assets and cloud environments. By doing this, healthcare IT teams will be empowered to take a prevention-first instead of an alert-only approach to keeping medical devices safe from potential threats.

5. How can medical institutions leverage automated Zero Trust policies to enhance care delivery and provide an optimum, secure patient experience?

Traditional perimeter-based security wrongly assumes that all users and devices inside the organisation’s network can be trusted and that a full security stack at the internet edge is sufficient for securing the organisation’s data. In this approach, implicit trust is granted in the private zone of the perimeter firewall.

Attacks on sensitive data rarely use just a single exploit or compromised credential. Attackers use a combination of exploits, malware, compromised credentials, and other methods together to work their way from their beachhead in an organisation to the target system. Often attackers use one method after another.

The biggest challenge for many organisations is defining a consistent security model that holistically provides the required security controls across the organisation. Adopting a Zero Trust approach helps remedy the vulnerabilities associated with implicit trust in current security policies.

The Zero Trust approach is based on the principle that no user, device, or transaction from inside or outside of the network can be trusted. Eliminating implicit trust promotes a consistent security policy regardless of the situation. The framework focuses on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. The concept of zero trust has gained popularity in the healthcare industry. Many vendors and industry experts often use the term to describe a holistic approach to improving your cybersecurity strategy.

--Issue 60--