IoT: In Healthcare, We Call it “I uh-oh T”

Healthcare IoT

Healthcare uses a broad and diverse range of “Internet of Medical Things” devices in caring for patients. IoT medical devices include items as diverse as patient monitors, blood refrigerators, and linear accelerators used for radiation therapy. An average patient comes in contact with 10 to 15 healthcare IoT devices during a single hospital stay. A factor that complicates security is that healthcare has gotten really good at making these IoT medical devices last a long time. For example, 20 percent of magnetic resonance imaging (MRI) machines are over 10 years old, with some still in service after 20 years. The hard part for many hospitals is that these devices can still function as intended, and they are very expensive to replace. If you tore down these devices to their components, you most often would find an old Windows PC controlling the equipment.

Common Issues Associated with IoT Healthcare Devices

Common cybersecurity issues associated with IoT medical devices are vendor operational gaps, poor or no authentication, configuration vulnerabilities, application vulnerabilities, unpatched software, and no encryption. IoT healthcare devices can end up in this state for several reasons. One reason is that the time from design to FDA approval to the sale of devices can be many years, leaving the original software outdated. A second historical reason is that the manufacturers of these devices (and in many ways, the healthcare providers) have assumed that they are not a target of cybersecurity attacks because they are in a “helping profession.” Unfortunately, medical IoT devices can collect personal information and can be used to gain an institutional foothold, which makes them a target for cybersecurity attacks.

Developing a Cybersecurity Program for IoT Medical Devices

To successfully understand and mitigate the cybersecurity risk of medical IoT devices, healthcare providers should implement a medical device cybersecurity program. This program should encompass the full cycle of the device, from purchase to retirement. The components of a program should include:

Leadership & Governance

Identify a specific group to oversee cybersecurity of medical devices and IoMT used in clinical and research areas. This group should include senior leadership as well as care providers. The group can take the form of a Security Committee, Risk Office, Practice Committee, etc. This governance group needs to be empowered to accept or deny risk for the institution and help with policy approval, enforcement, and exceptions.

Clearly Outlined Standards

Your institution needs to define what is “good” and where you will set the bar for allowing devices on your network. With the security profile of much of this equipment being questionable, base these standards on the most significant and common security issues.

Intake Process and Controls

Integrate the IoMT program into your procurement and purchase approval processes. Toll gates need to be in place so that checks can be made on assessment completions and a risk vs. benefit decision can be made before the actual purchase. In addition, medical-device-specific cybersecurity language should be included in all contracts.

Prioritization Strategy

Scaling is always a problem in security, so to be the most effective at assessing and mitigating risk, focus on the IoT medical devices that pose the greatest danger. The prioritization should include elements of both the security vulnerabilities and the patient care impacts of a device. Use the Manufacturer Disclosure Statement for Medical Device Security (MDS2) for initial input into prioritization, and draw on the patient impact data collected by the biomedical teams as required for hospital accreditation by the Joint Commission.

Assessments & Testing

You should focus your assessments and testing on IoT medical devices that are high risk. Depending on your level of concern and on local resource availability and skills, this can be anything from a review of the manufacturer's material to a full-blown penetration test.

Remediation and Mitigation Sets

You should have “off-the-shelf” mitigations defined and available for different types of vulnerabilities. Still, there will be critical devices that need hand-crafted, bespoke mitigations.

Metrics & Auditing

There is a need to make sure you achieve the outcomes you want and track your risk over time. Metrics are critical to make sure the program is operating efficiently and effectively. There should be leadership metrics of cumulative risks and specific devices that don’t meet standards.

Integration into an Enterprise Cybersecurity Program

The work being done and the devices that are being monitored and managed should be included as part of the overall institutional security program. This would include the use of monitoring tools, a SIEM, and a cybersecurity response plan.

Using a SIEM to Better Protect Your IoT Medical Device Data

When dealing with IoT healthcare devices, there will still be many challenges and an overwhelming number of vulnerabilities that you will find, and a security information and event management (SIEM) solution can help. The key is to make any risks visible and transparent and to prioritize your assessments and mitigations based upon risks to the institution and the patients.