December 12, 2019
Securing Your Internet of (Medical) Things
Healthcare institutions and legislators are working hard to catch up on security practices, yet many facilities remain drastically behind the curve.
Internet of Medical Things is no longer a thing of the future; it can be rightly called a thing of today. Worldwide, a plethora of hospitals, health facilities and labs have adopted IoMT systems of iconnected devices and big data, which allows them to render error-free, personalized and overall superior healthcare services to their patients. On top of that, the demand for digitalized healthcare is growing, especially among younger generations, who are more likely to opt for medical providers offering digital capabilities.
Such a system, however, can actually become a source of security and privacy threats to a medical facility and its patients. This vulnerability is a downside of the rapid emergence of healthcare IoT, which neither the equipment makers nor medical practitioners were prepared for. For now, healthcare institutions and legislative bodies are working hard to catch up and impose medical security practices, yet many facilities remain drastically behind the curve.
In the light of grave consequences for human health and life, as well as possible financial and reputational harm to a medical facility, being ill-prepared for IoMT security violations is off-limits for healthcare executives.
It’s high time you homed in on making your healthcare IoT impregnable, and this article will serve as a guide on this journey. Read on and learn about the most common security threats that an average Internet of Medical Things is susceptible to and, most importantly, the ways to shield your connected healthcare environment against conceivable cybersecurity risks.
What Makes IoMT Vulnerable?
Put into practice, the Internet of Medical Things is a vast and miscellaneous entity, often amounting to thousands of connected devices. On average, between 15 and 20 medical devices for monitoring and treatment are implemented in a single ward in the U.S. This number is only predicted to grow: According to a study by Frost & Sullivan, by 2020 the number of operating appliances – from insulin pumps to pacemakers, from imaging systems to MRI scanners – will reach up to 30 billion globally.
So, on the face of it, detecting vulnerabilities in such a system is similar to looking for a needle in a haystack. In fact, there is a definite pattern of security flaws that most healthcare IoTs are susceptible to, and being aware of them is a stepping stone to rendering the system invincible.
See also: Why Medical Records Are Easy to Hack
Let’s go over the most common weak spots of an average IoMT infrastructure.
IoMT emerged surprisingly swiftly and in a sense caught medical authorities off guard. Healthcare facilities were unable to build designated environments from scratch due to monetary or time constraints, so the majority established their medical IoT on their legacy systems.
These systems were flawed and outdated more often than not, lacked crucial cybersecurity controls or all of the above. With time, a small share of organizations revamped their legacy systems, while the majority, according to a Forescout report, still operate on the Windows versions that are to expire by 2020, which would leave them unsupported and highly vulnerable to cybersecurity breaches.
Outdated Medical Devices
Medical devices used to be designed with no or few security considerations, and this used to suffice, as they were standalone, and threats were close to zero. Now, healthcare IoT requires medical devices to be connected within a single network, making outdated hardware a potential source of critical data exfiltration.
Apart from this, a fair share of older medical devices are not in line with the cybersecurity guidelines of the Food and Drug Administration (FDA), require manually implemented patches or are beyond repair, which makes them exposed to all kinds of internal and external security threats.
The undeniably positive trend toward increasing the number of connected medical devices has a downside: It expands the attack surface. The vaster the medical network becomes, the more foothold cybercriminals gain for infiltration. Besides, the devices commonly come from a variety of vendors, which complicates compatibility between the tools and hinders unified security measures.
Best Practices to Mitigate IoMT Security Risks
When you have a vast IoMT legacy system that you do not plan to shift away from anytime soon, limit the potential attack surface by segmenting your medical IoT.
The segmentation principle rests on individual needs and priorities: You can separate vulnerable devices only from the main network or segregate them based on their function or user types. Also, the FDA guidelines insist on separating unpatchable devices from the rest of the network and minimizing the traffic to them.
Applying this unsophisticated measure, one can successfully isolate potentially vulnerable tools from sensitive data and more secure devices, and prevent a possible malware infection from spreading across the network. Segmentation also facilitates supervision of the disparate IoMT environment.
Regular Updating and Patching
Thorough updating and security patching can become an effective preemptive measure against data breaches. However, because the medical IoT system consists of software and hardware from miscellaneous vendors, expect patch and update releases to be numerous and irregular.
This can be managed in two ways: by appointing a dedicated team to implement new versions and bug fixes as soon as they come out or automatically streamlining this process, which will require elaborate development.
Another challenge of updates in medical facilities, especially in intensive care wards and such, is that a great many life-sustaining devices cannot become inoperative even for several seconds.
Protected health information (PHI) is a coveted prize for cybercriminals who target healthcare facilities, and, in a medical IoT environment, data is more ubiquitous than ever. There is a constant flow of patients’ information within the network of devices, and a fair amount of critical information is stored on servers and devices – all an easy target unless protected.
Encryption is a baseline measure for securing the integrity of PHI. The encryption process involves using a specific algorithm to render data incomprehensible, decipherable only with a confidential key. Encryption keys should also be properly secured, and access to them should be limited to select people. Therefore, in the worst-case scenario when PHI does get stolen, a threat actor could hardly access the data or assign any meaning to it.
See also: Insurance and the Internet of Things
Machine learning (ML) can help diminish security concerns related to the Internet of Medical Things. It can serve as an extra-sensitive risk detector, recognizing suspicious activities across all the network’s devices and endpoints in real time. Beyond that, ML can monitor data exchange within the facility as well as with external entities and detect anomalies in the data flow. The technology can also be leveraged for predicting system vulnerabilities, analyzing the facility’s big data and recommending corresponding security measures.
Still, for the time being, machine learning is too young as a technology to be left to its own devices, so considerable human supervision and correction is still required.
With IoMT, It’s Better Safe Than Sorry
Internet of Things has proven to be a disruptive technology for healthcare, used to diagnose more accurately, monitor treatment progression closely and perform sophisticated procedures, to name but a few applications. At the same time, the IoMT environment is very complex, demands financial investment and upkeep and, among all things, can be the loophole for a security breach or a data loss.
Still, it is better to prevent than to treat problems, and health professionals know this like nobody else. Do not wait for the worst to happen – instead, be aggressive and implement relevant security measures to keep your facility and patients from harm. After all, with so much at stake – money, reputation, health and even lives – inaction is inexcusable.