Use of the Internet of Medical Things (IoMT) in hospitals is growing. IP addressable medical technologies help deliver personalized care more quickly, give healthcare professionals access to real-time data to improve diagnosis and treatment plans, and streamline processes to help save hospitals money. But their wider use increases the risk of a breach and the complex environment in which they operate presents challenges when trying to protect them.
The Internet of Medical Things is the subset of IoT technologies that exist within healthcare ecosystems. Put otherwise, IoMT refers to the mesh of connected medical devices deployed within hospital networks. These medical devices are used to support clinical operations, medication management, remote healthcare, on-patient or in-patient monitoring, and diagnostics. In 2017, investments in IoMT and related technology services amounted to $56 billion.
Where Did IoMT Come From?
The Internet of Medical Things is in every sense a natural outgrowth of the Internet of Things. I’m sure I don’t need to tell you that over the last several years the Internet of Things has become a huge opportunity for businesses thanks to advances in miniaturization, sensor technology, wireless connectivity, agile processes, elastic infrastructures, data storage capacities, and data processing techniques.
Healthcare is not immune to these lures and the development of healthcare-specific applications for such breakthrough technologies was inevitable. Miniaturization, for example, means that remote telemetry (and control) can be introduced to a much wider range of medical procedures and practices – allowing us to be more precise, more data-driven, and more rapidly responsive in our biological interventions. For another example, by adding transmitters and receivers to critical biomedical systems and network edges, we gain Superman-like X-ray vision to guide us where we were previously blind.
There's been an explosion of interest around IoMT and hospitals are struggling to keep up. As Jorge Rey, CISO and Director of Information Security at Kaufman Rossin, put it, "[hospitals are eager to] integrate these devices into operations to improve patient care. But by doing this they're creating new attack vectors – another area of risk for the hospitals." Specifically, networked devices create a backdoor to clinical IT networks, which, when not properly locked and monitored, can give bad actors a direct line to the soft underbelly of the healthcare industry.
In fact, the threat of network-based vulnerabilities being exploited to devastating effect is so acute that the UK’s National Cyber Security Centre recently warned that the near-term occurrence of a major life-threatening cyber attack was “in little doubt”. With lives literally on the line, the question on many minds is whether the added connectivity is really worth the trouble.
As strange as it may seem, the answer is a clear unwavering yes. Here’s why.
Why IoMT is a Positive Game Changer
Data collected from one or more devices can be translated into lifesaving insights
With a well-designed bioinformatic model and a sufficiently large sample size, smartly applied big data insights can lead to life-saving/improving outcomes. Healthcare professionals can select the best treatment plan and, with the benefit of a continuous feedback loop, alter it as needed.
Advanced manufacturing techniques have made medical devices lighter, smaller, and cheaper — increasing their field of use
Miniaturization coupled with modern wireless technologies such as BLE (Bluetooth Low Energy), NFC (near-field communication) and ZigBee, means a new generation of wearables that can be used for cases that need real-time monitoring. These smaller portable devices also increase the number of conditions that can be treated remotely, making it easier for the patient and taking the pressure off busy hospital clinics.
Using devices to automate some aspects of patient care means resources can be leveraged to greater effect
Skilled clinicians can be allocated to higher priority interventions and recalled to the patient only if there’s an emergency. Furthermore, electronic health records that store everything from a patient’s medical history, through diagnoses, to medications and test results, can be populated directly, removing another costly human intervention.
These technological innovations bring the promise of Smart Hospitals closer
Data can be drawn from medical devices and other technology assets and used by modern techniques, such as advanced analytics or artificial intelligence, to optimize operational processes and improve patient care.
IoMT Security Challenges
Without smart tooling and automation, keeping track of possibly thousands of devices is well-nigh impossible
Unlike other critical IT assets, connected medical devices are often not visible in the hospital’s Security Information and Event Management (SIEM) or medical inventory management systems. Many IT heads don’t have an up-to-date inventory of how many connected devices they have in deployment, where they are physically, the intended use patterns for those devices, how they connect to the network, and what vulnerabilities they’re exposed to.
In a sprawling medical campus encompassing thousands of devices big and small, closing this gap can be a Sisyphean challenge. The proliferation of personal network devices only exacerbates the problem.
Picture the devices as a field of dots, all moving. As some leave the boundaries of the picture, still more enter. The job of a hospital's IT security team is to note each dot, note its origin, note its interactions and trajectories, note its defining characteristics, note what "bad" dots look like, block the bad dots from interacting with other dots, cluster all the remaining dots into a handful of distinct groupings, move each grouping into a separate "flow lane", make sure that the lanes remain self-contained and traffic moves in an orderly fashion, check the work, and repeat. Undertaken manually, it's a near-impossible task.
There are challenges in securing a mix of devices from different manufacturers
The medical device industry isn’t a single vendor, single product marketplace. Each manufacturer and device has its own proprietary communication protocol with its own security implications that, when not properly understood, configured, and maintained, could lead to vulnerabilities. Additionally, the required interoperability between different device types is often achieved via improvised workarounds, at the hands of personnel who frequently lack even basic cybersecurity awareness and wherewithal — opening the door to even more threats.
A multi-player environment leads to security ownership issues
The responsibility for securing devices is spread among several key stakeholders. Hospital administrators often think device manufacturers are responsible for the IoMT security of their devices; device manufacturers think the responsibility lies with the hospitals because of the ever-changing network threat landscapes that those devices exist within. This gap in expectations is often not addressed explicitly and most operations don’t realize it’s there until disaster strikes.
Servicing, patching, and otherwise updating critical equipment is a dance with the devil
It is difficult for hospitals to forecast operational intensity and capacity as emergencies make up a large share of the burden placed on hospital infrastructure. By definition, emergencies are unexpected. This makes planning for service-related or update-related downtime very tricky. This is even more the case when that servicing needs to be coordinated and pre-arranged with a technician sent by the manufacturer. Of course, unplanned downtime is altogether dangerous.
Medical devices are often connected to legacy infrastructure that’s been developed over many years
A patchwork of systems, networks, and components using different operating systems, communication protocols and data stores is messy and difficult to maintain. Where IoMT security measures are found, they’re likely to be undermined by vulnerable, out-of-date, or otherwise insecure configurations that exist at other points within a shared digital infrastructure.
Despite the best intentions of manufacturers, some medical devices already contain vulnerabilities when they’re released
The average medical device takes 5-6 years from when it's finished being designed until the time that it is approved by the FDA and enters the market. That means that the technology used in even the newest devices is 5+ years old. That’s a hell of a head start to give to hackers and malicious actors poring over that same technology applied elsewhere, looking for weak points.
By the time the medical device sees action, it is likely to have exploitable vulnerabilities – some publicly known and some known only to cyber criminals intending to seize on them. The public vulnerabilities can at least in theory be fixed quickly, but the responsibility for monitoring those vulnerabilities and coordinating the necessary patches or reconfigurations through the manufacturer falls squarely on the hospital.
Where this responsibility is neglected or relegated to less-than-urgent priority, it leaves the door wide open to a vulnerability being exploited in the wild. Of course, those vulnerabilities that are not publicly known can lurk until a diligent researcher, after-market security provider, or cybercriminal purposefully probes the device.
Busy clinical staff often lack basic cybersecurity awareness
In the spirit of professional collaboration, they might inadvertently share sensitive information through a publicly accessible and searchable forum, click through a malicious link in a seemingly innocuous email, or switch off a network monitor that’s central to system security.
IoMT security needs to also work around the fact that operations are so critical and workloads so heavy that there is an ever-present fear of changing or even directly interfacing with the network architecture. This obviously presents a challenge when it comes to improving or managing that architecture from a security point of view.
Where to Go from Here
Medical devices, connected through the Internet of Medical Things, are now a valuable part of a hospital’s technology environment and security management needs to be smart, fast, effective, and non-disruptive. The solution here is not so simple as cutting off multidirectional network communications, and intelligently restricting those communications requires ongoing monitoring and management as well as a deep understanding of medical device communication protocols and normal traffic patterns.
This is complicated to be sure, but it’s not impossible. A dynamic, integrative, continuous, and multi-layered solution is required. Done right, it will be a constant struggle; but you will be better for it, and your hospital will be much safer.
The complications associated with IoMT security – including the lack of operational/asset visibility, the pervasive multi-device multi-manufacturer reality, the need for interoperability, the lack of manufacturer ownership of the threat, the patchwork multi-generational technology infrastructure typical of hospitals, the fear of changing or even directly interfacing with the network architecture, the absence of context-aware firewall intelligence, the proliferation of personal network devices, the fact that operational continuity is literally a matter of life and death, and the absence of general cyber awareness among staff – are not easy things to contend with. But these challenges must be met and addressed all the same.
As with anything, you'll need to take stock before you can take control. These are the basic steps to securing an IoMT environment:
- Prepare an inventory of connected devices and clinical assets spanning the entirety of your hospital network.
- Make sure that your inventory includes vital information for each device – including device type, manufacturer and firmware version, the other devices or network services involved in its normal use, its clinical function and criticality, etcetera.
- Devices should be audited for known vulnerabilities and all relevant patches should be implemented.
- Custom security access policies / VLAN configurations should be defined for each device type, criticality group, and risk profile, enforced through your NAC or firewall, and fed into your SIEM so that violations are logged and alerted on.
- Default passwords should be changed.
- Data encryption, both in transit and at rest, should be standardized.
- Bring Your Own Device policies should be determined and enforced for staff.
- Cyber education and training programs should be rolled out.
- Wi-Fi connections should be secured (for example WPA2/WPA3-Enterprise with per-device credentials, rather than a single shared pre-shared key for every device in the building).
- Network traffic should be automatically scanned for unusual behavior on an ongoing basis.
- Deviation thresholds for normal network traffic behavior should be established per device (or device type) from a recorded baseline, and automated alert triggers should be set.
- An incident response and escalation protocol should be clearly defined and rehearsed.
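The inventory, allow-list and deviation-threshold steps above fit together into one small check, shown here as an added example in Python; it is not code from the original article. The device addresses, ports, VLAN numbers and traffic figures are constructed for illustration, and the hourly flow records stand in for what a NetFlow/IPFIX collector would export. Each flow is tested against three of the list's requirements: the source must be in the inventory, the destination and port must be on that device's allow-list, and the device's hourly volume must stay under a threshold derived from its own baseline (mean plus k standard deviations).

```python
"""Inventory-driven flow checker for an IoMT network segment.

Added example, not code from the original article. All device names,
addresses, ports and traffic figures below are constructed.
Checks applied to one hour of observed flows:
  1. the source must be a known, inventoried device;
  2. the destination and port must be on that device's allow-list
     (the peers it needs for its clinical function, nothing else);
  3. a device's total hourly volume must stay under a threshold learned
     from its own baseline (mean + k standard deviations).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed inventory keyed by device IP. 'allowed' holds the (peer, port)
# pairs seen during normal clinical use; 'baseline' holds hourly byte counts
# recorded over a quiet period. All values are hypothetical.
INVENTORY = {
    "10.20.1.11": {
        "type": "infusion_pump", "vlan": 210,
        "allowed": {("10.20.9.5", 443)},                      # pump management server
        "baseline": [1_200_000, 1_350_000, 1_100_000, 1_300_000, 1_250_000],
    },
    "10.20.1.12": {
        "type": "patient_monitor", "vlan": 210,
        "allowed": {("10.20.9.8", 2575), ("10.20.9.7", 514)},  # HL7 feed, syslog
        "baseline": [8_000_000, 8_500_000, 7_900_000, 8_200_000, 8_100_000],
    },
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed hourly flow records (what a NetFlow/IPFIX collector might export).
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.9.5", 443, 1_280_000),     # pump, normal
    Flow("10.20.1.12", "10.20.9.8", 2575, 8_050_000),    # monitor HL7, normal
    Flow("10.20.1.12", "10.20.9.7", 514, 40_000),        # monitor syslog, normal
    Flow("10.20.1.12", "203.0.113.9", 445, 12_000_000),  # monitor -> external SMB
    Flow("10.20.1.50", "10.20.9.5", 443, 5_000),         # source not in inventory
]


def deviation_threshold(samples, k=3.0):
    """Upper bound for 'normal' hourly volume: mean + k * population std-dev."""
    return mean(samples) + k * pstdev(samples)


def check_flows(flows, inventory=INVENTORY, k=3.0):
    """Return a sorted list of (device_ip, reason) alerts for one hour of flows."""
    alerts = []
    volume = defaultdict(int)
    for f in flows:
        dev = inventory.get(f.src)
        if dev is None:
            # Unknown talker: either a rogue device or an inventory gap.
            alerts.append((f.src, "unknown device: not in inventory"))
            continue
        volume[f.src] += f.nbytes
        if (f.dst, f.dport) not in dev["allowed"]:
            alerts.append((f.src, f"unexpected flow to {f.dst}:{f.dport}"))
    for ip, total in volume.items():
        limit = deviation_threshold(inventory[ip]["baseline"], k)
        if total > limit:
            alerts.append((ip, f"volume {total} exceeds threshold {int(limit)}"))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, reason in check_flows(SAMPLE_FLOWS):
        kind = INVENTORY.get(ip, {}).get("type", "unknown")
        print(f"ALERT {ip} ({kind}): {reason}")
```

Run against the constructed flows, the pump stays silent (its only flow is on the allow-list and under threshold), the monitor raises two alerts (an unexpected SMB connection to an external address, and an hourly volume far above its baseline), and the uninventoried address raises a third. The per-device baseline is the important design choice: a single hospital-wide threshold would either drown the pump's alerts in the monitor's normal volume or fire on the monitor constantly.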
There’s no silver bullet to comprehensive IoMT security and you’ll never quite be able to kick back and relax. Still, there’s a right way to approach the problem and there’s a wrong way. Ignoring it and hoping it’ll go away is the wrong way. A modus operandi that is methodical, data-driven, context-aware, and rooted in a simultaneously granular and panoramic network perspective is the right approach. Take it one step at a time and please please please take it seriously. There’s a lot at stake.