
IoMT Security Is a Process (And a Program), Not an Event: 5 Tips for Securing Connected Devices

Image Credit: DedMityay/BigStockPhoto.com

Connected devices have changed patient care by enabling less invasive surgery, real-time data, fewer medical errors, remote monitoring, and cost and time savings compared with the days of paper charting. But connected medical devices also bring a serious cybersecurity and privacy risk into healthcare environments, because the devices that make up the Internet of Medical Things (IoMT) were not always designed with security in mind.

As healthcare delivery organizations integrate more devices into their operations, legacy IoMT systems running outdated operating systems, and even new devices shipped with weak or default passwords, raise the risk of compromise and of patient data being breached and exfiltrated. A compromised IoMT device can also serve as a foothold from which attackers reach the rest of the network. The danger extends to organizations where other Internet of Things (IoT) and operational technology (OT) devices operate on the same network as IoMT devices without proper segmentation or isolation.

When any device on the network, a laptop for example, is compromised, self-propagating malware scans for unpatched hosts running older operating systems (as medical and IoT devices often do) to land on and spread from inside the enterprise. Medical records are highly valued on the digital black market, so medical devices are natural targets. Locking up a central image server or a CT scanner even for a day disrupts patient care enough that hospitals come under pressure to pay whatever ransom the attackers demand.

Connected device security is a process

Short of disconnecting every device and reverting to 19th-century medical practice, there is no way to eliminate cyber risk from today’s healthcare environments (some hospitals train staff to disconnect as many devices as possible when a threat is detected, in what is known as a “Code Dark” situation). But sticking our heads in the sand is not an option either, especially when human lives are at stake. Indeed, a recent Ponemon Institute study found a correlation between cyberattacks and negative patient outcomes in hospitals that are breached.

Fear of security breaches should not stop a healthcare organization from embracing the latest and greatest that digital transformation has to offer. Diligent adoption of security tools can help alleviate these fears, first by giving the organization visibility of its medical devices, and then by helping security teams move toward the ultimate goal of tracking the IP address of every medical device and every flow of communication in the organization, monitoring all transactions and ensuring patient safety.

Five stage maturity model

Zero Trust has emerged as a foundational cybersecurity concept that can be applied to improve network, device, and user security. Prior to Zero Trust, organizations focused their efforts on securing the network perimeter and assumed internal assets and internal communications were trusted and protected. But under that type of model, when an attacker breaches an organization's perimeter defenses, they can move freely across networks and cause extensive damage.

With a Zero Trust strategy, security is never assumed; instead, the philosophy is "never trust, always verify." Instead of one-time access decisions, security is addressed dynamically, always adapting to observed changes in the environment. Developing a strategy for securing devices using a Zero Trust approach is imperative. Even if the task seems daunting, any progress improves the organization’s security and moves it closer to a Zero Trust posture. To do so, we recommend a five-step “maturity model” built on these best practices:

  1. Establish an asset inventory: This stage includes creating a complete, accurate, and up-to-date asset inventory by automating discovery and classification for all known, unknown, and new devices, in addition to identifying risks.
  2. Assess vulnerabilities and risks: This stage encompasses creating a risk-based view of connected devices by combining device vulnerability insights, establishing device behavior baselines, and reviewing external threat intelligence inputs to gain a comprehensive view of the attack surface, guiding security efforts.
  3. Accelerate incident response: This stage uses connected device insights and the risk-based view from the previous stages, combined with business context, to help teams understand device risk in their unique environment, prioritizing risk mitigation and incident response efforts.
  4. Proactively protect mission-critical devices: In this stage, teams develop and implement proactive measures such as Zero Trust segmentation to reduce the attack surface ahead of threats, enabling teams to focus on more complex threats.
  5. Optimize security: At this stage, teams continue to build on the foundation they have created to expand and optimize their security methods with automation, optimized workflows, and integrations, aligning and scaling with organizational demands.

As step five shows, connected device security has no defined end point; it is a continuous, virtuous cycle of improvement. Many leading healthcare systems have implemented medical device security programs following this model. Each has matured from establishing a comprehensive inventory of connected assets to proactive security engagement, with continuous reevaluation and program optimization to maintain Zero Trust.

Security is a team sport

Developing a medical device security strategy and implementing the five-stage maturity model successfully is a “team sport.” Achieving and maintaining a Zero Trust posture requires close collaboration between cybersecurity, IT, and healthcare technology management (HTM) teams rather than the siloed operations typical of many organizations. This is critical because of how hyperconnected devices and enterprises are today.

This collaboration is essential when we consider the earlier example of devices running outdated operating systems that cannot be patched. Clinical engineering teams need to work with their networking and security teams to segment these devices so that they can remain in operation while limited to a known, baseline set of communications. That means the teams must work together to determine what is in their environment and what behavior is normal for each device.
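As an added illustration of what "limited to baseline communications" looks like in practice (this is example code written for this page, not Ordr's product or code, and it describes no real device): the Python below reads a constructed NetFlow-style export for a hypothetical legacy CT scanner at 10.20.5.17, builds a baseline of the peers, protocols and ports the scanner used during a learning window, renders that baseline as a Cisco-style allow-list ACL with a logging deny at the end, and classifies new flows against it. Every address, port and log line is constructed; the DICOM (104) and HL7 (2575) peers are assumptions for the sake of the example.

```python
"""Baseline the observed communications of an unpatchable IoMT device and
turn that baseline into an allow-list segmentation policy.

Added example for illustration only; not a vendor's code. All addresses,
ports and log lines below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


SCANNER = "10.20.5.17"  # hypothetical legacy CT scanner that cannot be patched

# Constructed NetFlow-like export captured during a learning window.
LEARNING_WINDOW = """ts,src,dst,proto,dport
2024-03-01T08:00:01,10.20.5.17,10.20.9.40,tcp,104    # DICOM to PACS
2024-03-01T08:00:05,10.20.5.17,10.20.9.41,tcp,2575   # HL7 to interface engine
2024-03-01T08:01:00,10.20.5.17,10.20.1.10,udp,53     # DNS
2024-03-01T08:01:02,10.20.5.17,10.20.1.11,udp,123    # NTP
2024-03-01T08:02:10,10.20.9.40,10.20.5.17,tcp,104    # PACS querying the scanner
2024-03-01T08:05:00,10.20.5.17,10.20.9.40,tcp,104    # repeat of the first flow
"""

# Constructed flows seen after the policy is in place.
NEW_FLOWS = [
    Flow("10.20.5.17", "10.20.9.40", "tcp", 104),      # normal DICOM push
    Flow("10.20.5.17", "198.51.100.23", "tcp", 445),   # outbound SMB to the internet
    Flow("10.20.7.88", "10.20.5.17", "tcp", 3389),     # RDP from a user VLAN
    Flow("10.20.7.88", "10.20.9.40", "tcp", 80),       # does not involve the scanner
]


def parse_flows(text):
    """Parse 'ts,src,dst,proto,dport' lines; '#' starts a comment, header is skipped."""
    flows = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("ts,"):
            continue
        _ts, src, dst, proto, dport = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def build_baseline(flows, device):
    """Set of (direction, peer, proto, dport) tuples the device was observed using.
    Repeated flows collapse into one entry; flows not touching the device are ignored."""
    baseline = set()
    for f in flows:
        if f.src == device:
            baseline.add(("out", f.dst, f.proto, f.dport))
        elif f.dst == device:
            baseline.add(("in", f.src, f.proto, f.dport))
    return baseline


def render_acl(device, baseline):
    """Cisco-style extended ACL: permit exactly the baseline, deny and log everything else."""
    rules = []
    for direction, peer, proto, dport in sorted(baseline):
        if direction == "out":
            rules.append(f"permit {proto} host {device} host {peer} eq {dport}")
        else:
            rules.append(f"permit {proto} host {peer} host {device} eq {dport}")
    rules.append(f"deny ip host {device} any log")
    rules.append(f"deny ip any host {device} log")
    return rules


def evaluate(flow, device, baseline):
    """Classify a flow that touches the device: 'permit' if it is in the baseline,
    'deny' otherwise, 'not-applicable' if the device is neither endpoint."""
    if flow.src == device:
        key = ("out", flow.dst, flow.proto, flow.dport)
    elif flow.dst == device:
        key = ("in", flow.src, flow.proto, flow.dport)
    else:
        return "not-applicable"
    return "permit" if key in baseline else "deny"


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(LEARNING_WINDOW), SCANNER)
    print("\n".join(render_acl(SCANNER, baseline)))
    for flow in NEW_FLOWS:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: "
              f"{evaluate(flow, SCANNER, baseline)}")
```

The deny rules log rather than silently drop so that a legitimate flow missed during learning (a vendor remote-support session, a monthly calibration upload) shows up for review instead of breaking a clinical workflow unnoticed. That is also why the learning window must be long enough to see infrequent but legitimate traffic, and why the resulting baseline should be reviewed with clinical engineering before enforcement.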

Medical device security requires collaboration among security, biomedical/HTM, and IT teams, ideally using a connected device security solution that delivers value for all three. This gives the organization a single source of truth for asset inventory and context that can be shared across the teams, rather than reconciling data from multiple siloed tools. A connected device security solution can discover and classify devices, deliver granular insights (make, model, operating system, etc.), and identify vulnerabilities by determining the exact OS and patch versions running on those devices. Such a solution can also automatically detect attempts to exploit device vulnerabilities and enforce security policies, accelerating threat prevention and mitigation and reducing the manual effort required of security teams.

A successful medical device security program also requires buy-in from healthcare leadership, development of a strategy with clear milestones, and alignment to security frameworks such as NIST and 405(d). Finally, programs and processes need to be implemented to ensure that as new medical devices are purchased, they meet security and device hardening requirements, and are secure throughout their entire lifecycle—onboarding, deployment and end-of-life.

Author

Gnanaprakasam Pandian is chief product officer and co-founder of connected device security company Ordr. He has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the chief development officer at Aruba, responsible for engineering and product management.
