What Is Internet of Medical Things (IoMT) Security?

IoT is viewed as a business enabler in most industries, but medical IoT plays a different role in healthcare. IoMT use cases include:

• Remote patient monitoring
• Hospital asset tracking
• Patient and staff tracking
• Smart hospital solutions
• Remote care delivery

IoMT Security Challenges

One of the main drawbacks of IoT in healthcare is weak security. Most IoMT devices were not designed with security in mind, which makes them especially vulnerable to compromise. IoMT demands better security because, unlike other industries, a security breach in a healthcare network can quite literally become a matter of losing lives.

Some of the key security challenges in healthcare related to connected medical devices include:

• Vulnerabilities
• Data privacy
• Malware and ransomware attacks
• Interoperability
• Legacy systems

IoMT Security Risks

Unit 42 researchers at Palo Alto Networks analyzed crowdsourced data from security assessments of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks. This topic is of critical concern for providers and patients because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data.

The published findings show an alarming 75% of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of 40 known cybersecurity vulnerabilities. Alerts showed they had one or more of 70 additional types of known security shortcomings for IoT devices.

Clearly, healthcare is a prime target for attackers. This heightens the concern around connected medical devices, because any exploited vulnerability enables cybercriminals to take malicious actions. Attacks on connected medical devices can pose significant risks healthcare organizations and their patients, including:

• Patient safety
• Data breaches
• Ransomware
• Malware attacks
• Device hijacking
• Regulatory compliance problems

Medical IoT Security Vulnerabilities

There is already a vast array of information about known vulnerabilities and approaches for securing these devices. This is a result of the efforts of medical equipment makers, security researchers, cybersecurity vendors and regulators who have spent the past decade working to better understand cyber risks associated with use of infusion pumps and other connected medical devices. For example, the U.S. Food and Drug Administration (FDA) announced seven recalls for infusion pumps or their components in 2021, and nine other recalls in 2020.

There are also initiatives led by industry and government aimed at standardizing device information and establishing baseline security criteria for manufacturing these devices. Yet the average infusion pump has a life of eight to 10 years. The widespread use of equipment whose functional life is much longer than the life of its operating system has hampered efforts to improve security.

IoMT Security Best Practices

Security for connected clinical devices needs to be taken seriously, making it vitally important for all healthcare security leaders to implement connected medical device security strategies. A robust medical device security strategy can alleviate healthcare organizations’ worries about cyberattacks and allow them to focus on delivering positive patient care and outcomes.

IoMT security recommendations include:

• Ensure visibility and risk assessment of all connected medical and operational devices using Device-ID policies
• Apply contextual network segmentation and least-privileged access controls
• Continuously monitor device behavior and prevent known and unknown threats
• Simplify operations

Healthcare organizations with vulnerable clinical and nonclinical devices on their network might also consider the IoT or IoMT Security lifecycle approach (figure 2). These are steps that can be taken immediately to reduce exposure to medical device threats.

1. Discover all IoT devices, managed and unmanaged, clinical, and nonclinical.
2. Assess the risk of all devices with continuous monitoring.
3. Define and enforce policies to only allow trusted behavior.
4. Prevent any known IoT attacks.
5. Detect and respond to unknown IoT threats.
6. Implement steps 1-5 in coordination with holistic clinical device management.

Zero Trust: The Key to Effective Connected Medical Device Security

Healthcare organizations face an urgent need to tackle the security challenges related to connected medical devices. The most basic step in securing connected medical devices begins with a Zero Trust security approach (figure 3). By doing this, healthcare IT teams will be empowered to take a prevention-first instead of an alert-only approach to keeping connected medical devices safe.

A Zero Trust security framework requires internal and external users to be continuously authenticated, authorized, and verified for security configuration and posture before being granted or retaining access to applications and data. Users are granted access on a need-to-have basis and keep it only so long as there is a valid need.

Key steps to establishing aZero Trust security posture include:

• Gain complete, accurate visibility of all connected medical devices.
• Understand the risk posture associated with all connected clinical devices.
• Leverage machine learning to accurately profile and segment all connected medical devices and other IoT devices.
• Apply fine-grained least privileged policies to devices based on classifications.

Zero Trust allows healthcare organizations to take advantage of the connected clinical devices’ many benefits without being susceptible to cyberthreats that can compromise patients’ safety and privacy. In addition, it protects them from other attacks such as ransomware.

IoMT Security FAQs