CHIME Fall Forum 2019: Securing IoMT Devices Requires Collaboration and a Culture Shift
An increasingly large pool of Internet of Medical Things devices has clinicians and developers praising the power to ease workflows and transform care.
But on the IT side, caution — and even worry — can temper the optimism.
That’s because these tools, which operate on hospital networks, are vulnerable to the same cybersecurity threats as legacy connected technologies. Often, though, they’re less protected and tougher to monitor for unusual activity, thus heightening the risk of exposing highly valuable patient data.
“It makes my head hurt how many things are now connected out there that we really need to worry about,” Charles Christian, CTO for Franciscan Health, said on Monday as part of a panel at the CHIME19 Fall CIO Forum in Phoenix.
Eighty-seven percent of healthcare organizations will use IoT devices in some form this year, a 2018 Aruba Networks report found. Among those already doing so, 89 percent last year reported suffering a device-related security breach.
And consequences can be delayed: “The typical hacker sits inside a network for 254 days before they make themselves known,” Christian said.
Fortunately, he and other speakers cited a continued industry shift toward a layered, collaborative defense — one that builds upon existing cybersecurity best practices while keeping the unique behaviors and functions of IoMT devices in mind.
Here are 5 takeaways from their conversation:
Don’t Just Plug and Play
A thorough network and cybersecurity assessment should precede any deployment of IoMT tools, panelists said. Advance planning can surface bandwidth shortfalls and known vulnerabilities, and it lets the team plan for security updates before go-live, all steps toward a safe, seamless operation.
Also crucial is knowing how each of the devices works and what steps must be taken to protect them. Some tools come with few defenses; working with medical device manufacturers and taking internal measures before a new product enters an ecosystem can avoid trouble later.
Embrace Cross-Departmental Collaboration
IoMT protection isn’t just the job of IT teams. Biomedical and clinical engineers, among other departments, need a seat at the table to develop (and refine) robust safety measures, and every group shares responsibility for keeping watch for signs of trouble.
Panelists spoke of friendly collaboration among executive leadership, creating hybrid staff positions in cybersecurity and loaning team members across departments. Regardless of the approach, Christian said, “we’re not worried about turf — it’s about protecting the organization.”
Keep Networks Segmented
Technological shifts have given the practice new applications and urgency. “For the longest time, we did network segmentation based on traffic,” said Wes Wright, CTO at Imprivata, a healthcare IT security company. Now, segmentation helps limit attack vectors.
“At the most primitive level, get biomedical devices on their own network — and put a firewall in between. Ideally, whitelist traffic to those devices and only allow things through you know about in advance,” said Mick Murphy, vice president and CTO at WellSpan Health.
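The policy Murphy describes, written out as an added example that is not code from the panel, Imprivata or WellSpan Health: the biomedical devices sit on their own segment, the firewall between that segment and everything else denies by default, and only flows written down in advance are allowed. The addresses, ports, device roles and the nftables rendering are assumptions made for illustration; the flow records are constructed, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: biomedical devices live on their own VLAN, 10.20.0.0/24.
BIOMED_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str   # "tcp" or "udp"
    dport: int
    note: str    # why this flow is expected; becomes the rule comment


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Everything that may cross the boundary, written down in advance (assumed
# hosts and ports). Return traffic is handled by connection tracking, so only
# the initiating direction is listed.
ALLOWLIST = [
    Rule(_net("10.20.0.0/24"), _net("10.10.5.10/32"), "tcp", 104, "DICOM to PACS"),
    Rule(_net("10.20.0.0/24"), _net("10.10.5.20/32"), "tcp", 2575, "HL7 MLLP to interface engine"),
    Rule(_net("10.20.0.0/24"), _net("10.10.1.5/32"), "udp", 123, "NTP"),
    Rule(_net("10.30.9.0/24"), _net("10.20.0.0/24"), "tcp", 443, "biomed engineering console"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def decide(flow: Flow, allowlist=ALLOWLIST) -> tuple[str, str]:
    """Return (verdict, reason) for one connection attempt.

    Flows that never touch the biomedical segment are outside this firewall's
    scope ("skip"). Anything crossing the boundary is accepted only if a rule
    names it; everything else is dropped.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in BIOMED_NET and dst not in BIOMED_NET:
        return "skip", "does not cross the biomed boundary"
    for r in allowlist:
        if (src in r.src and dst in r.dst
                and flow.proto == r.proto and flow.dport == r.dport):
            return "accept", r.note
    return "drop", "not on allowlist"


def _host_or_net(n: ipaddress.IPv4Network) -> str:
    return str(n.network_address) if n.prefixlen == 32 else str(n)


def to_nftables(allowlist=ALLOWLIST, table: str = "biomed") -> str:
    """Render the allowlist as an nftables forward chain with policy drop.

    Assumes this firewall sits only on the biomed boundary, so the default
    drop on the forward hook affects only traffic to or from that segment.
    """
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in allowlist:
        lines.append(
            f"    ip saddr {_host_or_net(r.src)} ip daddr {_host_or_net(r.dst)} "
            f'{r.proto} dport {r.dport} accept comment "{r.note}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed connection attempts for review, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.10.5.10", "tcp", 104),   # imaging modality -> PACS
    Flow("10.20.0.12", "203.0.113.7", "tcp", 443),  # infusion pump -> internet
    Flow("10.20.0.12", "10.10.7.40", "tcp", 445),   # pump -> file server (lateral move)
    Flow("10.30.9.5", "10.20.0.11", "tcp", 443),    # biomed console -> modality
    Flow("10.10.7.40", "10.10.7.41", "tcp", 445),   # corp -> corp, not this boundary
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow so the policy can be reviewed before it is deployed."""
    return [(f, *decide(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict, reason in audit():
        print(f"{verdict:6} {f.src}->{f.dst} {f.proto}/{f.dport}: {reason}")
    print(to_nftables())
```

The point of keeping the policy as data is that the same list drives both the generated ruleset and the review: a new device or integration is added to the allowlist first, and only then does the firewall learn about it. Note that the infusion pump's outbound 443 and its SMB attempt against a file server are both dropped without any signature for them, which is what "only allow things through you know about in advance" buys you.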
Maintain Device Inventory and Security Hygiene
Although some IoMT devices see frequent use, others may sit dormant or in storage for long periods. When such a device is brought back into service, it may carry outdated software or a missing security patch that nobody is aware of, a gap a robust inventory plan can close.
“You need governance behind anything that’s going to have an IP address,” Christian said. “Know where a device is, its associated uses, its operating system, and whether it can be patched. It’s not easy but it is doable.” To that end, strong network monitoring practices are key.
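An inventory check along the lines Christian describes, as an added example that is not code from Franciscan Health or the panel: each record carries the location, use, operating system and patchability he lists, the audit flags devices that have gone dormant or missed their patch window, and a second check compares what monitoring actually sees on the biomedical segment against the inventory. The devices, dates, thresholds and VLAN are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    location: str
    use: str
    os: str
    patchable: bool
    last_seen: date                # last time it was observed on the network
    last_patched: Optional[date]   # None = never patched since purchase


DORMANT_AFTER = timedelta(days=90)   # assumed: unseen this long counts as dormant
PATCH_SLA = timedelta(days=120)      # assumed: patch window for patchable devices
BIOMED_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed biomed VLAN


def findings(dev: Device, today: date) -> list[str]:
    """Return the hygiene problems with one device as of `today`."""
    out = []
    if today - dev.last_seen > DORMANT_AFTER:
        # The storage-closet case: verify before it rejoins the network.
        out.append("dormant: verify firmware and patch level before return to service")
    if not dev.patchable:
        # Cannot be fixed in place, so it needs compensating controls.
        out.append("unpatchable: keep isolated behind the biomed allowlist; track for replacement")
    elif dev.last_patched is None or today - dev.last_patched > PATCH_SLA:
        out.append("patch overdue")
    return out


def audit(inventory: list[Device], today: date) -> dict[str, list[str]]:
    return {d.name: findings(d, today) for d in inventory}


def unknown_hosts(observed_ips: list[str], inventory: list[Device]) -> list[str]:
    """Addresses seen on the biomed segment with no inventory record."""
    known = {d.ip for d in inventory}
    return sorted(ip for ip in observed_ips
                  if ipaddress.ip_address(ip) in BIOMED_NET and ip not in known)


# Constructed inventory; none of these are real devices or hosts.
INVENTORY = [
    Device("pump-icu-01", "10.20.0.12", "ICU bed 4", "infusion", "vendor RTOS 4.2",
           True, date(2019, 11, 3), date(2019, 9, 1)),
    Device("us-cart-02", "10.20.0.13", "storage room B", "portable ultrasound",
           "Windows 7 Embedded", True, date(2019, 6, 1), date(2019, 1, 15)),
    Device("mri-console", "10.20.0.11", "imaging suite", "MRI workstation",
           "Windows XP", False, date(2019, 11, 4), None),
]

# Constructed list of addresses that monitoring (ARP/DHCP/flow data) reported
# on the biomed VLAN today; 10.20.0.77 is not in the inventory.
OBSERVED = ["10.20.0.11", "10.20.0.12", "10.20.0.77", "10.10.7.40"]

TODAY = date(2019, 11, 4)  # assumed audit date

if __name__ == "__main__":
    for name, problems in audit(INVENTORY, TODAY).items():
        print(name, "->", problems or ["ok"])
    print("unknown on biomed segment:", unknown_hosts(OBSERVED, INVENTORY))
```

The unpatchable branch deliberately does not stop at "flag it": a device that cannot be patched is exactly the one the segmentation allowlist exists for, so the finding names the compensating control. The unknown-host check is the monitoring half of the same governance rule; an address on the biomedical VLAN that no record explains is the first thing to chase.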
Hold Vendors Accountable
The relationship with a device vendor shouldn’t end after a sale. Panelists agreed that ongoing dialogue is crucial, which is why at South Shore Health in Weymouth, Mass., a flag is triggered before any new purchase order is submitted: Are the vendor’s security practices already on file?
“You have to do that interrogation and make sure the vendor will cooperate and be willing to patch and work with you throughout the lifespan of the equipment,” said Cara Babachicos, the organization’s senior vice president and CIO.