Security

What Makes IoMT Devices So Difficult to Secure?

Critical to mobility and long-distance care, the devices pose unique security concerns that require special vigilance.

Andrew is the web editor for HealthTech magazine. His experience includes marketing for a major IT services company and digital strategy for WashingtonExec.

It wasn’t long ago when healthcare technology — and protecting it from harm — was relatively straightforward. In most cases, landlines and desktops reigned supreme; networks existed inside an organization’s own walls.

Times have changed: Technological advancements and a growing number of use cases for mobility are easing clinical workflows and transforming care. One area of development, the Internet of Medical Things, is key to that evolution.

IoMT devices are poised to save the healthcare industry $300 billion annually, according to Goldman Sachs, primarily through remote patient monitoring and improved medication adherence that can curb readmissions and positively affect reimbursements.

With progress, however, comes new challenges. IoMT devices can be more difficult to monitor and protect than other wireless tools — and many find their way onto a given network without an IT department’s blessing. More than 60 percent of all medical devices are exposed to some degree of risk, according to a recent report from healthcare cybersecurity company CyberMDX.

Deloitte predicts the market for these connected medical devices will grow from $14.9 billion in 2017 to $52.2 billion in 2022. It’s crucial, then, for healthcare systems to understand the vulnerabilities of IoMT tools and how to protect them — both today and in the future.

Exactly How Vulnerable Are IoMT Devices?

Healthcare has become the most targeted industry for cybercriminals, the American Journal of Managed Care finds, with as many as one-third of all U.S. patient data breaches occurring in hospitals.

The CyberMDX report notes that the U.S. is home to some 120 million connected medical devices and clinical assets — all of which are vulnerable to attack.

One of the latest security issues to impact medical devices — BlueKeep — is yet another reminder. A weakness in Microsoft’s Remote Desktop Protocol service, BlueKeep is feared by security teams because it could be deployed as a worm in a similar manner to EternalBlue, which helped power the WannaCry attack that affected tens of thousands of medical tools in England and Scotland.

Large or small, such breaches happen for a reason: “There’s a low threshold of entry on those devices,” says Charles Christian, vice president of technology for Franciscan Health, which operates 14 hospitals in Illinois and Indiana. “Once you’re in, you’re in, and those devices are able to be used as tools in a denial of service attack.”

“WannaCry didn’t just impact computers, it impacted medical devices,” Christopher Frenz, associate vice president of information security for Interfaith Medical Center in Brooklyn, N.Y., said last week at the CDW Protect SummIT in San Antonio. “And losing a medical device is a problem.”

The problem is so great that at least 10 U.S. hospitals reported they had to turn away patients last year after being compromised by ransomware.

Despite repeat warnings of the potential for this type of attack, many Windows systems remain at risk. CyberMDX’s 2020 Vision report states that 22 percent of all Windows devices found in a typical hospital are susceptible to BlueKeep, primarily due to a lack of relevant patching. Among all connected medical devices running on Windows, that figure more than doubles.

INSIDER EXCLUSIVE: Watch a video about new Zebra Technologies tools designed to improve care delivery.

The Human Risk Associated with IoMT Devices

Internal misconduct accounts for 56 percent of all incidents in healthcare, making it the only industry where cyberharm is more often inflicted by insiders, a Verizon report finds. While the vast majority of those threats are unintentional, they still pose a danger.

IoMT devices have one inherent weakness that could be addressed to reduce these incidents: passwords.

“We’ve seen there was at least a couple of massive denial of services attacks that were done by using IP-based security cameras that had a default password in it, that couldn’t be either easily changed or changed at all,” says Christian.

Russell Jones, a partner with Deloitte’s Cyber Risk Services, considers the use of hard-coded credentials and passwords as the No. 1 vulnerability associated with IoMT.

“From the kinds of attacks that we’ve seen out in the wild, hard-coded credentials or hard-coded passwords that are tied to a privileged account with permissions to do anything in a system are a huge vulnerability,” Jones told HealthTech in an interview.

The value of eliminating passwords for security purposes was echoed by other security professionals this month at CDW’s Protect SummIT.

“I do want to see passwords eliminated,” Theresa Payton, CEO of Fortalice Solutions and former White House CIO, said in her conference keynote. “My worry about our push to no passwords, however, is that it’s just replaced with something else.”

Why Organizations Struggle to Protect Devices Effectively

The shift is easier said than done. Eighty percent of device makers and healthcare delivery organizations report that medical devices are “very difficult” to secure, the CyberMDX Clinical Connectivity report notes.

Lack of knowledge or training on secure coding practices and pressures on development teams to meet product deadlines are top pain points. Intended longevity adds further complications.

“A lot of the healthcare devices that we consider to be Internet of Medical Things, those devices are built to last 10, 15, 20 years,” says Jones. “There is no real fix, except to upgrade to the next generation of device.”

That’s often not economically feasible, he adds. Most organizations are trying to juggle and prioritize many different priorities — deciding between security or a new MRI machine, for instance — which can make devices on a network easy targets for outside actors.

“Typically, the organizations that own those devices have had them for years because they have a long service life,” says Christian. “They’re not able to do the routine security patching because they're considered a medical device. Therefore, if you go patch it beyond what the vendor says you can, then you’re going to void your warranty.”

Those barriers could explain why almost 50 percent of endpoints on hospital networks are unmanaged devices, says CyberMDX. One-third of respondents in the company’s Clinical Connectivity report affirm their organization has no program in place to regularly profile or monitor connected devices.

How to Actively Protect Your IoMT Devices

As clinical staff place more of a demand on IoMT devices — and the tools become an integral part of care — security teams must find a way to manage them securely and effectively.

Here are some steps you can take to protect your IoMT devices:

Start with the basics: The first step is changing your device passwords and gaining visibility into what’s on your network. “You can't secure something if you don't know it exists,” says Jones. For the devices that you know already exist and can’t be patched, start by addressing their vulnerabilities and putting better detection controls around them. Enhance the level of logging and monitoring of network traffic and other devices that talk to that device.
Introduce network segmentation to prevent unauthorized access: Allowing devices to talk across your network without limits poses a major liability, essentially giving hackers a highway to data anywhere on the network. CyberMDX reports that 99 percent of lateral device-to-device communications are functionally unnecessary, so consider how you can segment your network to mitigate risk. “One of the things that we’ve done is what we call a clinical network,” says Christian. “All that equipment is segmented out to that network segment. For those that we know the OS is at risk, we put them behind unified threat management, which basically is a mini firewall that only allows certain traffic.”
Update any existing security tools and processes: Nothing should be connected to your network without first doing a cybersecurity risk assessment. “Just because somebody tells you, ‘Oh, don't worry, it's not going to connect to the network,’ doesn't mean that it's not going to connect to the network,” says Christian. “You have to be cautious. Sometimes people in the medical field have a tendency to trust first, and then be cynical after something happens. I think that there's got to be a healthy balance between the two. That's why it takes more than one set of eyeballs to look at these things and make a decision.”

stockvisual/Getty Images