Jul 07 2021

5 Steps to Secure Internet of Medical Things Devices

A recent report identified vulnerabilities in Internet of Things firmware. Healthcare systems should take note to secure the many devices on their networks.

Internet of Medical Things (IoMT) devices have been a game changer for the healthcare industry, driving down costs and helping improve patient care and comfort. But their widespread use in hospitals can make them a huge target for cybercriminals, exposing vulnerabilities and posing security challenges.

Healthcare organizations should consider several important steps to strengthen and enforce security for the many devices that keep their operations moving.

Ubiquity and Vulnerability in IoMT Devices

The average hospital room has 15 to 20 connected medical devices. Some IoMT devices include MRI machines, IV pumps, patient monitors, ventilators, therapeutic lasers, smart beds and remote intensive care unit telemetry. Other devices figure prominently in remote wellness and chronic disease monitoring, such as infusion and insulin pumps.

These devices can come under attack as soon as they are placed into service. According to a Netscout report, they can be attacked within five minutes of being connected to the internet. The level of attack is staggering: 63 percent of healthcare organizations in 2019 said they had experienced a security incident related to unmanaged and IoT devices in the past two years.

IoMT devices have unique vulnerabilities. Some use outdated operating systems with known vulnerabilities. As many as 83 percent of imaging devices, such as MRI and mammography machines, run unsupported operating systems, leaving them open to attack.

Firmware also plays a role. A recent report by Forescout identified vulnerabilities in IoT firmware, collectively called NAME:WRECK, that could allow an attacker to take a device offline or gain control over it remotely.

Though they’re widely used, IoMT devices are difficult to secure for a number of reasons. For the IT team, they may represent a blind spot: How many devices are there? Where are they? What do they do? What do normal communications look like? Because many use wireless communication protocols such as Wi-Fi, Bluetooth or Zigbee, these devices may exist outside the scope of traditional network security management tools.

Patching can be challenging. Many IoMT devices rely on the manufacturer to implement patches or require extreme manual effort if they use embedded real-time operating systems. And, of course, many devices simply can’t be taken down for patching. Activities must be planned to avoid increasing patient risk.

5 Steps Toward IoMT Device Security

Securing IoMT devices calls for some traditional steps and others that are specific to the healthcare industry and its devices. Taking into consideration the unique aspects of IoMT devices, here are five recommendations for safeguarding them:

  1. Take an inventory of devices running on the network. IT teams should know where they are, the operating systems they are running and their network statuses. Medical device discovery tools can take an inventory and perform a security assessment, finding devices that are potentially vulnerable to cybersecurity attacks. Inventory should include the hardware, software and firmware levels, and the patch management process for each, noting those that are highly vulnerable. Include IoMT devices in regular penetration testing.
  2. Strengthen device passwords. All too often, healthcare organizations bring IoMT devices online without changing factory-default usernames and passwords, with deadly consequences. The Mirai botnet launched the biggest distributed denial of service attack ever seen, simply by connecting to IoT devices via default passwords. Healthcare IT teams should require strong passwords or passphrases and consider using two-factor authentication for the most critical devices. Organizations should allow devices to see and access only what they need to do their jobs.
  3. Enforce segmentation controls and increased network hygiene. This involves putting parts of the network into different zones or subnetworks, each of which can have customized security policies based on the devices and their users. For example, to mitigate NAME:WRECK, security experts recommend limiting the network exposure of critical vulnerable devices by segmenting them from other areas of the network. Some organizations segment their IoT networks from their IT networks altogether.
  4. Stay on top of known and released patches, especially for highly vulnerable devices. Organizations should prioritize and schedule the application of patches to maximize the effect while reducing the impact. Where they can’t patch, organizations should isolate devices from the network. Check for nonsecure or outdated software and firmware. If updates are available, make sure the patching processes are secure.
  5. Actively monitor network traffic for malicious packets. Scans should look for those trying to exploit vulnerabilities as well as those that could affect DNS and other network services. Intrusion detection/prevention systems can play a role here, as can anti-malware systems and firewalls. Where possible, use machine learning–based systems to establish a baseline of normal behavior and stop anomalous behavior that could indicate an attack.
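
The inventory from step 1 and the baseline of normal behavior from step 5 can be combined into one check, shown here as an added example that is not part of the original article. It uses a static per-device allowlist learned from a known-good window instead of a machine learning system, and every address, device type and flow record in it is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article): device inventory and flow records.
INVENTORY = {
    "10.20.1.11": {"type": "infusion-pump", "zone": "iomt-clinical"},
    "10.20.1.12": {"type": "patient-monitor", "zone": "iomt-clinical"},
}
# (src, dst, dst_port, proto) observed during a known-good learning window.
BASELINE_FLOWS = [
    ("10.20.1.11", "10.20.9.5", 443, "tcp"),
    ("10.20.1.11", "10.20.9.53", 53, "udp"),
    ("10.20.1.12", "10.20.9.6", 2575, "tcp"),
    ("10.20.1.12", "10.20.9.53", 53, "udp"),
]
LIVE_FLOWS = [
    ("10.20.1.11", "10.20.9.5", 443, "tcp"),    # matches the baseline
    ("10.20.1.11", "203.0.113.7", 53, "udp"),   # DNS sent to a resolver never seen before
    ("10.20.1.12", "10.20.1.11", 23, "tcp"),    # device-to-device traffic inside the zone
    ("10.20.1.99", "10.20.9.5", 443, "tcp"),    # source address missing from the inventory
]

def build_baseline(flows):
    """Map each device to the set of (dst, port, proto) tuples it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return baseline

def review(flows, baseline, inventory):
    """Return (reason, flow) findings for flows that break the inventory or baseline."""
    findings = []
    for flow in flows:
        src, dst, port, proto = flow
        if src not in inventory:
            findings.append(("uninventoried-device", flow))
        elif (dst, port, proto) not in baseline[src]:
            # Resolvers this device used during the learning window.
            resolvers = {d for d, p, _ in baseline[src] if p == 53}
            is_new_resolver = port == 53 and dst not in resolvers
            findings.append(("unapproved-dns-resolver" if is_new_resolver else "new-peer", flow))
    return findings

if __name__ == "__main__":
    for reason, flow in review(LIVE_FLOWS, build_baseline(BASELINE_FLOWS), INVENTORY):
        print(reason, flow)
```

The same per-device allowlist can serve as a starting point for the zone rules in step 3, since each entry names a destination the device is known to need.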

Stay on Top of IoMT Device Security

IoMT devices represent an attractive target. Medical records contain information that can be used for identity theft, making them more valuable to cybercriminals than other types of records. In fact, the resale price for a healthcare record is 50 times that of the next-closest record type: stolen credit cards.

IoMT devices have become ubiquitous in healthcare organizations, with impressive results, but IT professionals must prioritize their security. Basic network hygiene can go a long way toward reducing the risk they bring, as can patching, network isolation and vigilant monitoring of network traffic. IoMT devices no longer have to suffer from security issues if organizations rein in the risks today.
