Jul 21 2022

Securing the Internet of Medical Things

The “black box” nature of most connected gear in a healthcare setting has made securing IoMT devices against threats increasingly difficult.

What’s the Best Network Architecture for IoMT?

To secure Internet of Medical Things devices, the basic requirement is isolation: separating each device as much as possible from others. Ideally, each device would be on a separate microsegment with some type of firewall controlling all access in and out.

For larger hospitals, or smaller IT teams, this can be unrealistically complicated. Intermediate options, such as placing devices into firewalled network segments based on device vendor or security and risk profile, are more manageable. 

In high-density areas such as nurse’s stations or patient rooms, IT teams can deploy smart switches to the very edge of the network so that port-based virtual LANs can be used to segment devices. However, requiring a particular device to be plugged into a particular port will always be an issue if users other than IT staff have any opportunity to touch the equipment. In such cases, more sophisticated systems such as switch-enforced network access control or media access control address prefix mapping will deliver better security while compensating for the reality of a clinical setting.

Click the banner below for access to exclusive HealthTech content and a customized experience.

How Do I Handle Wi-Fi Security with IoMT?

IT teams can’t have a single IoT Wi-Fi service set identifier. Typically, multiple Wi-Fi SSIDs are needed to accommodate different device types and different risk or security profiles. Because each device may have different capabilities for wireless security, such as WPA2 personal or WPA3 enterprise, the requirement to update each device periodically is a huge burden.  

IT teams should insist on complete control and thorough documentation for configuring Wi-Fi on every type of IoMT device and must then maintain these wireless configurations through password and certificate changes. 

What’s the Best Approach to Mitigating Threats to IoMT?

IoMT devices can’t be trusted like other managed servers or clients, even if they are running on some version of Windows or Linux. 

IT teams should assume that IoMT devices have weak security and are easy targets for compromise and treat each device accordingly — unless vendors are able to prove otherwise, and a track record shows that additional trust is warranted. 

DISCOVER: How the future of smart hospital strategy brings care to the home.

What Firewall Configuration Is Appropriate for IoMT Devices?

IoMT devices should start with a “block out, block in” security policy on firewalls. IT teams should then add the minimum set of tightly defined rules to allow traffic required for device operation. 

Next, IT teams should carefully monitor firewall logs to see if outbound traffic is being blocked, which means a firewall or device is misconfigured. These blocks should be investigated, documented and resolved. Finally, each outbound or inbound rule should be monitored to verify that it is being used. Any rules that never see traffic should be disabled and reverified.

How Do You Reconcile Regulatory Issues with Patching Requirements?

Tightly regulated industries such as healthcare are often caught in the middle between open-source security patches and a “black box” IoMT appliance for which software patches may lag or be completely unavailable for years after deployment. Using strict firewall policies along with firewall unified threat management services (such as an intrusion prevention system to block suspicious traffic) will act as “virtual patching” that can bridge the gap and mitigate security threats.

UP NEXT: 5 steps to secure Internet of Medical Things devices.

Getty Images: Elena Chelysheva (Bees), Macrovector (isometric icons)

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.