Zero Trust Stands as a Secure Foundation for Healthcare’s IoMT Devices

Why Legacy Devices Persist in Healthcare

Beyond the vulnerabilities inherent to all IoT technologies, connected medical devices create new risks, not only for patients who rely on them but also for the systems they connect to when transmitting sensitive patient data. Frequently, unpatched software and firmware only heighten the risk.

“Historically, medical device manufacturers were reluctant to upgrade system software because doing so triggered expensive safety and performance review clearance processes,” says Lynne Dunbrack, IDC group vice president for public sector.

The FDA, which approves medical devices, echoes those concerns: Outdated devices “can pose significant risks to the healthcare sector,” says Jessica Wilkerson, senior cyber policy adviser and medical device cybersecurity team lead for the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “Legacy devices were legally put on the market and may still be broadly in use. However, cybersecurity controls that may have been effective at their point of purchase may no longer be adequate now.”

The Government Accountability Office has asked the FDA to update an agreement with the Cybersecurity and Infrastructure Security Agency to ensure more effective coordination on cybersecurity and the security of medical devices.

DISCOVER: Implement zero trust without disrupting clinical workflows.

Proactive Medical Device Security Starts with Zero Trust

“Each connected device offers a different pathway, or potential pathway, for malicious actors to either access patient data or disrupt healthcare operations,” Pearson says.

The sheer scale of IoMT device use adds additional layers of complexity: “A typical 500-bed hospital has more than 100,000 connected medical devices to secure and manage,” Dunbrack says. “Haphazard security patching, lack of system hardening, hard-coded or default passwords and embedded operating systems that are no longer supported” only compound the problem if standard, common-sense security practices are not followed.

Securing the devices is no small challenge, particularly given the variety of software individual devices might run, not to mention hardware limitations and communication protocols, Pearson says. That is why VA takes a proactive approach to medical device security, she says, beginning with a zero-trust framework.

“We’ve moved beyond protecting the perimeter to employ multiple tools and technologies across our network,” Pearson says, including a network access control solution to manage endpoints as well as user and device access to network resources.

“This solution helps with fingerprinting for IoT devices. It helps us identify and gain visibility into what devices are on our network and what resources they can access, and allows us to proactively limit network traffic for unauthorized and unknown devices,” she says.

VA also uses a data protection strategy that relies on encryption at rest and in transit, she adds. That data, in turn, supports other defensive tools.

“We look at integrating IoT device data with vulnerability assessments, endpoint security and device compliance, as well as with organizational policies” to not only identify vulnerabilities but also understand what can be detected, Pearson says.

Evolving Security by Mixing Technologies

Large healthcare organizations typically turn a range of technologies available to secure connected medical devices. For example, Palo Alto Networks Medical IoT Security is specifically designed to protect critical connected medical devices, while integration with Palo Alto Networks’ Next-Generation Firewalls and Prisma Access offers highly granular policy enforcement. Cisco offers several solutions that can secure medical devices by identifying all devices entering a network and then segmenting the network to protect those devices — and medical records — from threats. Cisco’s Medical Network Access Control helps hospitals detect threats through behavior monitoring.

VA looks to a broad mix of technologies and evolving approaches to security while also relying on tried-and-true protections such as next-generation firewalls and cloud access security brokers, “things that help align to zero trust and more granular access controls,” Pearson says. “When we provide that secure access to specific applications, we leverage that at a granular level for device authentication and authorization. That allows us to minimize that blast radius for our fragile devices.”

EXPLORE: Zero trust supports cyber resilience for healthcare organizations.

Threat Modeling Helps Pinpoint Security Objectives

The FDA encourages an all-hands approach to medical device security.

“The healthcare environment is complex, and manufacturers, hospitals and facilities must work together to manage cybersecurity risks,” Wilkerson says.

Manufacturers should complete a threat model that identifies security objectives, risks and vulnerabilities across the medical device system before they define countermeasures to prevent, mitigate, monitor or respond to the effects of threats to the medical device system, she says.

The FDA has taken regulatory steps to clarify the role of device manufacturers. In spring 2024, the agency proposed updates to its guidance to medical device makers, in part to provide the FDA’s recommendations and interpretations of recent, explicit cybersecurity regulatory authority that the agency received. 

Meanwhile, healthcare providers can take their own steps to build a more secure IoT environment, starting by exploring available commercial solutions, Gartner Senior Research Director Ruggero Contu says. “There is a well-established marketplace of medical device security solutions that are specifically geared toward improving that visibility through asset discovery and monitoring healthcare networks to detect those devices,” he says.

Based on the asset data discovered, health systems can assess all risks before determining the best way to secure them; for instance, through segregation or configuration improvements, Contu says.

At VA, early intervention has allowed the agency to ensure all of the devices entering its ecosystem align with its secure-by-design approach, Pearson says. The agency has looked at ways to modify its procurement and contract services language to require assurance from providers that their products are secure.

“Security gets a little bit easier if you put all those requirements up front and make sure you understand exactly what you’re receiving,” she says. “To be able to respond to incidents, you need to understand exactly how your data is being protected, what the capabilities are, and how it’s limited.”

“Security always costs more if you try to put it at the end of a process,” she adds.

Her advice to other agencies and healthcare organizations? Work to drive stakeholder buy-in across the care delivery system.

“A lot of times, people don’t understand why security has to be in place,” she says. “We publish all of our objectives and key results to the teams, and meet regularly to discuss progress and challenges against those OKRs. We lay out a plan, and we monitor it closely, tracking how we are trending in areas that we’ve deemed critical.”

With everyone in the loop, she says, “we’ve been able to see great progress in understanding and implementing security requirements to achieve security outcomes.”