Technology and IoT tools and devices have penetrated deeply into the healthcare industry. Wearables and stand-alone medical devices that use advanced technology to handle patient information have triggered the boom of the Internet of Medical Things, or IoMT. The capabilities of IoMT have improved the accuracy of diagnoses, reduced human mistakes, and lowered the cost of care. As the number of connected devices has grown, IoMT has created a network of automated smart devices that efficiently generate, collect, analyze, and transmit health data, both inside healthcare facilities and to remote locations. Reflecting their role in reshaping the industry, a report from the Deloitte Center for Health Solutions estimates that the Internet of Medical Things (IoMT) market will reach USD 158.1 billion by 2022.
Realizing the potential of medical IoT, healthcare and technology companies have started partnering with technology giants to introduce effective IoMT products and services. Leaders in the healthcare industry, including Medtronic and Philips, have been partnering with companies such as Apple, Qualcomm, IBM, and Cisco to create IoMT applications.
As IoMT becomes mainstream, MedTech OEMs and CIOs have expressed concern over medical device security. The healthcare industry was already prone to cyberattacks, and the proliferation of IoT devices has made patient data even more exposed to cyber threats. It is also important to note that the number of cyberattacks on the healthcare industry increased sharply during the COVID-19 pandemic. According to the 2021 SonicWall Cyber Threat Report, the number of ransomware attempts against the healthcare industry increased by 123% in 2020!
Reasons behind IoMT vulnerability
Unlike other IT assets, IoMT devices are not fully secure, partly because they rely on complex communication protocols that are specific to the healthcare industry.
Some examples of highly vulnerable medical IoT devices and practices are:
- Wireless vital-sign monitoring devices that transfer data such as blood sugar levels, heart rate, or other vitals to the physicians’ records over unencrypted networks.
- Implantable cardiac devices such as pacemakers are prone to denial-of-service attacks that pose high risks to patients.
- IoT-controlled infusion and insulin pumps can be disrupted by exploiting the connectivity capabilities of these devices.
The traditional cybersecurity approach is still reactive, leading to severe security lapses in IoMT. These lapses can shut down hospital operations, directly risking patient safety and causing financial losses. Some of the other reasons why the majority of medical device vulnerabilities go undetected are:
- Insufficient cybersecurity controls
- Incomplete risk assessment
- Lack of access control policies and compliance for supporting device integration
- Lack of strong in-house research expertise for clinical and medical vulnerabilities
Mitigating cybersecurity risks
Frost & Sullivan notes that security deployments for medical devices and clinical assets can benefit further from the addition of AI-based contextual monitoring solutions. These solutions would detect, prevent, and mitigate risks through a proactive approach with full visibility of the entire network of medical devices and assets. Here are some of the suggestions offered as part of the Department of Health and Human Services (HHS) cybersecurity program to mitigate risks associated with IoMT:
- Identify known and potential vulnerabilities across all devices
- Initiate micro-segmentation
- Maintain existing network assets and infrastructure
- Establish manageable and realistic network security parameters
Since many key stakeholders do not have a strong understanding of the cybersecurity risks within their organization, the FDA has stepped in to take preventive measures and lay down guidelines that will prepare companies for attacks. The FDA’s premarket and postmarket guidance on the management of cybersecurity for medical devices offers manufacturers some clarity on handling evolving cybersecurity issues. The FDA and the European Union Agency for Network and Information Security (ENISA) have also offered guidance on the implementation and security considerations needed for interoperable medical devices. Recently, IoMT firms have started to enter into strategic partnerships with cybersecurity firms to improve the privacy and protection of patient data. For instance:
- IoMT cybersecurity company Ordr announced its partnership with Fortinet, a cybersecurity solutions provider. The partnership will focus on implementing advanced cybersecurity solutions across IoMT devices on the network.
- To address industry-wide cybersecurity challenges, Armis®, an agentless device protection platform, has partnered with Viakoo®, a pioneer in automated IoT cyber hygiene.
While healthcare regulators acknowledge that cybersecurity threats cannot be completely eliminated, MedTech companies need to adopt a ‘security by design’ approach that includes real-time monitoring, threat mitigation, cyber threat modeling and analysis, and remediation. To build up defenses against outside threats, IT leaders must manage their network of devices with a holistic approach that focuses on three aspects: visibility, monitoring, and segmentation.
- Create network visibility to build a strong security defense, using Deep Packet Inspection (DPI) technology to evaluate traffic and flag any protocol non-compliance.
- Effectively monitor devices to gain insights that help detect anomalies and prevent data exfiltration.
- Segment devices to contain the repercussions of a cyberattack on any one device.
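As an added illustration of how these three aspects translate into a concrete control (example code written for this post, not a GAVS product or any vendor's implementation), the following Python script audits constructed flow records from the device classes mentioned above (vital-sign monitors, infusion pumps) against a hypothetical per-class segmentation policy. It flags devices with no known class (a visibility gap), traffic leaving the device's permitted segment, patient data sent over cleartext ports, and byte volumes that exceed what the class should ever send (a simple exfiltration check). All policy values, device names and addresses are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical segmentation policy: each device class may only reach the listed
# clinical networks on the listed ports, and should never move more than
# max_bytes in one observation window. Values are constructed for this example.
POLICY = {
    "vitals_monitor": {"dst_nets": ["10.20.0.0/16"], "ports": {443}, "max_bytes": 2_000_000},
    "infusion_pump":  {"dst_nets": ["10.30.1.0/24"], "ports": {443, 8443}, "max_bytes": 200_000},
}
CLEARTEXT_PORTS = {21, 23, 80}  # services that would carry vitals unencrypted

def check_flow(flow):
    """Return the policy findings for one flow record (empty list if compliant)."""
    rules = POLICY.get(flow["cls"])
    if rules is None:
        return ["unknown-device-class"]          # visibility gap: unclassified asset
    findings = []
    dst = ipaddress.ip_address(flow["dst"])
    if not any(dst in ipaddress.ip_network(n) for n in rules["dst_nets"]):
        findings.append("segmentation-violation")  # device talking outside its segment
    if flow["port"] in CLEARTEXT_PORTS:
        findings.append("cleartext-transport")     # patient data on an unencrypted channel
    elif flow["port"] not in rules["ports"]:
        findings.append("unexpected-port")
    return findings

def check_volume(flows):
    """Return device ids whose total bytes exceed their class limit (possible exfiltration)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["dev"], f["cls"])] += f["bytes"]
    return sorted(dev for (dev, cls), n in totals.items()
                  if cls in POLICY and n > POLICY[cls]["max_bytes"])

def audit(flows):
    """Return (device id, findings) for every non-compliant flow."""
    return [(f["dev"], check_flow(f)) for f in flows if check_flow(f)]

# Constructed flow records (not real traffic).
FLOWS = [
    {"dev": "vm-01",   "cls": "vitals_monitor", "dst": "10.20.5.10",   "port": 443,  "bytes": 120_000},
    {"dev": "vm-02",   "cls": "vitals_monitor", "dst": "10.20.5.10",   "port": 80,   "bytes": 90_000},
    {"dev": "pump-07", "cls": "infusion_pump",  "dst": "203.0.113.44", "port": 443,  "bytes": 150_000},
    {"dev": "pump-07", "cls": "infusion_pump",  "dst": "10.30.1.8",    "port": 8443, "bytes": 100_000},
    {"dev": "cam-03",  "cls": "unknown",        "dst": "10.20.5.10",   "port": 443,  "bytes": 1_000},
]

if __name__ == "__main__":
    for dev, findings in audit(FLOWS):
        print(dev, findings)
    print("volume alerts:", check_volume(FLOWS))
```

In a real deployment the flow records would come from a DPI or NetFlow sensor and the policy from the asset inventory; the checks themselves stay the same.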
The Future of IoT and Cybersecurity
The growth rate of medical IoT is exponential, owing largely to its ability to deliver advanced patient engagement, among other healthcare services. Nonetheless, there are significant security concerns associated with it. Healthcare IT leaders and CISOs should know which of their IoT devices are most vulnerable and tackle the situation with a coordinated strategy to detect and respond to cyberattacks on medical devices.
GAVS offers various cybersecurity services such as assessment and advisory services, security operations, digital identity services, security project implementation, DevSecOps, cloud security, and medical device security. For more on these offerings, please visit https://www.gavstech.com/service/security-services/.