IoT/IoMT cybersecurity in a challenging environment
Increasing connectivity and interoperability between devices and healthcare IT systems also expands security risks, as criminals look to exploit vulnerabilities and gain access to sensitive health and personal data. Recent federal legislative efforts to standardize medical device security may be a step in the right direction, but they do little to address legacy devices still in use. Healthcare organizations (HCOs), medical device manufacturers (MDMs), and IT/security managers face the collaborative task of improving system and IoMT (internet of medical things) cybersecurity, including updating, replacing, or isolating devices and systems to minimize risk and limit the damage a cyberattack can do.
IoT and IoMT explosion
In 2021, 3.2 million IoMT (internet of medical things) devices were put into service globally, according to Juniper Research. The biggest adopters of IoMT devices have been China (41%) and the United States (21%). The market analyst firm estimates that 7.4 million such devices will be deployed annually by 2026, almost 4,000 devices per “smart” hospital.
However, IoMT figures cover only medical devices and software, as well as the technologies and systems that help connect and run them. There is also a skyrocketing number of personal devices, which fall under the category of IoT (internet of things), including smartphones, tablets, computers, smart watches, health trackers and other wearables, as well as the underlying software.
The number of IoT devices worldwide is expected to reach 16.7 million by the end of 2023, according to IoT Analytics.
Connected IoT in “smart” healthcare facilities also includes the building systems and technologies used to manage and monitor security, climate, and lighting, as well as elevators and labs.
Device decisions: Improve security, minimize risks
As in other areas of cybersecurity, devices need to keep up with the latest techniques and capabilities of attackers. A large part of this requirement is installing regular security updates and patches from device manufacturers. For newer devices, patches and updates may be released consistently and in a timely manner, but older, legacy devices might receive inconsistent patches or none at all, and the patches that are available often have not been installed.
In September 2022, the FBI reported identifying increased vulnerabilities posed by unpatched medical devices that are running on outdated software and lack sufficient security features. The agency warned medical devices such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps are susceptible to cyberattacks. There are at least six vulnerabilities per medical device, it noted, with 40% of devices at end-of-life stages having little or no security patches or updates.
A widely reported 2022 analysis of scan data revealed 75% of hospital infusion pumps in production still had critical vulnerabilities that were more than 5 years old.
The Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act) gave the FDA authority over medical device cybersecurity. However, the new requirements under the law are not retroactive: only device submissions made from March 29, 2023 onward, 90 days after the law took effect, are required to comply, so legacy medical devices are not subject to the law and the subsequent FDA requirements.
To address legacy device vulnerabilities, providers will need to work closely with MDM and clinical engineering maintenance vendors to establish sufficient cybersecurity requirements and negotiate agreements that provide some of the improved cyber posture the PATCH Act seeks moving forward.
To better manage security vulnerabilities over time, healthcare technology leaders, including clinical and security teams, are wise to reach out to MDMs before scheduled device maintenance windows to request patches and updates.
As the PATCH Act is still quite new, many stakeholders, including MDMs, misunderstand the responsibilities and requirements both for devices covered under the PATCH Act and for legacy medical devices. There are many resources available that outline and clarify key points of the law and the FDA requirements, and offer compliance suggestions:
- The Health Sector Coordinating Council (HSCC) guide “Health Industry Cybersecurity Managing Legacy Technology Security” (HIC-MaLTS) addresses legacy device challenges, bringing together years of work by stakeholders including MDMs, HCOs, government representatives, health IT companies, independent service organizations, and security consultancies.
- FDA Fact Sheet on its role in medical device cybersecurity highlights and dispels common myths, such as “cybersecurity for medical devices is optional,” and “MDMs can’t update medical devices for cybersecurity.”
- FDA’s Cybersecurity page, which offers news, tips, and guidance on cybersecurity for MDMs and other stakeholders.
HCOs face tough decisions on what to do with current security-challenged medical devices. Many legacy devices and technologies have narrow design parameters and lack the hardware and storage capabilities for newer upgrades, patches, and operating systems. Remediating these devices may be limited by contract and service flexibility and availability, as well as cost margins. Some MDMs may prefer to sell HCOs new, expensive devices and technologies even if the current equipment is functioning properly and still has many years left on an amortization schedule.
When neither updating nor replacing is the right answer, a provider can isolate the problematic device or system through network segmentation, using hardware firewalls, VLANs, or a software-defined perimeter (SDP). This approach reduces both the likelihood and the severity of a cyberattack. Segmentation can be either macro, where devices on the isolated segment can communicate with each other but not with those outside the segment, or micro, where each device has its own security zone.
At a time when many hospitals and health systems are dealing with tightening budgets, decisions need to be made on how to inventory and assess the cybersecurity status and potential of each connected device and system, and on what the remedy is when these technologies are behind on patches and updates. The new law and the requirements under the PATCH Act provide some guidance going forward, and there are many resources and experts available to help HCOs and their partners bring existing devices, including legacy ones, into a stronger security posture that can better protect against the evolving cyberthreats exploding across healthcare. A coordinated program involving clinical engineering, facilities, IT/security teams, and MDMs may be the best way for HCOs to identify and manage risks from IoT/IoMT devices and systems and stay on top of the latest cybersecurity developments.
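The two decisions the article describes, which remediation each inventoried device needs (update, replace, or isolate) and whether a given flow is permitted under macro- versus micro-segmentation, can be modelled in a few lines. The following is an added example and is not code from the original article or from any vendor; the device inventory, segment names, and allow rules are constructed sample data, and the `triage` and `flow_allowed` rules are illustrative policy, not a standard.

```python
"""Added example (not from the original article): a toy remediation-triage
and segmentation-policy model for an IoMT inventory.

All devices, segments and allow rules below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    segment: str          # VLAN / zone label the device sits on (constructed)
    end_of_life: bool     # vendor no longer ships patches for this model
    pending_patches: int  # patches released by the MDM but not yet installed
    upgradable: bool      # hardware/storage can take current OS and patches


def triage(d: Device) -> str:
    """Map a device to one of: 'update', 'replace-or-isolate', 'isolate', 'ok'.

    Illustrative rule set (an assumption of this example): an end-of-life
    device will never receive patches, so it is contained while it stays in
    service; a device with pending patches is updated if it can take them,
    otherwise it must be replaced or isolated.
    """
    if d.end_of_life:
        return "isolate"
    if d.pending_patches > 0:
        return "update" if d.upgradable else "replace-or-isolate"
    return "ok"


@dataclass
class SegmentationPolicy:
    mode: str                                   # "macro" or "micro"
    allow: set = field(default_factory=set)     # explicit (src, dst) exceptions


def flow_allowed(policy: SegmentationPolicy, src: Device, dst: Device) -> bool:
    """Decide whether src may talk to dst under the policy.

    macro: devices on the same segment may communicate; anything crossing a
           segment boundary is denied unless explicitly allowed.
    micro: every device is its own zone, so only explicit allow rules pass.
    """
    if (src.name, dst.name) in policy.allow:
        return True
    if policy.mode == "macro":
        return src.segment == dst.segment
    if policy.mode == "micro":
        return False
    raise ValueError(f"unknown segmentation mode {policy.mode!r}")


# Constructed sample inventory (names and segments are placeholders).
INVENTORY = [
    Device("infusion-pump-01", "legacy-iomt", end_of_life=True,  pending_patches=0, upgradable=False),
    Device("patient-monitor-02", "clinical",  end_of_life=False, pending_patches=3, upgradable=True),
    Device("telemetry-03", "legacy-iomt",     end_of_life=False, pending_patches=2, upgradable=False),
    Device("ehr-gateway", "it-core",          end_of_life=False, pending_patches=0, upgradable=True),
]
BY_NAME = {d.name: d for d in INVENTORY}


def triage_report(inventory=INVENTORY) -> dict:
    """Return {device name: remediation decision} for the whole inventory."""
    return {d.name: triage(d) for d in inventory}


def isolation_candidates(inventory=INVENTORY) -> list:
    """Names of devices whose decision involves isolation, sorted for stability."""
    return sorted(n for n, v in triage_report(inventory).items() if "isolate" in v)


if __name__ == "__main__":
    for name, decision in triage_report().items():
        print(f"{name:20s} -> {decision}")
    macro = SegmentationPolicy("macro")
    micro = SegmentationPolicy("micro", allow={("infusion-pump-01", "ehr-gateway")})
    pump, tele, ehr = BY_NAME["infusion-pump-01"], BY_NAME["telemetry-03"], BY_NAME["ehr-gateway"]
    print("macro pump->telemetry:", flow_allowed(macro, pump, tele))   # same segment
    print("macro pump->ehr     :", flow_allowed(macro, pump, ehr))     # crosses segment
    print("micro pump->telemetry:", flow_allowed(micro, pump, tele))   # no explicit rule
    print("micro pump->ehr     :", flow_allowed(micro, pump, ehr))     # explicit exception
```

The contrast worth noticing is in `flow_allowed`: under macro-segmentation the legacy pump and the legacy telemetry unit can still reach each other because they share a segment, so a compromise of one exposes the other; under micro-segmentation nothing is implicit and every permitted flow has to appear in the allow list, which is also what makes the policy auditable.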
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security for healthcare organizations with the world’s most advanced cloud-native platform for protecting critical areas of risk — endpoints and cloud workloads, identity and data.
Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.
Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.
CrowdStrike: We stop breaches.