How to stay ahead of cyber threats to IoMT devices

Healthcare IT executives can take steps today to help organizations minimize medical device risks as they emerge.


Recent years have seen dramatic growth in the use of connected medical devices, collectively called the internet of medical things. From MRIs to heart monitors to insulin pumps, medical devices are increasingly communicating with each other, with networked hospital systems, with electronic medical record operations and with other agents via the internet.

U.S. hospitals are already using an average of 10 to 15 connected medical devices per bed. In total, Forbes reports, some 3.7 million connected devices are in use today. By 2020, there will be 20 billion to 30 billion such devices in use, according to a projection from Frost & Sullivan.

The rapid uptake of these technologies is not surprising: device connectedness has the potential to transform medicine by allowing for better patient and health monitoring. But along with IoMT’s transformative potential comes a host of new cybersecurity risks. By virtue of their connectivity (for example, trusted internal network access), these devices are exposed to the larger IT environment. The FDA has reported that an average of 164 cyber threats are detected per thousand IoMT devices. Vulnerabilities are multiplying as more IoMT devices are being granted authorized-user access to hospital networks.

Yet the specific threats associated with IoMT are often difficult to resolve. Many of the connected medical devices in use today were designed and built 15 to 20 years ago, when information security was not a primary concern. In many cases, the software on these devices cannot be easily patched or updated.

This inflexibility is not altogether surprising, as these devices are intimately linked to human lives. Their designers are focused on ensuring the units do not compromise patient safety or impede hospital-network flows, and on obtaining FDA approval for use. As a result, IoMT device vendors are reluctant to make changes or add security tools to their devices. The resulting lack of monitoring data makes security holes more likely when these specialized devices are hooked to larger networks.

What are the best ways to manage your IoMT cybersecurity risks? The specific measures we recommend can be organized into four general steps: understand, design, implement and govern.

Understand the existing IoMT environment
  • Consult with biomed and/or clinical engineering departments and review their device inventories for completeness. These teams often have access to useful control tools such as barcodes and software update histories.
  • Triage the most business-critical, high-risk IoMT devices by identifying the devices that collect protected health information or connect to the hospital network.
  • Assess the security of high-risk IoMT by conducting vulnerability scans, doing physical walkthroughs and determining IoMT security capabilities.
  • Educate yourselves on how data is created, shared, stored, backed up and deleted on IoMT devices.
  • Collect device information from manufacturers by requesting a HIMSS Manufacturer Disclosure Statement for Medical Device Security (MDS2) for each high-risk device. This standardized questionnaire summarizes the security capabilities available on a given IoMT device, how it is connected, what protocols it uses and how it stores and/or deletes data. If an MDS2 is not available for a given device, push the manufacturer to complete one. The forms are freely available online.
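
The inventory review, triage and MDS2 follow-up described in this list can be run as one reconciliation pass. The sketch below is an added example, not part of the original article; the CSV column names, asset tags and MAC addresses are constructed, and it assumes the biomed export and the network team's list of observed devices can be joined on MAC address.

```python
import csv
import io

# Constructed sample data: a biomed inventory export (hypothetical columns)
# and the MAC addresses the network team has actually observed.
BIOMED_INVENTORY = """asset_tag,mac,model,stores_phi,on_hospital_network,mds2_on_file
BM-0001,00:11:22:aa:bb:01,infusion pump,no,yes,yes
BM-0002,00:11:22:aa:bb:02,patient monitor,yes,yes,no
BM-0003,00:11:22:aa:bb:03,MRI console,yes,yes,yes
BM-0004,00:11:22:aa:bb:04,glucose meter,yes,no,no
BM-0005,00:11:22:aa:bb:05,bed scale,no,no,no
"""
NETWORK_SEEN_MACS = ["00:11:22:AA:BB:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:99"]


def _yes(value):
    return value.strip().lower() == "yes"


def triage(inventory_csv, seen_macs):
    """Return (high_risk, missing_mds2, unknown_on_network, not_seen)."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    listed = {r["mac"].strip().lower() for r in rows}
    seen = {m.strip().lower() for m in seen_macs}

    # High risk per the triage rule above: collects PHI or connects to the network.
    high_risk = [r["asset_tag"] for r in rows
                 if _yes(r["stores_phi"]) or _yes(r["on_hospital_network"])]
    # High-risk devices with no MDS2 on file: request one from the manufacturer.
    missing_mds2 = [r["asset_tag"] for r in rows
                    if r["asset_tag"] in high_risk and not _yes(r["mds2_on_file"])]
    # Completeness gap: devices on the wire that the inventory does not list.
    unknown_on_network = sorted(seen - listed)
    # Listed as networked but never observed: moved, retired or disconnected.
    not_seen = [r["asset_tag"] for r in rows
                if _yes(r["on_hospital_network"]) and r["mac"].strip().lower() not in seen]
    return high_risk, missing_mds2, unknown_on_network, not_seen


if __name__ == "__main__":
    labels = ("high risk", "missing MDS2", "unknown on network", "not seen")
    for label, items in zip(labels, triage(BIOMED_INVENTORY, NETWORK_SEEN_MACS)):
        print(f"{label}: {items}")
```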

Design an IoMT security program
  • Limit the data collected and stored on IoMT devices and anonymize stored information whenever possible.
  • Limit IoMT devices’ access to networks. Consider whitelisting rather than just blocking access or segmenting networks.
  • Assess the IoMT authorization processes—how these devices gain access to your networks and other systems—and examine how they can be made more secure.
  • Develop, or incorporate IoMT into, an “event and incident response” protocol at the organization, and practice how to handle various scenarios. What would be your first steps after a breach is detected? If a device suddenly disappeared from your network—perhaps after being physically disconnected—how would you track it down and recover any data it contained?
  • Reinforce basic cyber hygiene by changing default passwords and enabling port security, and seek to implement technical defenses, such as event auditing, auto-logoff and encryption, wherever available.
  • Set up physical defenses, such as cable locks and barcode tracking. The biomed department may already have these capabilities, which can then be standardized across the IoMT environment.
  • Manage ongoing changes to IoMT devices, such as software patches. Here, the key is developing relationships with manufacturers and vendors. Organizations having these conversations are better positioned to push for new vulnerabilities to be patched as soon as possible. As a fallback, consider installing an independent behavioral anomaly-based network solution, such as Cisco ISE, that can detect software vulnerabilities immediately.

Implement strong technical security measures for the IoMT environment
  • Use internal network segmentation. Consider isolating unpatched medical devices using a VLAN.
  • Use firewalls and an intrusion prevention system (IPS).
  • Encrypt data, both in transit and at rest. Implementing encryption may require working with vendors and manufacturers; ideally, you will have been having those conversations already.
  • Require authentication to move data between the IoMT devices themselves.
  • Collect IoMT event data (audit logs) and submit this data for security information and event management.
  • Correlate the IoMT event data to a predictive behavior model to enhance anomaly detection.
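
The whitelisting recommendation in the design step and the event-data collection above meet in one check: compare each observed flow against what the device is expected to do. The following is an added example, not part of the original article; the addresses, allowlist entries and flow-record format are constructed, and it is a static allowlist comparison rather than a predictive behavior model.

```python
import ipaddress

# Hypothetical per-device allowlist: device IP -> permitted (network, protocol, port).
ALLOWLIST = {
    "10.20.1.11": [("10.10.5.20/32", "tcp", 2575),  # HL7 interface engine (constructed)
                   ("10.10.5.0/24", "udp", 123)],   # NTP servers (constructed)
    "10.20.1.12": [("10.10.6.30/32", "tcp", 104)],  # DICOM archive (constructed)
}

# Constructed flow records in the form "src dst proto dport".
FLOWS = """\
10.20.1.11 10.10.5.20 tcp 2575
10.20.1.11 10.10.5.7 udp 123
10.20.1.11 203.0.113.50 tcp 443
10.20.1.12 10.10.6.30 tcp 104
10.20.1.12 10.20.1.11 tcp 445
10.20.1.77 10.10.5.20 tcp 2575
"""


def parse_flow(line):
    src, dst, proto, dport = line.split()
    return src, ipaddress.ip_address(dst), proto.lower(), int(dport)


def is_allowed(src, dst, proto, dport, allowlist):
    # Default deny: a device with no allowlist entry matches nothing.
    for net, a_proto, a_port in allowlist.get(src, []):
        if dst in ipaddress.ip_network(net) and proto == a_proto and dport == a_port:
            return True
    return False


def violations(flow_text, allowlist):
    """Return flows that fall outside the allowlist, with a reason for triage."""
    found = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        if not is_allowed(src, dst, proto, dport, allowlist):
            reason = ("unlisted device" if src not in allowlist
                      else "destination not allowlisted")
            found.append((src, str(dst), proto, dport, reason))
    return found


if __name__ == "__main__":
    for v in violations(FLOWS, ALLOWLIST):
        print(v)
```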

Govern IoMT risks in collaboration with business owners
  • Establish a cross-functional team (IT, biomed, security, clinical operations, procurement, finance) that is specifically focused on managing IoMT risks and their business impact.
  • Develop a process for the team to review its assessments of IoMT risks and security capabilities, ensuring that these assessments remain up-to-date.
  • Reassess security vulnerabilities periodically, ideally every quarter, but at least semi-annually.
  • Review vendor/manufacturer security configuration capabilities at least once a year.
  • Include a security review during procurement of IoMT devices. Security requirements must be taken into account when evaluating future purchases. MDS2, discussed above, can be leveraged in communications with vendors and manufacturers.
  • Include a security review when decommissioning IoMT devices to ensure that stored data is properly deleted or destroyed.

IoMT technologies are swiftly moving into the heart of clinical medicine. Managing the associated cybersecurity risks will soon be a core responsibility of medical facility administrators. Measures that can be taken today can help organizations stay ahead of IoMT risks as they emerge.
