Jul 29, 2019 9:18:02 AM
How to Embrace IoMT Without Risking a Security Breach

The Internet of Medical Things (IoMT) is often heralded as the future of healthcare delivery.

It’s not entirely true.

Fact is, big data and connected devices are already deeply entrenched in thousands of hospitals, labs, and healthcare delivery organizations (HDOs) worldwide. In other words, IoMT isn’t our future - it’s our present reality.


Your doctors and nurses are already using Wi-Fi connected devices to remotely monitor and treat conditions in real time. The IoMT generates rich multitudes of data that can become part of the record automatically - giving practitioners the tools to make informed decisions and deliver precise care faster than ever.

And these innovations come at a pivotal time for the healthcare sector, with the population aging and global spending on healthcare set to hit $8.7 trillion by 2020. The expanding IoMT ecosystem will be key to streamlining care and meeting this ever-growing financial pressure.

It’s for this reason that medical device security can no longer be an afterthought. Security needs to be integrated into the design and onboarding of every single new device that comes into your organization.

Defining the Internet of Medical Things (IoMT)

Medical device manufacturers continue to push boundaries in computing and processing capabilities, producing an increasing number of connected devices that generate, collect, analyse and transmit data.

The $41.22 billion IoT healthcare market now includes everything from connected stationary devices like X-ray and MRI scanners to implanted devices like pacemakers and wearables like insulin pumps and activity trackers.

Then there’s the infrastructure that provides the platforms enabling this vast device ecosystem: Wi-Fi and Bluetooth connectivity, device management software and network security. These, too, are crucial components of the Internet of Medical Things.

The IoMT represents a significant shift from a closed system to an open one. Medical devices and electronic health records (EHR) systems that once operated on a secluded hospital Ethernet now live on open networks - allowing for greater access to the data they hold.

But with this always-on connectivity come gaps in security - gaps that often begin from the moment a new device enters the network.

The challenge of onboarding connected medical devices

You don’t have to be a security expert to have heard the concerns surrounding IoT security.

But the challenge is particularly urgent in the healthcare context, where hacked medical devices can turn from helpful to harmful in a heartbeat. Recalls of unsecure insulin pumps and pacemakers serve as a stark reminder that vulnerabilities can become a matter of life or death.

Unfortunately, only 38% of organizations take time to consult their security teams when choosing IoT solutions.

Connected medical devices need to be impeccably secure from day one. Doing it right takes significant cooperation from healthcare providers and medical device manufacturers (MDMs) alike.

1. Establish secure onboarding procedures

By now, it’s no secret that not all new medical devices enter your network with an official welcome.

In fact, unknown and unmanaged endpoints can account for over two-thirds of all endpoints on a healthcare organization's network.

Medical device vendors are known to offer clinicians equipment on a trial basis to help get their products into the field. These ‘underground’ devices might not go on the record until months later - usually, when an invoice arrives.

When a connected device bypasses your organization’s regular risk assessment process - whether it’s a tiny wearable or a stationary scanner - it introduces even more opportunities for attack.

Committing to IoMT security means that no new device should come under your roof unless it has been properly scrutinized.

2. Hold medical device manufacturers accountable for security

Preventing healthcare breaches starts with taking proactive measures at the device design phase.

This places responsibility squarely in the hands of medical device manufacturers.

Strong security by design puts you at a huge advantage when it comes to mitigating potential threats. But many MDMs are totally out of sync when it comes to who’s accountable for device security.

Part of your job is to hold MDMs accountable for manufacturing devices that can be deployed in a safe, secure manner. This means unique digital certificates for every device, signed firmware and software, and crypto-agility, so that devices remain protected after the cryptographic algorithms they shipped with are retired.
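Two of those requirements, signed firmware and crypto-agility, are easier to picture in code. The following Go sketch is an added example, not code from this post or from any device manufacturer: the manufacturer signs a firmware image with an ECDSA P-256 key, and the device refuses both an image whose bytes no longer match the signature and a manifest naming an algorithm that has been dropped from its allow-list. The algorithm names, the allow-list and the firmware bytes are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest travels with a firmware image: the algorithm that produced the
// signature and the signature itself. Naming the algorithm explicitly is what
// makes the scheme crypto-agile: the device retires an algorithm by dropping it
// from its allow-list, and the manifest format never has to change.
type Manifest struct {
	Alg       string
	Signature []byte
}

// acceptedAlgs is the device's current allow-list (constructed names for this
// example). Anything not listed, such as a legacy "rsa1024-sha1", is rejected
// before any signature bytes are examined.
var acceptedAlgs = map[string]bool{"ecdsa-p256-sha256": true}

// NewManufacturerKey generates the signing key held by the device manufacturer.
func NewManufacturerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignFirmware hashes the image with SHA-256 and signs the digest.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) (Manifest, error) {
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Manifest{}, err
	}
	return Manifest{Alg: "ecdsa-p256-sha256", Signature: sig}, nil
}

// VerifyFirmware is the check a device runs before installing an update.
// The algorithm gate comes first so that a retired algorithm is refused
// without ever exercising its verification code.
func VerifyFirmware(pub *ecdsa.PublicKey, image []byte, m Manifest) error {
	if !acceptedAlgs[m.Alg] {
		return fmt.Errorf("algorithm %q is not accepted on this device", m.Alg)
	}
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(pub, digest[:], m.Signature) {
		return errors.New("firmware signature does not match image")
	}
	return nil
}

func main() {
	priv, err := NewManufacturerKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.2.3") // stand-in for a real image
	m, err := SignFirmware(priv, image)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image:", VerifyFirmware(&priv.PublicKey, image, m))
	image[0] ^= 0xff // flip one byte to simulate a corrupted or modified image
	fmt.Println("modified image:", VerifyFirmware(&priv.PublicKey, image, m))
	legacy := Manifest{Alg: "rsa1024-sha1", Signature: m.Signature}
	fmt.Println("retired algorithm:", VerifyFirmware(&priv.PublicKey, image, legacy))
}
```

The point of the allow-list is procurement leverage: when you ask an MDM how a device will stop trusting an algorithm that is later broken, the answer should look like a one-line change to that map, not a firmware rewrite.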

3. Continuously monitor and identify medical device behaviour

Research has shown that the mean time to identify a breach is six months - 190.7 days, to be exact.

That is ample time for an attacker to cause serious damage.

As the IoMT continues to expand, it’s becoming more critical than ever to continuously monitor the devices that call your network home. It starts with taking inventory of all the endpoints attached to your network: what they are, where they’re located, and how they should behave on the network.

This step is critical to monitoring device activity, applying software and firmware patches and purging unused or unidentified devices that could pose a risk.
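The inventory-and-baseline idea above, as an added Go example that is not part of the original post: each entry in a constructed inventory records what the device is, where it sits and which peers it is expected to talk to, and a few constructed flow-log lines are checked against it. Sources absent from the inventory surface as unmanaged endpoints; known devices reaching outside their baseline surface as behavioural deviations. The IP addresses, device names and log format are all invented for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceProfile is one inventory entry: what the device is, where it is, and
// how it is expected to behave on the network.
type DeviceProfile struct {
	Name         string
	Location     string
	AllowedPeers map[string]bool // destination host:port pairs this device may contact
}

// inventory is keyed by device IP. All values are constructed for this example.
var inventory = map[string]DeviceProfile{
	"10.20.1.15": {Name: "infusion-pump-ward3", Location: "Ward 3",
		AllowedPeers: map[string]bool{"10.20.0.5:443": true}},
	"10.20.1.22": {Name: "mri-scanner-1", Location: "Radiology",
		AllowedPeers: map[string]bool{"10.20.0.7:104": true, "10.20.0.5:443": true}},
}

// Flow is a simplified flow record: source IP and destination host:port.
type Flow struct {
	Src string
	Dst string
}

// ParseFlow reads a constructed "src -> dst:port" log line.
func ParseFlow(line string) (Flow, error) {
	parts := strings.Split(line, " -> ")
	if len(parts) != 2 {
		return Flow{}, fmt.Errorf("malformed flow line: %q", line)
	}
	return Flow{Src: strings.TrimSpace(parts[0]), Dst: strings.TrimSpace(parts[1])}, nil
}

// Finding is one flow that needs attention.
type Finding struct {
	Kind   string // "unknown-device" or "unexpected-peer"
	Device string // empty for unknown devices
	Src    string
	Dst    string
}

// CheckFlows compares observed flows against the inventory. A source not in the
// inventory is an unmanaged endpoint; a known device talking to a peer outside
// its baseline is a behavioural deviation. Both deserve a ticket, not just a log line.
func CheckFlows(lines []string) ([]Finding, error) {
	var findings []Finding
	for _, line := range lines {
		f, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		profile, known := inventory[f.Src]
		if !known {
			findings = append(findings, Finding{Kind: "unknown-device", Src: f.Src, Dst: f.Dst})
			continue
		}
		if !profile.AllowedPeers[f.Dst] {
			findings = append(findings, Finding{Kind: "unexpected-peer", Device: profile.Name, Src: f.Src, Dst: f.Dst})
		}
	}
	return findings, nil
}

func main() {
	// Constructed flow log: two expected flows, one deviation, one unknown source.
	lines := []string{
		"10.20.1.15 -> 10.20.0.5:443",
		"10.20.1.22 -> 10.20.0.7:104",
		"10.20.1.22 -> 203.0.113.9:22",
		"10.20.1.99 -> 10.20.0.5:443",
	}
	findings, err := CheckFlows(lines)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-15s device=%q %s -> %s\n", f.Kind, f.Device, f.Src, f.Dst)
	}
}
```

The unknown-device finding is the one that ties back to the onboarding problem: a trial unit a vendor left on a ward shows up here long before its invoice does.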

4. Help your staff understand their role in preserving IoMT security

To medical staff, data security can be a hard sell.

It’s not that clinicians think medical device integrity doesn’t matter. Far from it. The trouble is that patient care comes first - and it doesn’t always feel like security is on their side.

From your point of view, giving each imaging machine a unique password is common sense. So is changing those passwords every 90 days. But to the clinicians who use the machine day in, day out, having to remember and continuously update those credentials is burdensome.

When you don’t stay on top of it, it doesn’t take long for a single password to be shared among multiple clinicians and endpoints. Staff training must be a part of your device onboarding process and your ongoing day-to-day practice.

5. Protect your device identities

Digital certificates are increasingly used to protect vulnerable data, devices and software within healthcare delivery organizations. Public Key Infrastructure (PKI) serves as the foundation for a secure IoMT platform in which each and every entity in your organization can securely communicate.

But certificates don’t last forever. Each one will need to be renewed periodically to keep the infrastructure up-to-date. And as the number of IoT medical devices on your network grows, so will the number of identities you’re tasked with managing.

This isn’t a one-person job. Automated, cloud-based PKI is a great way to streamline what is otherwise a time-consuming, expensive and error-prone process. Download our white paper to learn more about how to secure the IoMT with an automated, cloud-based PKI:
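An added Go example of the renewal bookkeeping the two paragraphs above describe; it is not the author's code and not any product's. It issues a few self-signed device certificates with constructed names and lifetimes, then builds a work queue of the ones expiring within a chosen window, flagging any that have already lapsed. A real deployment would issue from an internal CA rather than self-sign; that is the only shortcut taken to keep the example self-contained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// DeviceCert pairs an inventory name with the device's parsed certificate.
type DeviceCert struct {
	Device string
	Cert   *x509.Certificate
}

// RenewalItem is one line of the renewal work queue.
type RenewalItem struct {
	Device   string
	NotAfter time.Time
	Expired  bool
}

// RenewalQueue returns the certificates that expire within window of now,
// soonest first. Already-expired certificates are flagged separately: they
// mean a device is, or should be, cut off right now rather than next week.
func RenewalQueue(certs []DeviceCert, now time.Time, window time.Duration) []RenewalItem {
	var out []RenewalItem
	for _, dc := range certs {
		if dc.Cert.NotAfter.Before(now.Add(window)) {
			out = append(out, RenewalItem{
				Device:   dc.Device,
				NotAfter: dc.Cert.NotAfter,
				Expired:  dc.Cert.NotAfter.Before(now),
			})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out
}

// NewDeviceCert issues a self-signed client certificate for a device that
// expires lifetime after now (a negative lifetime yields an already-expired
// certificate, useful for exercising the queue). Constructed for this example;
// production devices would be issued by the organisation's CA instead.
func NewDeviceCert(device string, now time.Time, lifetime time.Duration) (DeviceCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return DeviceCert{}, err
	}
	notAfter := now.Add(lifetime)
	notBefore := now.Add(-time.Hour)
	if notAfter.Before(notBefore) {
		notBefore = notAfter.Add(-time.Hour)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: device},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return DeviceCert{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return DeviceCert{}, err
	}
	return DeviceCert{Device: device, Cert: cert}, nil
}

func main() {
	now := time.Now().Truncate(time.Second)
	day := 24 * time.Hour
	// Constructed fleet: one healthy, one due soon, one already lapsed.
	fleet := []struct {
		name string
		life time.Duration
	}{{"pump-ward3", 365 * day}, {"scanner-radiology", 20 * day}, {"old-monitor", -3 * day}}
	var certs []DeviceCert
	for _, d := range fleet {
		c, err := NewDeviceCert(d.name, now, d.life)
		if err != nil {
			panic(err)
		}
		certs = append(certs, c)
	}
	for _, item := range RenewalQueue(certs, now, 30*day) {
		fmt.Printf("%-18s expires %s expired=%v\n", item.Device, item.NotAfter.Format(time.RFC3339), item.Expired)
	}
}
```

Run against a real inventory, the queue is what an automated PKI service takes off your hands: renew before NotAfter, and treat anything that reaches the Expired state as an incident rather than a chore.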
