May 9, 2019 2:01:37 PM
Securing the IoMT and Next-Gen Connected Healthcare

Only a few years ago, hospitals and clinics began to accelerate their transition from paper-based to electronic health records (EHR).

Fast forward to today and virtually every aspect of patient care has been digitally transformed.

No longer science fiction – wearables, medical devices, implantable devices, advanced robotics, and artificial intelligence (AI) are the building blocks of today’s connected healthcare ecosystem.

Driven by rising costs, aging and growing populations, and a shift from volume to value-based care, healthcare delivery organizations (HDOs) face mounting pressure to move from reactive ‘sick’ care to a more proactive and sustainable ‘health’ care model focused on prevention and early diagnoses.

Current and emerging technologies create opportunities to bridge the gap. Medical device manufacturers (MDMs) are building the next generation of connected medical devices to deliver more cost-effective patient-centric care. At the same time, market disruptors such as Apple and Google are delivering medically-capable devices that offer valuable data for patients and providers.

What’s behind the innovation? The “Internet of Medical Things” (IoMT) – a network-powered fabric of medical devices, applications, health systems and services.

The IoMT brings together physical and digital worlds, generating large volumes of data that drive faster and more accurate diagnoses. Connected medical devices can remotely monitor and modify patient health in real time, and streamline clinical processes and workflows.

U.S. hospitals are already using an average of 10 to 15 connected medical devices per bed, but we’re just scratching the surface of what IoMT can offer. In 2018, Forbes reported that some 3.7 million connected devices were in use. By 2020, that number is expected to reach 20 to 30 billion.

The IoMT for Hackers

But the IoMT is as much an opportunity for hackers as it is for patients and providers. Network-enabled devices now collect and share protected health information (PHI) across open networks, significantly increasing the number of potential vulnerabilities across the ecosystem.

Nearly 95% of medical and healthcare institutions have reported falling victim to some form of a cyber threat. In an industry already bombarded with constant ransomware and phishing attacks, the emerging IoMT should serve as a wake-up call to leaders in healthcare IT and cybersecurity.

In this new environment, the cost of data breaches is significant and far-reaching. As medical devices connect to unsecured home or public Wi-Fi, as well as cellular networks to transmit data between patient and provider, the risk of data loss increases exponentially.  

As far back as 2015, hackers have leveraged IoT-enabled medical devices to create backdoors into hospital networks. Device hijacking isn’t confined to security labs anymore – it’s real.

A major issue to contend with is that many of the machine-to-machine (M2M) protocols used today are inherently insecure, leaving IoMT devices at the edge of the network vulnerable to attack. Hackers leverage compromised IoMT devices to infiltrate the network and move laterally through critical infrastructure, intercept valuable data, or even compromise operation of the device itself – putting patients directly in harm's way.

A growing number of medical devices have the design flexibility to connect to an HDO’s network, from wearables and implantables to bedside stationary devices. But even legacy devices with high replacement costs, such as MRI and X-ray machines, are being retrofitted with network access to enable remote management.

Even if your organization hasn’t yet adopted an IoT strategy, chances are that you already have a large number of medical devices connected to your infrastructure. By 2020, more than 25% of attacks identified in HDOs will involve IoT. As the healthcare industry increases adoption of networked medical devices, it’s an ideal time to put cybersecurity measures first.

Securing the IoMT: A Shared Responsibility

In 2013, the Food and Drug Administration (FDA) became significantly more vigilant in how it reviews cybersecurity requirements. Since then, numerous safety communications have been issued to the public, bringing to light the seriousness of vulnerabilities in connected medical devices, and the inevitable reputational damage and operational costs for MDMs and HDOs alike.

Securing the IoMT and next generation connected healthcare is a shared responsibility between HDOs and MDMs. The FDA is clear about this, stating that HDOs should “evaluate their network security and protect their hospital systems,” while MDMs “are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices.”

Practical First Steps to Securing the IoMT

So what are some practical first steps that HDOs and MDMs can take to secure the IoMT and next generation connected healthcare?

For HDOs

  1. Identify – Unknown and unmanaged endpoints account for at least two-thirds of all endpoints on an organization’s network. Healthcare IT and security teams must discover all devices on the network, including new IoMT devices, and understand what their function is.
  2. Audit – As the IoMT expands, it’s critical to keep track of new devices, ensure that the latest software and firmware patches are applied, and purge unused devices that may still pose a risk to your network.
  3. Communicate – Outside of the CISO, IoT device security risks are often not well understood. Medical staff especially should be aware of the potential risks of network-connected medical devices.
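
One way to put the Identify and Audit steps above into practice, shown as an added example that is not from the original article or from Keyfactor: reconcile what is seen on the network against the asset register, then flag unknown endpoints, devices behind on firmware, and registered devices that have gone quiet. All device names, MAC addresses, firmware versions, dates and the 90-day staleness threshold are constructed assumptions, and firmware versions are assumed to be dotted integers.

```python
from datetime import date

# Constructed asset register (what clinical engineering believes is deployed).
INVENTORY = {
    "00:1a:2b:00:00:01": {"name": "infusion-pump-3W-01", "firmware": "2.4.1", "required": "2.4.1"},
    "00:1a:2b:00:00:02": {"name": "patient-monitor-ICU-07", "firmware": "1.9.0", "required": "2.0.3"},
    "00:1a:2b:00:00:03": {"name": "mri-console-legacy", "firmware": "5.1.0", "required": "5.1.0"},
}
# Constructed network observations: MAC -> date last seen (e.g. exported from DHCP or switch tables).
OBSERVED = {
    "00:1a:2b:00:00:01": date(2019, 5, 8),
    "00-1A-2B-00-00-02": date(2019, 5, 8),   # same device as the register entry, different notation
    "00:1a:2b:00:00:03": date(2019, 1, 15),
    "de:ad:be:00:00:99": date(2019, 5, 7),   # not in the register
}
AS_OF = date(2019, 5, 9)  # constructed audit date


def norm_mac(mac):
    """Canonical form so 00-1A-2B... and 00:1a:2b... compare equal."""
    return mac.strip().lower().replace("-", ":")


def version_tuple(v):
    """'2.0.3' -> (2, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit(inventory, observed, as_of, stale_after_days=90):
    """Return unknown MACs, outdated device names and stale device names."""
    known = {norm_mac(m): rec for m, rec in inventory.items()}
    seen = {}
    for mac, when in observed.items():
        key = norm_mac(mac)
        seen[key] = max(when, seen.get(key, when))  # keep the most recent sighting
    findings = {"unknown": [], "outdated": [], "stale": []}
    findings["unknown"] = sorted(m for m in seen if m not in known)
    for mac, rec in sorted(known.items()):
        if version_tuple(rec["firmware"]) < version_tuple(rec["required"]):
            findings["outdated"].append(rec["name"])
        last = seen.get(mac)
        if last is None or (as_of - last).days > stale_after_days:
            findings["stale"].append(rec["name"])
    return findings


if __name__ == "__main__":
    for category, items in audit(INVENTORY, OBSERVED, AS_OF).items():
        print(f"{category}: {items}")
```

Unknown endpoints need identification before anything else; stale entries are candidates for the decommission review the Audit step calls for.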

For MDMs

  1. Design – Security must be addressed at the time of manufacture. The FDA's Draft Guidance on Content of Pre-Market Submissions for Management of Cybersecurity in Medical Devices provides a solid framework to understand how
  2. Plan – MDMs must also prepare for the inevitable software or firmware update. The FDA’s Final Guidance on Post-Market Management of Cybersecurity in Medical Devices provides recommendations to ensure safe and secure operations throughout the product lifecycle.
  3. Communicate – MDMs need to communicate with HDOs and their data security provider to understand the types of devices they’re trying to bring to market, what the goal is for those devices, and the potential risks involved – including cybersecurity.

Keyfactor is committed to protecting the next generation of connected healthcare for patients, applications, and medical devices. We empower our customers to develop and implement healthcare technology faster, easier, and more securely than ever before. Download our eBook for direct steps on how to secure the next generation of connected healthcare.
