Even though the healthcare industry has been slower to adopt Internet of Things technologies than other industries, the Internet of Medical Things (IoMT) is destined to transform how we keep people safe and healthy, especially as the demand for lowering healthcare costs increases.
The Internet of Medical Things refers to the connected system of medical devices and applications that collect data that is then provided to healthcare IT systems through online computer networks. IoMT can not only help monitor, inform and notify care-givers but also provide healthcare providers with actual data to identify issues before they become critical or to allow for earlier invention.
A report by Allied Market Research predicts that the IoT healthcare market will reach $136.8 billion worldwide by 2021. Today, there are 3.7 million medical devices in use that are connected to and monitor various parts of the body to inform healthcare decisions.
IoMT Cybersecurity Challenges
Most IoMT devices were not designed with security in mind, which makes them especially vulnerable to compromise. In fact, one study suggested that there is an average of 164 cyber threats detected per 1,000 connected host devices. Connected medical devices – from Wi-Fi enabled infusion pumps to smart MRI machines – increase the attack surface of devices sharing information and create security concerns including privacy risks and potential violation of privacy regulations.
The contamination and loss of data and the potential to seize control of a device should be top concerns for healthcare IT teams. An exploited vulnerability leading to the hijacking or ransoming of a device could not only result in clinical risk but even the loss of life.
The recent Vectra 2019 Spotlight Report on Healthcare indicates that the proliferation of healthcare internet-of-things (IoT) devices, along with lack of network segmentation, insufficient access controls and reliance on legacy systems, has created an increasing attack surface that can be exploited by cyber criminals determined to steal personally identifiable information (PII) and protected health information (PHI), in addition to disrupting healthcare delivery processes.
As the number of connected devices increases, we need to determine how to handle the data load securely. Protecting patient medical, insurance and personal information must be a top priority. IoMT devices have several inherent risk factors. For instance, IoMT devices have largely unquestioned access to much of the data stored on the network, making them an ideal target for cybercriminals. If you couple this with the fact that many IoMT devices are notoriously insecure, then the chances of a data breach resulting from IoMT compromise increases dramatically.
In addition, most hospitals don’t have network segmentation of IoT from other devices. The result is that any device that is introduced locally can end up having a global organizational impact especially due to the lateral movement of patient medical and sensitive information across devices and departments. The security problem becomes more threatening because of the procurement procedures of medical devices.
Security isn’t often included in the device acquisition or implementation phases, and it is usually an add-on feature. The lack of embedded security features increases the risk of human error, which can be anything from poor system configuration to the absence of audit logs, unauthorized access control or even a lack of processes surrounding the device’s use.
However, to best protect that data, healthcare practitioners need a better understanding of the types of cyber threats they are dealing with. Aside from the financial consequences of cyber crime, these are cases in which human lives are at immediate risk if a device’s function is interrupted. Much of the onus is on medical device manufacturers themselves.
IoMT Devices Vulnerability Assessment
In view of this grave situation, the U.S. Food and Drug Administration recently released industry guidelines for securing medical devices. The primary concern of these guidelines is safety, which can be jeopardized by errors and inadequate interoperability. Therefore, the guidelines introduce a set of appropriate functional, performance and interface requirements for devices with interactions to data exchange systems.
FDA recognizes medical device cybersecurity as a top priority and as a shared responsibility among stakeholders including health care facilities, patients, providers and manufacturers of medical devices. Effective cybersecurity risk management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.
An effective cybersecurity risk management program should incorporate both premarket and postmarket lifecycle phases and address cybersecurity from medical device conception to obsolescence.
In accordance with the FDA guidelines for the premarket management of cybersecurity vulnerabilities in IoMT, the pre-market vulnerability assessment should focus primarily on whether the manufacturer of the product has assessed the potential for cybersecurity vulnerability and risk and how they have chosen to mitigate those risks.
The goals of the FDA recommendations are to employ a risk-based approach to the design and development of medical devices with appropriate cybersecurity protections. They are also meant to take a holistic approach to device cybersecurity by assessing risks and mitigations throughout the product’s lifecycle so as to promote the development of trustworthy devices to help ensure the continued safety and effectiveness of the devices.
The device manufacturers also should consider putting controls in place that will help mitigate those risks.
The extent to which security controls are needed will depend on the device’s intended use, the presence and functionality of its electronic data interfaces; its intended environment of use; the type of cybersecurity vulnerabilities present; the exploitability of the vulnerability, either intentionally or unintentionally; and the probable risk of patient harm due to a cybersecurity breach.
Since cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls. Therefore, management of postmarket vulnerabilities should be of utmost concern.
In accordance with FDA’s guidance for the postmarket cybersecurity of IoMT, cybersecurity risk management programs should emphasize addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accesse, or transferred from a medical device to an external recipient and which may result in patient harm.
During postmarket vulnerability assessment, a manufacturer should establish, document and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks and monitoring the effectiveness of the controls. Such a vulnerability scanning process should focus on assessing the risk of patient harm by considering the exploitability of the cybersecurity vulnerability and the severity of patient harm if the vulnerability were to be exploited.
Proactively addressing cybersecurity risks in medical devices reduces the overall risk to health. Tripwire supports medical device companies and other healthcare organizations with embedded software devices by providing rigorous security assessments.
Tripwire’s device testing approach includes identifying security risks and vulnerabilities that may exist in the physical construction of the device and its network interfaces. The goal is to identify potential control exposures through security configuration analysis and vulnerability testing of the platform and the operating environment.
To learn more, download this solution brief on medical device cybersecurity.