Healthcare delivery organizations face significant operational risks (at best) and dangerous patient outcomes (at worst) if they fail to sufficiently secure internet-connected devices and equipment across their entire lifecycles. To put some rather eye-opening numbers to it: a recent Ponemon Institute survey revealed that more than 20% of healthcare organizations report increased patient mortality in the aftermath of cyberattacks.[i] The financial costs are also steep, with IBM’s July 2023 report finding the average cost of a healthcare data breach to be almost $10.9 million.[ii]
Yet even as the industry continues to be an especially high-value target for cybercriminals, the delta has remained high between where device security is and where it should be. Part of the challenge is that developing comprehensive Internet of Medical Things (IoMT) security measures requires collaboration among industry stakeholders, from device manufacturers to healthcare delivery organizations to cybersecurity providers. Unfortunately, these stakeholders often fail to align their strategies.
Let’s take a quick look at the roles each of these stakeholders must play in IoMT security, and the measures that healthcare delivery organizations should pursue to protect their patients and their businesses while working toward optimal collaboration.
IoMT Device Manufacturers
Manufacturers of networked medical devices must consider healthcare delivery organizations’ security requirements and compliance standards throughout their product design and testing. Then, they should offer ongoing support to secure against vulnerabilities and risks that emerge after a device enters production.
Device manufacturers are largely effective in releasing well-tested, secured devices. However, manufacturers often struggle against the more intensive challenge of keeping pace with emerging risks to already-active devices. As a result, only a fraction of known vulnerabilities actually receive manufacturer patches. Because of the ongoing nature of vulnerabilities, collaboration between healthcare systems, cybersecurity providers and manufacturers is crucial to making updated threat data available, and enabling informed risk mitigation activities.
Healthcare Delivery Organizations (HDOs)
The greatest burden of responsibility for IoMT device security falls squarely on HDOs, because the ultimate impact of device security, maintenance and risk management failures lands on their networks—and their patients.
Securing networks against unauthorized access and device tampering are crucial practices, as is implementing vulnerability scanning to recognize risks as they arise. When manufacturers fall short of ideal collaboration with HDOs and don’t provide the device patches needed to address known risks, HDOs may consider the expensive option of replacing a device that can no longer be updated. However, HDOs should first explore collaborations with cybersecurity providers, who can often offer alternative strategies for protecting unpatchable devices.
Cybersecurity Providers
Close strategic collaboration with an IoMT cybersecurity provider can pick up the slack when collaborations with manufacturers come up short. These partners can enable patch management capabilities for identifying and mitigating device vulnerabilities that represent actual risk and require attention. Cybersecurity providers can also help HDOs to recognize security gaps across IoMT device lifecycles, and implement risk limitation strategies. Additionally, cybersecurity providers can often bridge the collaborative process between HDOs and manufacturers, bolstering communication and responses when risks emerge and new patches become available.
Seven Steps for Establishing Effective IoMT Security
Once a collaborative partnership with their device manufacturers and cybersecurity providers has been established, HDOs should consider the following steps to optimize their IoMT security:
1) Know what you have. Thorough and continuous IoMT device scanning identifies the current state of your network, with the visibility and variables—such as device manufacturer, serial number, IP address, etc.—required for an ongoing security program.
2) Run a comprehensive risk assessment. Work with device manufacturers and cybersecurity experts to assess and prioritize IoMT device risks throughout the device lifecycle. As manufacturers report new vulnerabilities and publish patches, carefully adjust assessments and manage risk accordingly.
3) Introduce access controls and authentication protections. Deter unauthorized access to IoMT devices with tight access controls, including multi-factor authentication, and role-based access controls that customize permissions for each user.
4) Implement automated monitoring for threats and anomalies. Monitoring strategies should include automated detection and alerting to any threats or traffic anomalies that raise suspicion. Key indicators of potential compromise include IoMT device performance, logins, activations, and changes in network traffic volume and locations.
5) Practice ongoing, data-driven vulnerability management. Prioritize device vulnerability mitigation efforts to zero in on the vulnerabilities that attackers are most likely to exploit. Actively adapt vulnerability mitigation priorities as attacker practices shift, to continually optimize the effectiveness of security efforts.
6) Apply the most current patches and updates. Continuously apply device security patches and updates as soon as they become available. A challenge comes in scenarios where known vulnerabilities lack available patches. In cases where it doesn’t make business sense for manufacturers to provide a patch, they often won’t. Cybersecurity providers can react to such scenarios by assessing the actual practical risk that a vulnerability represents given its use case, and by implementing security countermeasures to protect devices lacking an official manufacturer-led solution.
7) Conduct continuous employee security training. The behavior of HDO employees represents a significant source of risk—and introducing a security training regimen can help minimize it. Regular training in security best practices makes the difference between employees that properly secure their login credentials, recognize phishing emails for what they are, and are fully aware of emerging threats that they may otherwise fall victim to.
Collaborate to Elevate Your Security Posture
HDOs shouldn’t feel that they’re going it alone when it comes to securing their vast fleets of IoMT devices. By leaning on device manufacturers and security providers and working together to optimize their security profile, HDOs can apply the latest information, patches and security best practices to protect their IoMT device fleets and, most importantly, their patients.
References:
[i] “Healthcare cyberattacks led to worse patient care, increased mortality, study finds,” Healthcare Dive, September 8, 2023, https://www.healthcaredive.com/news/cyberattacks-hospitals-disrupt-operations-patient-care-Ponemon/631439/
[ii] [ii] “IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million,” The HIPAA Journal, July 24, 2023, https://www.hipaajournal.com/2023-cost-healthcare-data-breach/