Today, hospitals and healthcare facilities are increasingly connected under the IoMT (Internet of Medical Things) paradigm. While connected devices can enhance the quality of care for patients, they also introduce cybersecurity concerns. This article looks at some of the cybersecurity challenges facing hospitals and how they can be dealt with, based on an interview with Shankar Somasundaram, CEO of Asimily.
Increasingly, hospitals across the globe rely on connected devices to improve efficiency and quality of care. Devices monitoring patients’ vitals can immediately alert medical staff when something goes wrong. Patient falls can also be dealt with quickly when detected by thermal cameras or radar.
“There’s a particularly broad range of network-connected devices in healthcare facilities, and deployments continue accelerating,” Somasundaram said. “On the patient-facing side, you have infusion pumps, patient monitoring systems, ventilators, and imaging systems like MRI machines and ultrasound devices. But beyond these clinical devices, hospitals also run connected security cameras, badge readers, HVAC controls, etc. The average hospital has around 30 connected devices per patient bed, so you’re looking at thousands of IoT, OT, and IoMT systems converging on a single network.”
Security risks and consequences
While IoMT devices can be beneficial for hospitals, they can also be used as vectors by hostile actors to launch various types of attacks, for example ransomware attacks.
“Ransomware remains one of the biggest threats to hospital systems right now. Attackers understand this industry faces enormous pressure to restore operations quickly because downtime directly affects patient outcomes, which makes them more likely to pay. While phishing campaigns targeting hospital staff remain a common initial access vector, connected medical devices or IoT or OT devices increasingly serve as an entry point. Many such IoMT/IoT/OT devices run legacy operating systems that cannot accept patches and were never designed with security as a primary consideration,” Somasundaram said. “DDoS attacks targeting hospital networks also occur, though typically with less frequency than ransomware.”
According to Somasundaram, once an attack happens, the consequences can be quite severe.
“According to the Ponemon Institute, the average cost of recovering from a cyberattack in healthcare is now US$4.4 million when direct costs and lost revenue are both factored in,” Somasundaram said.
But financial impact is only part of the picture. “When hospital systems go down, clinical staff are forced to revert to paper-based workflows, which slows care delivery at exactly the moments when speed matters most,” Somasundaram adds. “Then there’s the regulatory dimension. Hospitals face significant obligations under HIPAA, and a breach that exposes patient data can result in substantial fines and mandatory audits on top of the recovery costs.”
Challenges facing hospital operators
It’s important, then, that these cyber threats are properly addressed. Yet in doing this, hospital security teams face various challenges. One of them is visibility. In fact, according to
Asimily’s own survey, 43 percent of hospital chief information security officers (CISOs) cite a lack of complete device visibility as the top challenge they want to solve first.
“Within most hospitals … procurement and facilities teams own procurement and deployment of IoT and OT devices. Security teams frequently find out after the fact that a new device has been added to the network. There’s often no standard process requiring a handoff of device information at the time of deployment, and that’s increasingly risky,” Somasundaram said.
He adds: “The visibility problem gets deeper when you factor in third-party technicians, which almost all healthcare systems use. Biomedical or clinical engineering vendors or service technicians regularly come on-site to service or update devices, and they don’t always communicate configuration changes back to the security team.”
Then there’s the issue of data overload, as the Asimily survey points out 20 percent of CISOs cite data overload as the biggest device risk management barrier.
“When you have hundreds of thousands of connected devices generating network traffic simultaneously, the volume of signals flowing into a security dashboard becomes unmanageable without intelligent filtering,” Somasundaram said, adding that solutions that filter out raw alerts and ingest only actionable signals are recommended.
“Raw alerts are the unfiltered output of that activity. They come in high volume with low context, and they require a security analyst to manually determine whether something warrants investigation. Actionable signals are what you get when you layer in device context, network topology, and behavioral baselines. So instead of just seeing a generic alert about unusual traffic, a security team sees that a specific infusion pump or IP camera on a specific floor has initiated communication with an external IP that doesn’t match any known vendor or update server, and that the device in question has a known vulnerability aligning with a recently published exploit. Knowing that detail, you act immediately,” he said.
Somasundaram also mentions the importance of network segmentation, which is a strong defense measure against cyberattacks. “When devices are properly segmented, a compromised infusion pump on one floor cannot communicate with an administrative workstation or an EHR system on another, or an IP camera or HVAC system cannot be used to a server containing patient data. That shrinks the blast radius of an attack considerably,” Somasundaram said.
Asimily's solution
This is where Asimily’s solution comes in. A cyber asset and exposure management platform, Asimily enables intelligent filtering, facilitates network segmentation and gives security teams a unified view of every deployed connected device in an IoMT environment.
“The platform discovers and inventories every device using network monitoring, protocol-based analysis, deep packet inspection, AI and ML-based traffic analysis, APIs and protocol-based querying. Security teams get a complete, continuously updated picture of what's on their network without having to rely on manual intake processes or departmental handoffs,” Somasundaram said.
“Our platform also tackles network segmentation and micro-segmentation directly, generating segmentation recommendations based on actual observed device behavior,” he continues. “Asimily also integrates threat detection and response capabilities, empowering teams with anomalous behavior monitoring and device rules that can capture potential threats. With this functionality, Asimily ensures that teams have network context and understand normal device behavior, so their limited time is spent effectively.”