One of the biggest technological shifts in the health care industry is the Internet of Medical Things (IoMT). By connecting various devices and integrating them to operate seamlessly, IoMT offers a way to radically improve day-to-day operations in health care and deliver better patient service.
But experts point out several concerns about IoMT that require immediate attention. The majority of IoMT devices have vulnerabilities. On average, IoMT device manufacturers publish 2000 to 3000 vulnerabilities every month. According to Shankar Somasundaram, CEO of Asimily, even the best manufacturers only patch about 1 in 50 of their known vulnerabilities, leaving a yawning gap for healthcare organizations to consider.
“Major concerns include: the sheer number of vulnerabilities and issues potentially putting their organizations at risk, the reality that most of those vulnerabilities cannot be patched, and the organization’s limited security resources to address these threats,” Somasundaram said. “The fact that healthcare systems often don’t have a complete or accurate inventory of their IoMT devices only adds to the challenge; you can’t secure what you don't know you have.”
Best practices to protect
It's just as important to understand that not every health system device with a vulnerability is equally vulnerable. While some vulnerabilities are IoMT-specific, most are platform-level vulnerabilities that reside in the OS or the commercial software (such as a web browser) that IoMT applications use and do not necessarily impact devices as they would a traditional endpoint or server.
Here are some best practices that customers and security teams can follow to minimize threats.
- Prioritization
Ruthless prioritization is critical. With thousands of new vulnerabilities published monthly, you’ll never have the time to fix every minor vulnerability or micro-segment every device.
“You must focus on the most severe issues on the most critical devices,” Somasundaram said. “Doing so effectively means considering the risk of the vulnerability itself, the likelihood of exploitation on the specific device, and the importance of the device to your operations.”
- Holistic approach
Healthcare systems should also think about vulnerability remediation holistically: even if a patch is not available, there may be configuration or behavior changes that can effectively mitigate or even eliminate the risk of a particular vulnerability.
“Since micro-segmentation is often very labor-intensive, healthcare organizations should save this option for when other solutions aren't available, rather than relying on it as their primary security strategy,” Somasundaram added.
- Prevention better than cure
One of the best ways to prevent security issues is to avoid creating them in the first place. That means considering cybersecurity risk from the beginning of the procurement process. While many organizations already do this to some extent, security team input during procurement tends to devolve into compliance theater, or a box-checking exercise that doesn't help anyone.
The more useful approach relies on real-world technical data that demonstrates how the devices behave in the field. Analyzing the reputation of the manufacturer overall can also be useful. Are they generally on top of security issues with their product portfolio? Do they release patches?
- Get the basics right
It's also beneficial to implement a solid foundation of general security best practices, which apply to IoMT devices as much as anything else. Those best practices should include preparing well-defined incident response plans, running tabletop exercises, and having a monitoring solution (ideally one that an actual person monitors) checking device logs for anything anomalous.
Major challenges to overcome
Healthcare systems absolutely require dedicated solutions for performing the in-depth analysis it takes to assess and prioritize IoMT security risk accurately. Exploit analysis continually finds that in an average IoMT environment, 90 percent of vulnerabilities don’t present any risk due to the specific environmental factors and connections in that ecosystem.
Without knowing precisely which 10 percent of vulnerabilities to focus on and how attackers will exploit those actual risks, security teams will have difficulty being effective.
“Additionally, many IoMT devices do not support on-device anti-malware agents, which many organizations rely on as a core security layer,” Somasundaram said. “It’s not uncommon for legacy IoMT devices to crash if subjected to such scanning. Many devices also fail to support detailed logging that simplifies incident response and forensic analysis. Therefore, augmenting IoMT security with network-side systems that capture traffic and log all device connections is crucial to filling that gap.”
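The prioritization and remediation ordering described above can be sketched in code. This is an added example, not from the article or from Asimily: the scoring formula, the likelihood weights, the device names and the vulnerability ids are all constructed assumptions. It drops every device/vulnerability pair whose precondition does not hold on that device, ranks the rest by severity, likelihood and device criticality, and proposes micro-segmentation only when no patch or configuration change exists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str          # constructed placeholder id, not a real CVE
    component: str    # software the flaw lives in (OS, browser, ...)
    severity: float   # 0-10 severity of the vulnerability itself
    needs: str        # precondition an attacker requires on the device
    patch: bool       # manufacturer patch available
    config_fix: bool  # a configuration or behaviour change mitigates it

@dataclass(frozen=True)
class Device:
    name: str
    criticality: int      # assumed scale: 1 (convenience) to 5 (life-sustaining)
    components: frozenset # software actually present on the device
    exposure: frozenset   # preconditions that actually hold in this environment

# Assumed likelihood weight per precondition; tune to your own environment.
LIKELIHOOD = {"inbound_service": 1.0, "user_browsing": 0.6, "local": 0.3}

def likelihood(dev, v):
    # A platform flaw is no risk where the component is absent or never exercised.
    if v.component not in dev.components or v.needs not in dev.exposure:
        return 0.0
    return LIKELIHOOD[v.needs]

def remediation(v):
    # Patch first, then a configuration change, micro-segmentation last.
    return "patch" if v.patch else "config change" if v.config_fix else "micro-segment"

def prioritize(devices, vulns):
    rows = [(round(v.severity * likelihood(d, v) * d.criticality, 1),
             d.name, v.vid, remediation(v))
            for d in devices for v in vulns if likelihood(d, v) > 0]
    return sorted(rows, reverse=True)

# Constructed sample inventory and findings.
DEVICES = [
    Device("infusion-pump", 5, frozenset({"embedded-os", "web-admin"}), frozenset({"inbound_service"})),
    Device("nurse-kiosk", 2, frozenset({"desktop-os", "browser"}), frozenset({"user_browsing", "local"})),
    Device("mri-console", 4, frozenset({"desktop-os", "browser"}), frozenset({"local"})),
]
VULNS = [
    Vuln("VULN-A", "browser", 9.8, "user_browsing", True, False),
    Vuln("VULN-B", "web-admin", 7.5, "inbound_service", False, True),
    Vuln("VULN-C", "desktop-os", 6.0, "local", False, False),
]

if __name__ == "__main__":
    print(*prioritize(DEVICES, VULNS), sep="\n")
```

Note that the highest-severity finding (VULN-A) does not top the list, and it disappears entirely for the MRI console, where the browser is installed but never used for browsing.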
Security with seamless operational technology
Perhaps the biggest challenge is ensuring security without hurting the experience of patients and health care workers. Somasundaram suggests that clear ownership is important here. Currently, ownership over many essential IoMT security responsibilities sits in a vague space between the Biomed / healthcare technology management (HTM) side and the IS/IT side. The trouble is, if everyone owns something, nobody does—and key precautions then slip through the cracks.
“Ensure lines of responsibility and reporting are well-defined: you don’t want to be figuring this out in the middle of a crisis,” Somasundaram said. “Running tabletop exercises will provide valuable practice and experience, preparing teams for when true threats do emerge.”
Additionally, security teams at healthcare organizations need to understand that medical care environments are unlike any other IoT environment, especially since patient care will always take priority over security. In many cases, leaving a risky IoMT device in place will be the right decision for the organization because its benefits to patients carry more weight than the potential risks.
In Somasundaram’s own words, security professionals need the perspective to understand those decisions and build mitigation strategies to optimize security even when they’d prefer to avoid those challenges.