Connected Medical Device Cybersecurity: Reviewing Hospital IoT and IoMT Risks


For healthcare organizations, connected devices on the network can create considerable risk. The industry is already a top target for cybercriminals, with an average of 1,463 attacks per week in 2022, up 74% from the previous year. The U.S. sector alone dealt with 1,410 per week. Healthcare continues to be the most targeted vertical, and medical IoT (Internet of Things) devices elevate the threat further. As a result, connected medical device cybersecurity is a critical component of healthcare.

Protecting your organization from these risks can be challenging, with emerging trends making it more complex. The best strategy begins with a risk-based approach.

Why Adopt a Risk-Based Approach?

The first principle of a healthcare IoT and IoMT (Internet of Medical Things) security strategy is to ground it in a risk-based approach. There are several reasons why this should be a priority, including:

  • The growth in connected medical devices on networks, both in care settings and those used in remote patient monitoring
  • A scarcity of cybersecurity healthcare talent, making it more taxing to monitor networks properly
  • The complexity of taking connected devices offline to remediate any vulnerabilities

With a risk-based approach, your focus shifts to reducing risk rather than chasing every finding. You can’t eliminate risk entirely, but proactive measures such as vulnerability assessments and penetration testing support this philosophy. Emerging threats in this landscape also create challenges in managing risk.

Emerging Trends Relating to Connected Medical Device Cybersecurity

The data cited above already gives a clear picture of the threat landscape and its expansion. Other trends have healthcare cybersecurity professionals on edge.

Cyber Budgets for Healthcare Are Just Now Bouncing Back for Some

Healthcare has always had a cybersecurity budget problem. Organizations rarely have what they need to hire and retain staff and implement new technology. In 2023, budgets began to bounce back from pandemic lows as operating margins improved. However, many hospitals, particularly those in rural areas, are still financially bleeding, which means their budgets remain significantly stretched. Thus, few funds exist for upgrades, pen testing, and adding staff.

A Lack of Cyber Talent Is Also Straining Internal Teams

The cybersecurity talent gap is growing, with millions of jobs unfilled. Healthcare also has little room to offer incentives and more competitive pay. As a result, those working in the field could reach burnout levels much faster, which often results in turnover. Fewer experienced team members usually equate to elevated risk.

Incident Recovery and Response Are Unique, Complex, and Urgent in Healthcare

What makes healthcare so attractive to hackers is PHI (protected health information), which is more valuable than credit card or bank account numbers because it is permanent: a diagnosis or Social Security number cannot be reissued the way a card can. Ransomware is especially effective here for a different reason: downtime directly affects patient safety, so the pressure to pay is far more urgent than in other industries. A study found that cyberattacks caused more than 20% of healthcare organizations to experience increased mortality rates. The study also revealed other data points that illustrate how distinct healthcare is in the area of cyber incidents:

  • Only 51% of healthcare organizations include connected medical devices in their cybersecurity strategy.
  • Institutions not preparing for cyberattacks put patients at risk, and less than half of respondents have a documented response plan.
  • The average cost of a cyberattack for healthcare is $4.4 million.
  • A lack of funding continues to be a challenge for healthcare.
  • IoMT devices are a preferred target for ransomware attacks.

Around 88% of cyberattacks in healthcare involve IoMT devices. One of the reasons they are effective is that devices often lack regular updates. The Food and Drug Administration (FDA), which regulates connected medical devices, now applies Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act), added by the Consolidated Appropriations Act, 2023. The statute requires premarket submissions for “cyber devices” to address four core cybersecurity requirements, including a plan to monitor, identify, and address vulnerabilities after the device is in use, processes for providing postmarket updates and patches, and a software bill of materials (SBOM) for the device’s components.

Fueling these attacks is the fact that there are an average of 6.2 vulnerabilities per medical device. These devices become an entry point: once one is compromised, an attacker can pivot from it to the rest of the network and deploy malware or ransomware.

All these trends demonstrate that the threat is real and building, often impacting patient care.

Connected Medical Device Cyber Attacks Can Affect Patient Care

Alarmingly, a growing number of cyber incidents are affecting patient care. In a survey of organizations that had experienced an attack, respondents reported the following effects:

  • There were delays in procedures or tests, leading to poorer outcomes.
  • Patients had longer lengths of stay.
  • Attacks increased the number of patients transferred to other facilities.
  • There were more complications from medical procedures.
  • Mortality rates rose, with 24% of respondents attributing increased mortality directly to cyberattacks.

The effect on patient care is the most concerning, but attacks have other consequences.

Cyberattacks on Connected Medical Devices Cause Significant Negative Outcomes for Healthcare

There are more reasons that attacks on connected medical devices keep stakeholders up at night. First, there is the data loss itself: a breach of PHI triggers a formal investigation and, under the HIPAA Breach Notification Rule, notification of affected individuals and regulators. As a result, organizations often must also provide identity theft monitoring to impacted patients.

Second are the recovery costs, both direct and indirect. As noted above, the average is in the millions and includes:

  • Lost staff time
  • Disruption of operations
  • Replacement of IT assets
  • Remediation efforts
  • Costs for patient communication and identity theft monitoring
  • Fines for HIPAA noncompliance

Third is reputational harm and loss of trust. Healthcare is an industry that thrives or dies based on its credibility. A cyber incident can erode what an organization has built within its community, which could lead to patients using other providers. It may also make other businesses skeptical about partnering with them.

Looking over the landscape of connected device cybersecurity and the many components of using these IoT and IoMT assets, what can you do to avoid becoming a victim? It goes back to instituting and following a risk-based approach.

What Does a Risk-Based Approach for Connected Medical Device Cybersecurity Look Like?

When building a risk-based strategy for medical devices, it should encompass four key areas. Let’s review each and what activities support them.

Elimination of Risk

Some risk can simply be avoided. In this step, you assess, ideally with an expert partner, everything in your IoT and IoMT network that introduces risk but is not required for the devices to function. That includes narrowing how devices communicate: disabling unused services and management interfaces, restricting each device to the protocols and endpoints it actually needs, and retiring connected features nobody uses. A vulnerability in a service that has been turned off no longer needs a patch.

Mitigation of Risk

Unfortunately, you can’t eliminate all of the risks. It’s the nature of having a connected network. The devices deliver real-time, valuable data, benefiting you and your patients. In this phase, you’re evaluating the level of risk, which would include a vulnerability assessment.

A vulnerability assessment for IoT and IoMT evaluates every device connected to your network. The goal is to identify missing patches, insecure configurations, and flaws that attackers could exploit. At the conclusion, each weakness receives a priority level of:

  • Critical: Vulnerabilities that are the most urgent and require immediate attention.
  • High: These don’t hit the critical threshold but are still a high priority.
  • Medium: These issues carry less risk but should be remediated.
  • Low/Informational: This segment includes cautionary but not urgent vulnerabilities.

From the list, you would then address each issue with remediation recommendations from the firm executing the assessment. Continuous vulnerability testing is a best practice in IoT and IoMT cybersecurity.

In addition to these assessments, you should also hire firms to perform pen testing. A penetration test is a simulated cyberattack carried out by ethical hackers. It takes vulnerability assessments further, as the tester will attempt to exploit weaknesses in your network, just as an actual cybercriminal would.

Assessments and pen tests work in tandem, with the former occurring first. Pen testing also produces a report of found vulnerabilities and how to address them properly.

Transfer of Risk

The third action is to reassign the risk where possible. Transferring risk could include working with third parties that continuously monitor and assess your IoT and IoMT network. Outsourcing to a firm with healthcare cybersecurity expertise can reduce the strain on your team and feeds back into the elimination and mitigation steps. Note that outsourcing shares the work, not the accountability: a covered entity remains responsible for HIPAA compliance and for patient safety regardless of who runs the monitoring.

Acceptance of Risk

The fourth element is that you must accept some risk that cannot be eliminated, mitigated, or transferred. That doesn’t mean leaving gaps in your cyber defenses; accepted items fall into the low-priority category and are documented and re-checked on a schedule. For example, you may accept a low-severity vulnerability on a small cluster of devices that sits on a segmented network with tightly restricted access, where the likelihood and impact of a breach are both low.
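The four treatment decisions above, worked through on a constructed device inventory. This is an added example written for this article, not Blue Goat Cyber’s tooling or any scanner’s output. The devices, findings, identifiers such as VULN-001, segmentation states, and score adjustments are all assumptions chosen to illustrate the logic; only the severity bands are standard (the CVSS v3 qualitative ratings). Transfer is a contractual decision rather than a per-finding computation, so the code flags unpatchable devices for isolation and monitoring, which is the work an outsourced monitoring partner would take on.

```python
"""Risk treatment for connected medical device findings: eliminate, mitigate, accept.
Added example for this article, not production or vendor code. Every device,
finding, identifier (VULN-00x) and adjustment weight below is constructed."""
from dataclasses import dataclass

# CVSS v3 qualitative bands, mapped onto the article's four priority levels.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low/Informational"))

# Assumed segmentation states describing where a device sits on the hospital network.
ISOLATED = "isolated"   # own VLAN; only allowlisted clinical servers can reach it
FLAT = "flat"           # shares a VLAN with general workstations
EXPOSED = "exposed"     # reachable from guest Wi-Fi or the internet


@dataclass(frozen=True)
class Device:
    name: str
    segment: str
    patient_facing: bool           # delivers therapy or feeds real-time clinical decisions
    patchable: bool                # vendor ships fixes and the device can be taken offline for them
    open_services: frozenset       # services observed listening during the assessment
    required_services: frozenset   # services the device needs to do its job


@dataclass(frozen=True)
class Finding:
    device: str
    vuln_id: str    # scanner or CVE identifier (placeholders here)
    cvss: float     # CVSS v3 base score as reported by the scanner
    service: str    # the service the weakness lives in


def severity(score):
    """Map a 0-10 score to the article's priority levels."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Low/Informational"


def contextual_score(finding, device):
    """Adjust the scanner's base score for how the device is actually deployed.
    The weights are assumptions; the point is that the same flaw ranks differently
    on an isolated pump than on an internet-reachable gateway."""
    score = finding.cvss
    if device.segment == ISOLATED:
        score -= 2.0      # attacker must first get inside the allowlisted segment
    elif device.segment == EXPOSED:
        score += 1.5      # directly reachable from an untrusted network
    if device.patient_facing:
        score += 1.0      # exploitation can affect care, not just data
    return max(0.0, min(10.0, round(score, 1)))


def treat(finding, device):
    """Decide eliminate / mitigate / accept for one finding and explain why."""
    # Eliminate: the vulnerable service is not required, so remove the exposure
    # instead of patching around it (this is the "narrowing protocols" step).
    if finding.service in device.open_services - device.required_services:
        return "eliminate", f"disable unneeded service '{finding.service}'"
    score = contextual_score(finding, device)
    level = severity(score)
    if level != "Low/Informational":
        if device.patchable:
            return "mitigate", f"patch; contextual {level} ({score})"
        # No patch: compensating controls, which is what a monitoring partner takes on.
        return "mitigate", f"no patch available; isolate, allowlist flows, monitor; contextual {level} ({score})"
    if device.segment == ISOLATED:
        return "accept", f"contextual {level} ({score}) on an isolated segment; record and re-check next cycle"
    return "mitigate", f"contextual {level} ({score}) but device is not isolated; segment it first"


def plan(devices, findings):
    """Return findings with their treatment, highest contextual risk first."""
    rows = []
    for f in findings:
        d = devices[f.device]
        action, why = treat(f, d)
        rows.append({"device": d.name, "vuln_id": f.vuln_id, "base": f.cvss,
                     "contextual": contextual_score(f, d), "action": action, "why": why})
    return sorted(rows, key=lambda r: -r["contextual"])


def sample_inventory():
    """Constructed devices and findings (not real products or CVEs)."""
    devices = {d.name: d for d in [
        Device("infusion-pump-07", ISOLATED, True, False, frozenset({"https", "telnet"}), frozenset({"https"})),
        Device("ct-scanner-02", FLAT, False, True, frozenset({"dicom", "smb", "ssh"}), frozenset({"dicom", "ssh"})),
        Device("rpm-gateway-03", EXPOSED, True, True, frozenset({"mqtt", "https"}), frozenset({"mqtt", "https"})),
    ]}
    findings = [
        Finding("infusion-pump-07", "VULN-001", 9.8, "telnet"),
        Finding("infusion-pump-07", "VULN-002", 6.5, "https"),
        Finding("ct-scanner-02", "VULN-003", 8.8, "smb"),
        Finding("ct-scanner-02", "VULN-004", 3.1, "ssh"),
        Finding("rpm-gateway-03", "VULN-005", 7.5, "mqtt"),
        Finding("infusion-pump-07", "VULN-006", 2.0, "https"),
    ]
    return devices, findings


if __name__ == "__main__":
    for row in plan(*sample_inventory()):
        print(f"{row['contextual']:>4}  {row['action']:<9} {row['device']:<17} {row['vuln_id']}  {row['why']}")
```

Run as-is and the telnet finding on the pump, although a 9.8 on paper, is handled by disabling telnet rather than by a patch the vendor may never ship, while the 7.5 on the internet-reachable gateway climbs to the top of the list. The 2.0 on the isolated pump is the only item accepted, and it stays on the register for the next assessment cycle.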

Developing a risk-based approach to IoT and IoMT puts your organization and its network in the best possible defense position. You don’t have to go on this journey alone. Having the right partner can make it more seamless.

Improve the Health of Your Connected Medical Device Network Cybersecurity with Blue Goat Cyber

Our team has extensive experience in all aspects of connected medical device cybersecurity, including assessing IoT and IoMT. We can perform vulnerability assessments, pen tests, and compliance audits. You can tap our team to help define your cyber strategy and support remediation tasks. Contact us today to learn more.
