How can Healthcare Tackle the Security Challenges of IoT/HIoT?


The Evolution of Modern Healthcare

A greying population, growing demand for elective surgery to repair joints damaged by rising obesity and sedentary lifestyles, and earlier diagnosis of medical conditions are all increasing demand for medical intervention and healthcare services. Because most recipients of these services are already retired, and therefore net beneficiaries of state healthcare rather than contributors to health insurance or taxes, most health systems face a financial crunch in which demand vastly outstrips supply.

Developments in medical technologies and the drive for greater efficiencies in healthcare delivery are leading to increased adoption of medical and other health IoT devices. The need for nursing staff to physically check on patients every half hour has now been replaced by sophisticated patient telemetry systems that report back to a central nursing station where two or three nurses can do the work previously done by a dozen.

Indeed, advances in technology are fuelling almost exponential growth in IoT devices across health systems, helping to automate previously manual, labour-intensive processes and workflows while improving patient outcomes through better diagnosis and treatment. However, nearly all of these devices are 'connected' to the medical network, and many need to communicate directly with core healthcare IT systems such as those that manage the electronic patient record (EPR).

Healthcare IoT (HIoT), sometimes also referred to as the Internet of Medical Things (IoMT), is by and large inherently insecure. These are simple devices, usually designed for simple repetitive tasks. Many are 10 or 15 years old today, and most were never designed for the cybersecurity challenges facing providers in the 2020s. Nor have device manufacturers done a good job of supporting their devices or providing timely security updates for known vulnerabilities; many systems are never patched in their whole service life. The result is that HIoT systems represent an easy target for cyber criminals looking to establish a foothold from which to launch ransomware or exfiltrate regulated data.

Today HIoT accounts for over 75% of endpoints connected to healthcare networks. They include X-ray, CT and PET scanners, patient telemetry systems and infusion pumps, a growing number of robotic devices used in neurosurgery, pharmacy and laboratories, as well as automated building management systems that control lifts, fire alarms and the HVAC systems that maintain positive- and negative-pressure rooms for infection control.

Yet most providers have a hard time accurately understanding exactly what is connected to their networks, let alone what risk each of these endpoints poses to the confidentiality, integrity and availability of healthcare data.

Nor do most have an effective strategy for rising risks, for the lack of vendor-approved patches, or even an understanding of what software is running on their medical devices, the information a Software Bill of Materials (SBoM) is meant to provide. Too often their only option to reduce risk is to throw out millions of pounds, euros or dollars of still-working medical equipment and replace it with newer systems. Manually inventorying HIoT assets and assessing their risk has in the past required thousands of hours of work in a losing battle, as systems are powered on and off, moved around hospitals or sent home with patients; the results of such a point-in-time assessment are inaccurate and out of date almost as soon as they are written.

Securing Medical Devices & HIoT

Thankfully, advances in the next generation of IoT security tools allow providers to dynamically automate the inventory, risk analysis and risk remediation of connected HIoT assets through compensating security controls. This is accomplished using artificial intelligence (AI), machine learning (ML) and digital twin technology. Together these allow highly accurate profiling and identification of individual systems, passive risk assessment of often fragile life-sustaining equipment (active vulnerability scanning can disrupt or crash older medical devices, so assessment has to come from observing traffic and matching device models and firmware against known issues rather than probing the device), and seamless integration, automation and orchestration with existing network access control (NAC) tools.

This is a great example of how risky new medical technology is being remediated by innovative new security tools. Where security patches cannot be applied to HIoT devices, compensating controls in the form of 'enclaving' or network segmentation of medical devices serve as an effective form of remediation, reducing risk to patients and to the medical network. Segmentation does not fix the vulnerable device itself; it limits what can reach the device and what the device can reach, so the allowed paths still need monitoring. Even so, this compensating control permits the continued safe use of otherwise end-of-life medical devices and is widely accepted by regulators.
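What the inventory-plus-segmentation approach looks like in practice, as an added example rather than code from the article or from any vendor product: a small Python script that takes a passively learned device inventory and per-class peer profiles, expands them into a concrete enclave allowlist, renders that allowlist as ACL lines, and audits observed flows for anything that escapes the policy or comes from an address the inventory has never seen. All device names, addresses, profiles and flow records are constructed for the example, and the class profiles are deliberately simplified (real baselines are learned per model and firmware version).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    name: str      # hypothetical asset name
    ip: str
    kind: str      # device class as learned by passive profiling
    enclave: str   # segment the NAC should place the device in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed inventory for the example (names and RFC 1918 addresses are
# made up). In practice this comes from passive discovery, not a scan.
INVENTORY: List[Device] = [
    Device("pump-ward3-01", "10.20.3.11", "infusion_pump", "enclave-pumps"),
    Device("pump-ward3-02", "10.20.3.12", "infusion_pump", "enclave-pumps"),
    Device("ct-radiology-1", "10.20.7.5", "ct_scanner", "enclave-imaging"),
    Device("pump-srv", "10.20.100.10", "pump_server", "clinical-servers"),
    Device("pacs-srv", "10.20.100.20", "pacs", "clinical-servers"),
    Device("ntp-srv", "10.20.100.30", "ntp", "infra-servers"),
]

# Expected peers per device class: (peer class, destination port, protocol).
# Constructed here; a real deployment learns these from baseline traffic
# per model and firmware version.
PROFILES: Dict[str, Set[Tuple[str, int, str]]] = {
    "infusion_pump": {("pump_server", 443, "tcp"), ("ntp", 123, "udp")},
    "ct_scanner": {("pacs", 11112, "tcp"), ("ntp", 123, "udp")},
}

Rule = Tuple[str, str, int, str]  # (src_ip, dst_ip, dport, proto)


def build_allowlist(inventory: List[Device],
                    profiles: Dict[str, Set[Tuple[str, int, str]]]) -> Set[Rule]:
    """Expand class-level profiles into concrete per-device allow rules.

    Every profiled device may reach every inventoried peer of the expected
    class on the expected port; nothing else is permitted out of its enclave.
    """
    by_kind: Dict[str, List[Device]] = defaultdict(list)
    for dev in inventory:
        by_kind[dev.kind].append(dev)
    rules: Set[Rule] = set()
    for dev in inventory:
        for peer_kind, port, proto in profiles.get(dev.kind, set()):
            for peer in by_kind.get(peer_kind, []):
                rules.add((dev.ip, peer.ip, port, proto))
    return rules


def to_acl_lines(rules: Set[Rule]) -> List[str]:
    """Render rules as Cisco-style ACL entries, sorted for stable diffs."""
    return sorted(f"permit {proto} host {src} host {dst} eq {port}"
                  for src, dst, port, proto in rules)


def audit_flows(flows: List[Flow], inventory: List[Device],
                profiles: Dict[str, Set[Tuple[str, int, str]]]) -> List[Tuple[str, Flow]]:
    """Flag flows that escape a profiled device's enclave policy and flows
    from addresses missing from the inventory (a discovery gap)."""
    allow = build_allowlist(inventory, profiles)
    known = {d.ip for d in inventory}
    profiled = {d.ip for d in inventory if d.kind in profiles}
    findings: List[Tuple[str, Flow]] = []
    for f in flows:
        if f.src not in known:
            findings.append(("unknown_source", f))
        elif f.src in profiled and (f.src, f.dst, f.dport, f.proto) not in allow:
            findings.append(("policy_escape", f))
    return findings


# Constructed flow records, as a SPAN port or NetFlow export would supply.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.20.3.11", "10.20.100.10", 443, "tcp"),    # pump -> pump server: expected
    Flow("10.20.3.11", "10.20.100.30", 123, "udp"),    # pump -> NTP: expected
    Flow("10.20.3.12", "10.20.100.20", 445, "tcp"),    # pump -> PACS over SMB: escape
    Flow("10.20.7.5", "10.20.100.20", 11112, "tcp"),   # CT -> PACS DICOM: expected
    Flow("10.20.7.5", "10.20.3.11", 22, "tcp"),        # CT -> pump SSH: escape
    Flow("10.20.9.99", "10.20.100.10", 443, "tcp"),    # address not in inventory
]

if __name__ == "__main__":
    for line in to_acl_lines(build_allowlist(INVENTORY, PROFILES)):
        print(line)
    for reason, flow in audit_flows(SAMPLE_FLOWS, INVENTORY, PROFILES):
        print(f"{reason}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Two design points matter here. The allowlist is derived from device class, not from whatever the device happened to talk to last week, so a pump that starts reaching a file server over SMB is a finding rather than a new baseline. And flows from unknown sources are reported separately, because in a hospital the inventory gap (a device wheeled in from another ward, or brought back from a patient's home) is as much a risk as a policy escape.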

Longer term, we need new regulation to force device manufacturers to design and build more secure systems, to publish an SBoM of what goes into each device so that hospital security teams are not left in the dark, to perform regular risk assessments of their systems, and to make patches and updates available to customers, in this case healthcare providers, in a timely manner. Without regulation it is doubtful that manufacturers will move from their current stance.

The second thing that needs to happen is that medical devices need to be designed not for obsolescence, as they are at present, but for future extensibility. This means oversizing CPU, ROM, RAM and any local storage rather than taking a minimalist approach that caters only to today's operating system and application requirements, so that embedded OS upgrades and security updates to the applications running on these systems can be supported over the device's life. Cybersecurity needs to be a core design consideration from the outset rather than the afterthought it has been until now. This should include the security of the hardware and software supply chains, to ensure systems are not already back-doored when delivered, and an operating plan to support devices with upgrades throughout their published lifespan. This will no doubt moderately increase device purchase prices, but it will hugely reduce provider support costs and risks to patients.

Finally, the medical device approval process needs to be streamlined and condensed. Today it takes three to seven years on average to bring a medical device from concept to approval to market, although much depends on the type of device (Class I, II or III) and whether it is considered low, moderate or high risk to patients. Only in the last few years has FDA pre-market guidance to manufacturers included cybersecurity, and this is mirrored in many ways by post-market security guidance to the providers responsible for keeping devices secure in service.

Plainly, device manufacturers, regulators and customers of medical devices all have some catching up to do in order to reduce the growing risk that cyberattacks on healthcare pose to patients. However, given that HIoT devices have much longer lifespans than traditional IT systems such as PCs and laptops, it may take many years, and many creative new compensating security controls, to mitigate risk until a new generation of medical and other healthcare IoT devices dominates provider establishments.

About the author

Richard Staynings, Chief Security Strategist, at Cylera is a globally renowned thought leader, author, public speaker, and international luminary for healthcare cybersecurity. He has served on numerous working groups and boards and has helped governments and private providers formulate long term strategies and tactical action plans for improved cybersecurity and patient safety across the industry and across the world.