IoT in healthcare, sometimes also referred to as the Internet of Medical Things (IoMT), can include simple devices designed for repetitive tasks, as well as highly important devices used for administering critical care and lifesaving drugs. There are thousands of these devices in use in healthcare settings up and down the country. The problem lies in the fact that many IoMT devices lack cybersecurity provisions and are becoming increasingly insecure.
Much of the issue stems from the age of the devices being used, many of them five, ten or fifteen years old. They were never designed for the cybersecurity challenges we face today. On top of the age of these IoMT devices, manufacturers haven’t done much to protect them or to provide timely cybersecurity updates for known vulnerabilities.
Many systems are never patched during their entire lifetime, so these devices often offer an easy target for cyber criminals looking to establish a foothold from which to launch ransomware and extract regulated data for monetary gain.
Today, IoMT accounts for over 75% of endpoints connected to healthcare networks. These include X-ray, CT and PET scanners, patient telemetry systems and infusion pumps, a growing number of robotic devices used for neurosurgery, pharmacy and laboratory work, as well as automated building management systems that control lifts, fire alarms and the HVAC systems that maintain positive and negative air pressure rooms for pandemic disease control.
What does poor IoMT cybersecurity and a lack of digital hygiene in healthcare look like?
It has been reported by the Interim CIO at NHSX that 21 million items of malicious activity get blocked every month within the NHS. As the largest employer in the world, the NHS will always be a target for cybercrime due to the sheer value of its medical data. At present, 30% of the world’s data is generated through the healthcare sector, and this is due to increase to 36% by 2025. To better prepare our healthcare systems in 2023, what we need is to address cybersecurity throughout each IoMT device’s lifecycle in a preventative and proactive way, as well as incorporate an approach that puts cybersecurity measures and digital hygiene at the centre of each organisation’s infrastructure.
A lack of a strong authentication process
Most technology requires a password, but IoMT doesn’t typically require authentication for use. A heart monitor, for example, is put on a patient and simply starts recording their cardiac activity. A medical professional can then access the data and, in many cases, does not need a password to see it. This is something that can be easily remedied by the IT department of a clinic or hospital, but it’s important to remember that when it comes to authentication, relying on weak passwords is almost as bad as not having a password at all. With 82% of breaches involving a human element, and with poor credentials being the primary means by which a hacker can infiltrate an organisation’s data, training healthcare staff to keep passwords safe and secure, and to avoid simple, easy-to-guess passwords, is paramount to ensuring good cyber hygiene in the healthcare sector. A medical IT department should set up strong authentication protocols, such as multi-factor authentication (MFA), to help avoid these breaches.
The ability to access IoMT devices from an external device
Connected medical devices are designed to be accessed via other devices, such as smartphones. This offers an attacker another direct route into the medical device itself, from where they could further infiltrate healthcare data. Once again, strong authentication processes can help mitigate this, but so can strong physical security around the devices themselves. We tend to think of cyberattacks as something that happens only online, but it’s possible, for example, that an attacker might steal a laptop from an unsecured location in a hospital and get access to medical data that way. Ensure your cybersecurity protocols mean that only authorised personnel can access computers and other devices with IoMT access.
Buggy or unpatched software
Cybercriminals rely on the delayed patching of software. Bad actors know the flaws in your software, and they also know when security patches are being pushed out. Make sure cybersecurity patches are promptly installed so that criminals don’t exploit the IoMT weaknesses they read about in the release notes of the latest updates. Many IoT medical devices are never patched during their entire lifespan, and even where a patch exists, critical updates are delayed because they need to be thoroughly tested to make sure they do not interfere with the function of the device. The fact that a medical device can easily be twice the age of a PC reveals a weak spot that cyber criminals are waiting to act on.
Unsecured network access
When your IoMT devices sit on the same network as the rest of your infrastructure, you open yourself up to attacks on not just your IoMT devices but the entire system. Prevent this by segmenting your network and dedicating one segment to the IoMT alone, with access into that segment limited to the hosts that genuinely need it. That way, if an attack on your devices happens, it stays contained in one area of your network.
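The segmentation advice above is easy to state and easy to drift away from: a pump gets re-addressed onto the clinical workstation VLAN, or a broad "corporate to IoMT" allow rule is added for convenience. The following script is an added example, not code from the article or from Core to Cloud, showing how a defender can lint an asset inventory and a firewall rule list against a segmentation policy. The segment plan, the endpoint inventory, the rules and the single management host (10.10.5.10) are all constructed, hypothetical data.

```python
"""Segmentation policy check for an IoMT network.
Added example with constructed data; not code from the original article."""
import ipaddress
from dataclasses import dataclass

# Constructed segment plan: IoMT devices must live in 10.30.0.0/16, and the
# only non-IoMT host allowed to reach that segment is one management jump host.
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "clinical-workstations": ipaddress.ip_network("10.20.0.0/16"),
    "iomt": ipaddress.ip_network("10.30.0.0/16"),
}
IOMT_TYPES = {"infusion-pump", "telemetry", "ct-scanner", "bms-controller"}
MGMT_HOST = ipaddress.ip_address("10.10.5.10")  # hypothetical jump host


@dataclass
class Endpoint:
    name: str
    ip: str
    kind: str


@dataclass
class Rule:
    src: str      # CIDR or single address
    dst: str
    port: int     # 0 means "any port"
    action: str   # "allow" or "deny"


# Constructed inventory: one telemetry unit has been misplaced on the workstation VLAN.
ENDPOINTS = [
    Endpoint("pump-ward3-07", "10.30.4.7", "infusion-pump"),
    Endpoint("telemetry-icu-02", "10.20.1.15", "telemetry"),
    Endpoint("nurse-ws-12", "10.20.3.12", "workstation"),
    Endpoint("bms-hvac-01", "10.30.9.1", "bms-controller"),
]

# Constructed firewall policy: the whole corporate segment has been allowed into IoMT on 443.
RULES = [
    Rule("10.10.5.10", "10.30.0.0/16", 22, "allow"),
    Rule("10.10.0.0/16", "10.30.0.0/16", 443, "allow"),
    Rule("10.20.0.0/16", "10.30.0.0/16", 0, "deny"),
    Rule("10.30.0.0/16", "10.30.0.0/16", 0, "allow"),
    Rule("10.20.0.0/16", "10.20.0.0/16", 443, "allow"),
]


def segment_of(ip):
    """Return the segment name an address falls in, or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def misplaced_devices(endpoints):
    """IoMT devices that are not addressed inside the IoMT segment."""
    return [e.name for e in endpoints
            if e.kind in IOMT_TYPES and segment_of(e.ip) != "iomt"]


def overly_permissive_rules(rules):
    """Allow rules that reach into the IoMT segment from outside it and are
    broader than the single sanctioned management host."""
    iomt = SEGMENTS["iomt"]
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        if not dst.overlaps(iomt):
            continue                      # rule does not touch the IoMT segment
        if src.subnet_of(iomt):
            continue                      # intra-segment traffic is out of scope here
        if src.num_addresses == 1 and src.network_address == MGMT_HOST:
            continue                      # the one sanctioned management path
        findings.append(f"{r.src} -> {r.dst}:{r.port}")
    return findings


def report(endpoints=ENDPOINTS, rules=RULES):
    return {"misplaced_devices": misplaced_devices(endpoints),
            "permissive_rules": overly_permissive_rules(rules)}


if __name__ == "__main__":
    for key, items in report().items():
        print(key)
        for item in items:
            print("  -", item)
```

Run it against a real inventory export and firewall ruleset (after mapping them into the two dataclasses) on a schedule; a non-empty result from either check is a segmentation regression worth a ticket before it becomes an incident.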
Lost devices
The problem with devices is that they can be lost. It’s easy to put a phone down, or take off a smartwatch, and not be able to find it again. The same is true of some IoMT devices. Either they can be stolen from a medical facility, or a person with a medical device may take it offsite and lose it. It’s important to put processes in place to ensure that devices are difficult to lose, and to have a plan in place for when devices go missing. Strong authentication, tracking and similar methods are a way to make sure lost devices don’t become gateways into your health organisation’s IT infrastructure.
Despite the widespread prevalence of these crucial systems within our healthcare settings, most providers have a hard time accurately understanding what, exactly, is connected to their network, let alone what risk each of these endpoints represents to the confidentiality, integrity and availability of healthcare data. Nor do many of them have an effective strategy to address rising risks, including a protocol of preventative measures to mitigate them in the first instance. A lack of vendor-approved patches, and limited understanding of what specifically is running on medical devices, increases the need for a Software Bill of Materials (SBOM) within healthcare.
Software bills of materials (SBOMs) enable healthcare organisations to manage medical device security risks while promoting transparency between manufacturers and providers. With threats mounting, breaches at a record high and a sheer lack of cybersecurity and digital hygiene in healthcare settings, what good looks like within our healthcare sector depends heavily on the level of cybersecurity and digital hygiene not only built into an organisation’s infrastructure, but also on how it is upheld and maintained by the staff within it.
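An SBOM only manages risk if someone actually reads it against an advisory feed. The following is an added example, not code from the article or from any device vendor, showing the triage step: a minimal CycloneDX-style SBOM for a hypothetical infusion pump firmware image is matched against a list of advisories and a component policy, and the affected components are returned ranked by severity. The SBOM, the component versions, the advisory identifiers (ADV-PLACEHOLDER-*) and the "fixed in" versions are all constructed placeholders and do not refer to real vulnerabilities; in practice the advisory list would come from the manufacturer or a vulnerability database.

```python
"""Match a device's SBOM against an advisory feed and a component policy.
Added example with constructed data; not code from the original article."""
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical infusion pump firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-firmware", "version": "4.2.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2k"},
    {"type": "library", "name": "busybox", "version": "1.31.1"},
    {"type": "library", "name": "libcurl", "version": "7.64.0"},
    {"type": "application", "name": "telnetd", "version": "1.31.1"}
  ]
}"""

# Constructed advisory list with placeholder identifiers, NOT real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "openssl", "fixed_in": "1.1.1", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-002", "component": "libcurl", "fixed_in": "7.70.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-003", "component": "busybox", "fixed_in": "1.30.0", "severity": "medium"},
]

# Constructed policy: components a hospital might refuse on a connected device
# regardless of version, because they expose cleartext remote access.
DENYLIST = {"telnetd": "cleartext remote shell service present in firmware"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    """Split '1.0.2k' into a comparable tuple: numeric parts compare as integers,
    and a letter suffix sorts after the bare number it follows."""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", v):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def is_affected(version, fixed_in):
    """True when the installed version is older than the version carrying the fix."""
    return parse_version(version) < parse_version(fixed_in)


def triage(sbom_json, advisories, denylist):
    """Return findings for every SBOM component that is affected by an advisory
    or is on the component denylist, most severe first."""
    sbom = json.loads(sbom_json)
    device = sbom["metadata"]["component"]["name"]
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["fixed_in"]):
                findings.append({"device": device, "component": name, "version": version,
                                 "id": adv["id"], "severity": adv["severity"],
                                 "note": f"fixed in {adv['fixed_in']}"})
        if name in denylist:
            findings.append({"device": device, "component": name, "version": version,
                             "id": "POLICY-DENYLIST", "severity": "high",
                             "note": denylist[name]})
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))  # stable sort
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, DENYLIST):
        print(f"{f['severity']:8} {f['device']}: {f['component']} {f['version']} "
              f"({f['id']}) - {f['note']}")
```

Two design points: the version parser treats a letter suffix as a later release than the bare number, which matches the convention used in the constructed openssl entry but should be checked against each vendor's own scheme; and the denylist runs independently of the advisory feed, because the risk of a component such as a cleartext remote shell does not depend on a known bug in it.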
Written by Phil Howe, Chief Technology Officer at Core to Cloud