Two of the greatest unmitigated risks today in the healthcare sector are the security of medical and other Internet of Things (IoT) devices and third-party vendor management (TPVM) including supply chain security. Covid-19 taught us that the integrity and availability of supply chains could be very unpredictable with the delivery of sub-par PPE or none at all. Rising geopolitical tensions and blockages of shipping routes have brought about new practices including near-shoring and safe-shoring, while the integrity of both the hardware and software supply chain have recently been challenged with extra substrates discovered in motherboards manufactured in China and numerous easily compromised backdoors built into the firmware of all sorts of computer devices.
IoT, and in particular medical devices, have long been acknowledged as the open window to healthcare security. Until recently, little attention or consideration was given to cybersecurity in the design of Internet of Medical Things (IoMT) systems, and no plan or provision was made to patch or upgrade devices once manufactured. These systems typically have a long lifespan and are amortised by providers over decades rather than over the few years a Windows workstation usually lasts. This means that security vulnerabilities compound over time, in many cases leading to extreme risks before devices are scrapped and replaced. They also have very lengthy and complex supply chains: hundreds of components from thousands of discrete vendors, sourced from all over the world, go into their manufacture. Today it is often impossible to identify who wrote the firmware that controls a device camera or a network interface card, for example, so remediating identified risks becomes very difficult. The design limitations of IoT systems, combined with their complex extended supply chains, unfortunately turn IoMT risk into the perfect storm.
Supply Chain Risk
According to Gartner, by 2025 45% of organisations globally will have had their software supply chains breached, a threefold increase from 2021. Some of the most dangerous attacks over the last five years have been on the supply chain including the infamous SolarWinds attack, a 2020 Russian intelligence FSB data hack that affected 18,000 customers, including government agencies.
Another headline-grabbing supply chain attack was the infamous 2017 ‘Not Petya’ attack, the single most destructive and expensive cyberattack of all time. It destroyed the computer systems of many of the world’s largest corporations and is believed to have caused between $10bn and $12bn in damages. Targeting M.E.Doc, a popular Ukrainian tax-accounting application, this software supply chain attack spread way beyond Ukraine and was eventually attributed to the Russian military GRU.
In the healthcare sector, NHS 111 was the victim of a brutal ransomware attack in 2022 after Russian Lockbit ransomware criminals infiltrated Advanced, a tech company providing software for various parts of the health service. This attack caused significant disruption to NHS services including patient referrals, ambulance dispatch, appointment bookings and emergency prescriptions.
IoMT Security
As the healthcare sector continues to invest in automation, and in particular in a growing number and variety of IoT and IoMT devices, its attack surface is greatly expanding. Securing these devices and their supply chain has therefore become a priority. The global IoT in healthcare market is set to grow by 17.8% annually between now and 2028, meaning these risks will continue to grow unless addressed.
The benefits of IoT devices in healthcare are considerable. They range from patient telemetry systems, infusion devices used to deliver drugs, ventilators to keep patients alive, and diagnostic machines like MRI scanners and X-ray machines, all the way to HVAC systems that contain airborne pathogens like Covid-19 in a hospital environment.
On average, healthcare organisations have more than 26,000 network-connected devices, 75% of which are IoT and unmanaged by IT staff, whose job it is to manage and patch Windows-based PCs. This makes IoMT a risky proposition to manage. However, the biggest challenge for healthcare is the complexity of these connected networks together with a lack of visibility of what’s residing on each system.
Many hospitals don’t know what connects to their networks, leaving them open to attack and an easy target. What’s worse, most medical devices aren’t designed with security in mind, but rather for clinical use and safety. They were tested by the Food and Drug Administration (FDA) for clinical safety and functionality, and if they passed the test, were approved for use on patients.
All of these thousands of endpoints to critical patient care systems need protecting against the risks of threat actors compromising the device and wider network. And for this to happen, healthcare not only needs to be able to find, assess and secure its IoT devices fast, but the industry and patients need reassurance that a device meets regulations and is secured against the threat of a cyberattack.
IoMT Regulations
Medical Devices are regulated first and foremost by the US Food and Drug Administration (FDA), since most medical devices are designed and manufactured in the USA from components sourced from all over the world. FDA rules are then mostly adopted locally and embodied into MHRA rules in the UK, TGA rules in Australia, etc.
In 2022, the US Congress passed the PATCH Act, designed to greatly improve the security of medical devices. Much of this act was embodied into new FDA rules which went into effect in 2023. MHRA, TGA, etc., are all in the process of updating local rules to reflect these FDA changes. The new rules place a greater responsibility on medical device manufacturers to design their devices securely, to make them extensible for future upgrades and patching, to test and publish vulnerability disclosures for each of their devices, and to build, test, and release security patches in a timely manner for those who run and manage medical devices in a delivery setting. The changes also include a provision for the FDA to refuse to accept new devices that fail to meet these requirements. It is highly unlikely that a medical device not approved by the FDA would be approved elsewhere, so this is a global game changer for the healthcare industry and will greatly help to drive improvements in IoMT cybersecurity for new devices.
While the new FDA rules are welcomed, and somewhat overdue, they are not retroactive and do not apply to devices approved prior to the Refusal to Accept rule’s implementation date of 1st October 2023. This leaves, potentially, millions of older unmanaged and unpatched devices vulnerable to cyberattack. Given a 15-to-20-year lifespan for medical devices, this suggests that IoMT may remain a security liability for many years to come.
To mitigate the risks to these devices, healthcare must adopt a different security strategy, one that includes compensating security controls such as network micro-segmentation policies to isolate connected medical devices in pre-defined network zones, and a zero trust approach for high-risk connected assets. The strategy should also include real-time device inventories that provide a comprehensive record of every healthcare IoT device, including manufacturer, model, operating system, software, firmware, usage, and more, and that capture both known and unknown devices, providing continuous visibility and monitoring of all IoT devices.
Being able to dynamically capture and profile healthcare IoT devices on the network, even new and previously unknown ones, will give healthcare IT teams the evidence, and therefore the confidence, to hold manufacturers of connected medical devices accountable when vulnerabilities are found.
Hospitals also need to ensure that medical device manufacturers patch systems regularly and disclose vulnerabilities quickly, and to log with procurement any manufacturer which claims it doesn’t have a patch for identified device vulnerabilities. This will help the organisation to track which manufacturers are the most compliant. Vendors that fail to secure their devices can thus be eliminated from preferred supplier lists and become ineligible to lease or sell their devices in future.
Finally, by providing a real-time view of the status of risks, vulnerabilities and any missing patches, providers can validate where patches have been successfully applied and risks remediated. They can also quickly identify any devices that have been missed or where a patch needs to be re-applied. This validation capability allows hospitals to better manage manufacturers and any third parties who manage devices for them, ensuring that agreed tasks have been fully completed to satisfaction.
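The strategy described in the preceding paragraphs (a real-time inventory that separates known from unknown devices, micro-segmentation zones by device type, a procurement log of vendors with no patch available, and validation of which devices still carry a missing patch) can be reduced to a small reconciliation routine. The following is an added example written for this article, not code from the author or from Cylera; every device record, manufacturer, model, advisory identifier and zone name in it is constructed for illustration, and the matching of devices to advisories by manufacturer, model and firmware version is an assumed simplification of how a real asset-intelligence platform would work.

```python
"""Reconcile a healthcare IoT inventory against what is actually seen on the network,
assign micro-segmentation zones, and report missing patches per device and vendor.

Added example: all device records, advisories and zone names below are constructed
for illustration; nothing here is a real manufacturer, model or advisory number.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Device:
    mac: str            # network identity used to join inventory and observations
    manufacturer: str
    model: str
    device_type: str    # e.g. "infusion_pump", "imaging", "hvac"
    firmware: str       # dotted version string
    location: str = ""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # constructed id, not a real CVE or vendor advisory
    manufacturer: str
    model: str
    affected_below: str         # firmware versions strictly below this are affected
    fixed_version: Optional[str]  # None means the vendor has published no patch


def version_key(v: str) -> tuple:
    """'2.10.1' -> (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# --- constructed sample data (hypothetical devices, vendors and advisories) ----
INVENTORY = [
    Device("00:11:22:aa:bb:01", "ExampleMed", "IP-200", "infusion_pump", "2.3.1", "Ward 4"),
    Device("00:11:22:aa:bb:02", "ExampleMed", "IP-200", "infusion_pump", "2.5.0", "Ward 4"),
    Device("00:11:22:cc:dd:01", "ScanCo", "MR-7", "imaging", "1.0.4", "Radiology"),
    Device("00:11:22:ee:ff:01", "AirCorp", "AH-1", "hvac", "4.2.0", "Plant room"),
]

# What passive network discovery saw: (mac, ip). The last MAC is not in the inventory.
OBSERVED = [
    ("00:11:22:aa:bb:01", "10.20.1.11"),
    ("00:11:22:aa:bb:02", "10.20.1.12"),
    ("00:11:22:cc:dd:01", "10.20.2.5"),
    ("00:11:22:99:99:99", "10.20.1.40"),   # previously unknown device
]

ADVISORIES = [
    Advisory("ADV-EX-0001", "ExampleMed", "IP-200", affected_below="2.4.0", fixed_version="2.4.0"),
    Advisory("ADV-EX-0002", "ScanCo", "MR-7", affected_below="1.1.0", fixed_version=None),
]

# Micro-segmentation policy: device type -> zone. Anything not in inventory is quarantined.
ZONE_POLICY = {"infusion_pump": "clinical-iomt", "imaging": "imaging-iomt", "hvac": "building-ot"}
QUARANTINE_ZONE = "quarantine"


def reconcile(inventory, observed):
    """Split observed endpoints into known (in inventory) and unknown (need investigation)."""
    by_mac = {d.mac for d in inventory}
    known, unknown = [], []
    for mac, ip in observed:
        (known if mac in by_mac else unknown).append((mac, ip))
    return known, unknown


def assign_zone(mac, inventory):
    """Zone for a MAC under ZONE_POLICY; unknown devices and unknown types are quarantined."""
    dev = next((d for d in inventory if d.mac == mac), None)
    if dev is None:
        return QUARANTINE_ZONE
    return ZONE_POLICY.get(dev.device_type, QUARANTINE_ZONE)


def missing_patches(inventory, advisories):
    """Map each device MAC to the advisory ids it is still exposed to (empty entries omitted)."""
    result = {}
    for d in inventory:
        hits = [a.advisory_id for a in advisories
                if a.manufacturer == d.manufacturer and a.model == d.model
                and version_key(d.firmware) < version_key(a.affected_below)]
        if hits:
            result[d.mac] = hits
    return result


def vendors_without_patch(advisories):
    """Manufacturers with an open advisory but no published fix, for the procurement log."""
    return sorted({a.manufacturer for a in advisories if a.fixed_version is None})


def apply_patch(inventory, mac, new_firmware):
    """Return a new inventory snapshot with one device's firmware updated."""
    return [replace(d, firmware=new_firmware) if d.mac == mac else d for d in inventory]


def validate_remediation(before, after, advisories):
    """Compare two snapshots: devices now clean vs devices still carrying a missing patch."""
    gaps_before, gaps_after = missing_patches(before, advisories), missing_patches(after, advisories)
    return sorted(set(gaps_before) - set(gaps_after)), sorted(gaps_after)


if __name__ == "__main__":
    known, unknown = reconcile(INVENTORY, OBSERVED)
    print("unknown devices to investigate:", unknown)
    for mac, ip in OBSERVED:
        print(mac, ip, "->", assign_zone(mac, INVENTORY))
    print("missing patches:", missing_patches(INVENTORY, ADVISORIES))
    print("vendors with no patch available:", vendors_without_patch(ADVISORIES))
    patched = apply_patch(INVENTORY, "00:11:22:aa:bb:01", "2.4.0")
    print("remediated / still open:", validate_remediation(INVENTORY, patched, ADVISORIES))
```

The unknown MAC is placed in the quarantine zone rather than in a clinical zone by default, which is the practical form of the zero trust stance the article describes for high-risk assets; the `vendors_without_patch` output is what would be logged with procurement, and `validate_remediation` is the before/after check that a patch reported as applied actually cleared the advisory.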
By Richard Staynings, Chief Security Strategist at Cylera, global leaders in healthcare IoT asset intelligence and security solutions that optimise care delivery, service availability and cyber defenses across diverse connected medical devices and infrastructure.