The healthcare industry has undergone significant transformation with the emergence of the Internet of Medical Things (IoMT) devices. These devices ranging from wearable monitors to network imaging systems collect and process vast amounts of sensitive medical data based on which they make critical decisions about patients’ health. But at the same time, they also raise serious privacy and security concerns.
Cybercriminals often target vulnerabilities within these devices to gain entry into the hospital network and compromise healthcare data. Attacks on these interconnected devices cause life-threatening harm to patients, disrupt services, and bring financial and reputational costs to medical centers.
As hackers increasingly target IoMT devices and present significant threats to medical organizations, it is crucial to combat these risks and ensure patient safety.
Current Security Landscape of Medical Connected Devices
The global healthcare medical device market is expected to reach $332.67 billion by 2027. The acceleration in IoMT adoption shows that the healthcare industry found this technology useful. However, this innovation also carries possible threats and challenges. Below is an insight into the key security challenges that these IoT devices come with:
Ransomware Attacks
Cybercriminals often target medical devices and networks to access sensitive information like protected health information (PHI) and electronic health records (EHR). They even steal this information to put it up for sale on the dark web and, in return, demand hefty ransom.
For instance, in the crippling ransomware attack against Change Healthcare, the criminal gang ALPHV/Blackcat stole 4TB of patients’ records and affected one-third of people living in the USA. The stolen data was up for sale on the black market until hackers received $22 million as a ransom payment. Such incidents erode patients’ trust and cause healthcare organizations to face HIPAA violations ranging from $100 to $50,000 per violation.
Vulnerabilities Exploitation
Medical devices such as infusion pumps or pacemakers are not designed with security in mind. As a result, they may come with security vulnerabilities that hackers can exploit to get unauthorized access to medical data. For example, the Nozomi Network Lab found several security flaws within the GE Healthcare Vivid Ultrasound family that hackers can exploit to launch ransomware attacks and manipulate patients’ data.
Previously, the Palo Alto Network discovered 40 vulnerabilities and more than 70 security alerts in infusion pumps, putting them at risk of leaking sensitive information. Similarly, McAfee researchers identified significant vulnerabilities in two types of B.Braun infusion pumps that could enable hackers to deliver a lethal dosage of medications to suspected patients. Although no affected case was reported, this event highlighted the gaps in medical device security and the need for improvement.
Outdated and Unpatched Medical Devices
Outdated systems remain a top challenge for medical IoT as healthcare organizations continue to rely on legacy systems. Many of these devices aren’t designed with security in mind and stay in use for years and even decades.
The device manufacturers are reluctant to upgrade the system software because it’s expensive. This increases the risk of security flaws remaining undiscovered and unpatched, making the device more prone to cyber-attacks. These outdated devices serve as an entry point for hackers to access patients’ data and disrupt healthcare operations.
High-Risk Devices
The FBI cyber division has warned that the average healthcare device has 6.2 vulnerabilities, and 53% have active critical vulnerabilities. Unfortunately, the security teams can only address 5-20% of known vulnerabilities each month while new vulnerabilities are constantly added. This makes these devices highly valuable to hackers.
Forescout Research, in its Riskiest Connected Devices in 2024, named the five riskiest IoMT devices in 2024. This includes:
- Medical information systems
- Electrocardiograph machines
- DICOM workstations
- Picture archiving and communication systems (PACS)
- Medication-dispensing systems
Researchers have warned that these devices could pose enormous risks to patient lives and personal information. For instance, the report found that DICOM and PACS are used in medical imaging, often run on legacy IT operating systems, and are unencrypted. This could allow attackers to tamper with medical images and even spread malware.
Supply Chain Issues
Hackers can exploit flaws in the supply chain mainly through exploiting unpatched vulnerabilities to disrupt healthcare operations and patient care. One example is the cyber attack on Swedish software firm Ortivus, which impacted at least two ambulance services across the UK without access to electronic patient records. The incident highlighted the flaws in supply chain security and required healthcare providers to ensure that their vendors are secure and resilient against such attacks.
The Future of Medical IoT Security
Investing in emerging technologies like blockchain technology and zero-trust framework can enhance healthcare organizations’ security posture. These technologies have advanced ability to detect risks within medical devices, prevent unauthorized access, and ensure compliance.
Embracing Blockchain Technology
Blockchain technology plays a vital role in securing patient health records and ensuring privacy. It offers a secure and decentralized platform where each block links to the previous one, ensuring the information remains unchanged for storing sensitive healthcare data. By encrypting and distributing the data across the healthcare network, blockchain ensures that records are accessible to only authorized parties. This reduces the risk of data breaches, improves patients’ trust, and helps comply with regulations like HIPAA.
The security and transparency provided by blockchain technology is an ideal structure for transmitting Electronic Health Records (EHRs) and other medical data among connected devices. Blockchain’s cryptographic protections make transfers more secure than conventional encryption, preventing tampering and risk of data breaches. This also ensures that healthcare professionals can access updated patient information, which improves diagnosis and reduces the risk of errors.
Healthcare organizations might use blockchain technology to optimize the IoT supply chain, providing end-to-end traceability and visibility. Blockchain records each step of the supply chain from manufacturing to delivery and ensures that medical supplies are authentic. This tracking allows healthcare professionals to verify where their IoMT endpoints come from. They could then hold third-party providers to higher standards, ensure they only use secure devices, and prevent supply chain attacks.
However, medical organizations incorporating blockchain systems must consider the limitations it poses. Blockchains consume considerable energy, which can be an issue for facilities with limited hardware. Medical centers must review their network resources before implementing blockchain technology. Also, it’d be best to consult blockchain experts to ensure these networks won’t consume much of the system’s capacity.
Implementing Zero-Trust Framework
Zero Trust has emerged as a great security strategy that prevents unauthorized access to healthcare data. This security framework requires both internal and external users to authenticate, authorize, and verify for security configuration and posture before getting access to apps and data.
Network segmentation is an integral principle of ZTNA that improves IoMT security by categorizing devices based on their risk level, function, and data sensitivity. For instance, it isolates critical medical devices from less critical ones, preventing lateral movement by attackers and the impact of a potential breach.
The ZTNA approach also adheres to the principle of least privilege, restricting the access rights of users and devices to the minimum privilege to perform their tasks. By enforcing access control policies, ZTNA limits the opportunities for hackers to exploit vulnerable IoT devices and thus reduces the attack surface.
Apart from this, the zero-trust framework allows medical professionals to identify and gain visibility into what devices are connected to their networks and the resources they access. It involves real-time tracking and behavioral analysis of medical devices, triggering alerts for deviations from typical patterns. It then notifies the security teams to respond to threats promptly. This way, ZTNA limits network traffic for unauthorized devices and maintains a secure IoT environment.
On the downside, ZTNA implementation may cause significant costs, posing challenges for organizations with limited budgets. Once implemented, medical professionals must also continuously verify their identity to access data or communicate with patients. Professionals familiar with the traditional security model find it frustrating and affecting productivity, so they resist transitioning to ZTNA. By running zero-trust trials and training employees about the value of ZTNA, healthcare organizations can overcome these challenges.
The Need for Advanced Measures to Boost IoMT Security
Healthcare organizations must take proactive steps to protect interconnected medical devices from potential risks. Here are some measures security teams should take to reduce their exposure and create a safe place for patients and staff:
- Evaluate the security measures implemented by medical IoT device vendors. The vendor assessment activities include checking access controls, encryption, software patching, and vulnerability management processes to ensure visibility and help mitigate potential risks.
- Utilize healthcare phone systems so healthcare organizations can focus on critical security measures while ensuring secure communication between medical devices and efficiently managing patient inquiries.
- Security teams must follow industry standard guidelines for medical devices described by FDA, NIST, IMDRF, and ISO. These initiatives establish cybersecurity principles and technical standards to guide healthcare providers and manufacturers in addressing security risks.
- Manufacturers should consistently release software updates, firmware, and patches. The security teams must promptly apply the patches and updates to protect against known threats or new vulnerabilities.
- Security awareness training should be an ongoing process instead of a one-time event. Healthcare professionals should receive regular training as this empowers them to detect, respond, and mitigate security threats effectively.
- Conduct a comprehensive risk assessment for each connected medical device to identify vulnerabilities and potential weak points. Categorize threats by severity and implement immediate actions to address high-risk issues.
Final Thoughts
The Internet of Medical Things (IoMT) is an intuitive innovation within the healthcare industry that aims to revolutionize patient care and healthcare management. With these devices, medical professionals can streamline healthcare processes and improve the quality of patient care.
As the reliance on medical devices is full of security and privacy risks, medical organizations must stay informed about the latest threats and practice security measures to address these issues. Implementing ZTNA and blockchain technology helps mitigate risks and ensures the safety and security of healthcare data.