Securing IT, OT, IoT, and IoMT in healthcare

With the rise of the Internet of Medical Things (IoMT), the healthcare ecosystem is getting smarter – but more vulnerable to cyberattacks, too.

From robotic arms that aid surgeries to wearable or ingestible sensors that pair with your smartphone to monitor your health, connected medical devices are a market in expansion. Smart hospitals are expected to deploy over 7 million IoMT devices by 2026, which is more than twice that of 2021, per Juniper Research.

What is the Internet of Medical Things?

As a subset of the Internet of Things (IoT) in healthcare, Internet of Medical Things refers to connected healthcare devices and applications. Since medical devices are not designed with security in mind, they are often vulnerable to cyberattacks, and have become a growing target of cybercrime.

IDC predicts there will be over 55 billion IoT devices by 2025. And it’s concerning that 57% of healthcare security professionals don’t fully understand the risks associated with unmanaged IoT devices, according to the Armis report titled State Of Enterprise IoT Security: A Spotlight on Healthcare.

A spotlight on healthcare

There’s even a lack of understanding of what counts as IoT in healthcare. The same report found that:

  • 48% think MRIs, X-ray, and ultrasound machines that connect to the network do not count as IoT technology.
  • 41% think biomedical devices (e.g. infusion pumps, ventilators, crash carts) that use Wi-Fi or Bluetooth do not count as IoT-enabled devices.

This knowledge gap hinders hospitals’ ability to implement the right medical device security solution. IoMT devices are often unmanaged and, as a result, more vulnerable than managed computers because they cannot be secured with traditional security tools, such as agents and scans.

IoMT examples that expand your cybersecurity attack surface

Trends of digital transformation in healthcare have increased the push for IoMT technology. But while implementing those innovations, equally important is to build hospital cybersecurity resilience along the way.

Here are four IoMT examples to take into account when identifying your cyberattack surface. That refers to all the possible entry points for an unauthorised access.

  • Robotic surgery. With the use of robotic arms, doctors can perform more complex and precise procedures, even remotely. These procedures are considered less invasive and have use cases such as coronary artery bypass and mitral valve surgery.
  • Remote monitoring. Personal emergency response systems and remote patient monitoring solutions can send automatic alerts in case of distress.
  • Wearable devices. Sensors and trackers can monitor details such as sleep patterns, glucose levels, blood pressure, and electrocardiogram patterns. Devices and supporting platforms certified by regulatory or health authorities include pills that track the ingestion of medicaments, neurostimulators that offer relief from chronic pain, and pacemakers with remote heart rate monitoring functions.
  • Automated drug delivery. Connected infusion pumps and smart drug dispensing cabinets in hospitals enable the automated delivery of medication and can be controlled through the internet.

These connected devices could potentially be exploited to malfunction and cause harm to patients. Attackers might also use medical devices as a backdoor to break into hospital networks. Health data breaches are another concern.

Risks go beyond connected medical devices

The convergence with devices that are not necessarily medical, but are used as such, also expands the attack surface. For example, vendors are using Samsung Galaxy and Raspberry Pi to power medical devices as a way to lower costs. This clinical usage poses a security blind spot, especially if your security tool thinks it’s dealing with a tablet, rather than understanding that it might have, for example, an ultrasound component connected to it.

Traditional IT devices such as printers in doctor’s offices and operational technology (think of pressure setting for infection control during surgeries) also pose cybersecurity risks. From check-in kiosks to nurse call systems and defibrillators, patients are surrounded by devices throughout their hospital stay. Another example of the pervasiveness of IoT in healthcare is the increased use of surveillance webcams to help protect physicians and nurses from growing workplace violence.

IoMT device security requires comprehensive asset visibility

Asset visibility is critical not only to increased hospital cybersecurity but also to improved operational efficiency and return on investment. Hospitals can better understand:

  • Where is the device located? When and how is it used?
  • What are the risks associated with the device? Is it patched?

This type of information helps both clinical teams with device utilisation trends and cybersecurity personnel with vulnerability management.

For comprehensive device inventory and visibility, your cybersecurity solution needs to identify all assets in your environment (on and off-network), including those that cannot accommodate security agents. The monitoring needs to be continuous and passive because scans are disruptive and can cause devices to crash.

A comprehensive device inventory generates information such as category, manufacturer, device classification, operating system version, installed applications, connections, activities, risk factors, and more.