Securing medical devices without increasing burden

The enterprise IoT (Internet of Things) market will represent a US$58 billion opportunity in 2025, according to Gartner. It is no overstatement to say that IoT has arrived in the enterprise in a really big way.

In the healthcare industry, medical IoT has been a catalyst of change geared toward lessening the burden on healthcare systems and creating new capabilities for the industry. Medical IoT, through its ability to transfer medical data, is playing a role in promoting digital transformation across the healthcare industry.

The benefits of securing medical IoT devices are multifold: improving the delivery of care, increasing patient engagement, and providing better support for remote care. However, in far too many cases, organisations are unaware of all the devices they are using or the potential risks these devices may pose.

An unknown and unmonitored device in the corporate LAN represents a potential attack vector that can put an organisation at risk. Furthermore, the threat scenarios are critical in the medical devices industry. For example, according to Palo Alto Networks’ Unit 42 (a threat intelligence and security research team), an alarming 75% of smart infusion pumps examined in the networks of hospitals and healthcare organisations were found to have security vulnerabilities. This makes these devices an attractive target for cyberattacks, potentially exposing patient data and ultimately putting patients at risk.

Typically, healthcare enterprises want to support medical IoT devices in the network while ensuring that device security does not impede productivity or add strain on IT security resources. Striking a balance between these two goals is crucial.

What does it take to secure medical IoT devices?

The healthcare industry has consistently been a target for data breaches over the past 12 years (2010-2022), with the highest average cost per breach compared to other industries. Connected medical devices are particularly attractive to attackers, as they can hold hospitals ransom through ransomware attacks or steal sensitive patient health information stored on the devices.

The vulnerabilities of IoT devices are further exacerbated by the fact that 98% of all IoT traffic is unencrypted. This means that if an IoT device sends information over a private network or the public internet, it is transmitted in plain text and can be easily viewed by anyone who can observe the traffic.

IoT devices that transmit unencrypted data pose a significant risk of sensitive information being compromised in a data breach. In the healthcare setting, connected clinical and operational IoT devices are essential for tasks such as patient monitoring and office systems. However, these same devices also increase the potential for attacks, as they present a vulnerable entry point for cybercriminals seeking to infiltrate the hospital network.

To better understand the risks, the following 5 L's are handy.

  • Large quantity: There is a large and growing number of IoT and medical IoT devices.
  • Large variety: There is a large variety of protocols and technologies used in medical IoT.
  • Lack of self-protection: For the most part, IoT devices are exposed and do not protect themselves.
  • Larger risks (as the attack surface is increased): Without encryption and with unprotected access, medical IoT expands the attack surface within healthcare organisations.
  • Long lifecycle: Medical IoT devices often outlive the supported update cycle from a vendor, meaning there can be a lot of older, unsupported medical devices in a network.

Removing the burden

The inability to monitor and manage connected medical devices undermines the ability to fully understand the attack surface. Undetected vulnerabilities pose unknown threats because of a lack of information about the devices. The first step in reducing the risk posed by unmanaged medical IoT devices is to gain visibility into what is on the network. This requires answering questions such as:

  • What devices do we have?
  • Are they functioning as intended?
  • Can we trust these devices?

It is important to note that traditional network scanning also poses a risk, as it can disrupt or even damage critical operational technology equipment. Given the diverse range of medical IoT devices, it is not always possible to easily identify and categorise all devices, presenting a significant challenge for medical device management.

The traditional manual approach of creating policies to regulate the actions of devices on a network is both time-consuming and prone to errors. As the number of medical IoT devices grows, it becomes increasingly difficult to manually generate policies for each device. This is where machine learning can be of great benefit. With manual processes reduced and full visibility into the network obtained, machine learning algorithms can identify risky behaviour and differentiate it from normal activity. These insights can then be used to create automated policies that secure medical IoT devices within the healthcare infrastructure, reducing the risk associated with their adoption.
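The sketch below is an added example, not code from the article or from any vendor product. It derives a per-device policy from passively observed flows (no active scanning) and then classifies later traffic against it; a simple allowlist baseline stands in for the machine-learning models mentioned above, and all device names, hosts, flow records and the plaintext-protocol set are constructed assumptions.

```python
from collections import defaultdict

# Constructed passive flow records: (device, destination, port, protocol).
BASELINE_FLOWS = [
    ("infusion-pump-01", "pump-server.hospital.example", 443, "tls"),
    ("infusion-pump-01", "ntp.hospital.example", 123, "ntp"),
    ("infusion-pump-01", "pump-server.hospital.example", 443, "tls"),
    ("patient-monitor-07", "hl7-gw.hospital.example", 2575, "hl7"),
    ("patient-monitor-07", "ntp.hospital.example", 123, "ntp"),
]
NEW_FLOWS = [
    ("infusion-pump-01", "pump-server.hospital.example", 443, "tls"),
    ("infusion-pump-01", "203.0.113.50", 23, "telnet"),
    ("patient-monitor-07", "hl7-gw.hospital.example", 2575, "hl7"),
    ("ct-scanner-02", "pacs.hospital.example", 104, "dicom"),
]
# Assumption for this sample: protocols treated as carrying data unencrypted.
PLAINTEXT = {"telnet", "http", "ftp", "hl7", "dicom"}


def learn_policy(flows, min_seen=1):
    """Build {device: set of allowed (dst, port, proto)} from observed flows.

    min_seen drops one-off flows so a single stray connection seen during
    the learning window does not become part of the policy.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for device, dst, port, proto in flows:
        counts[device][(dst, port, proto)] += 1
    return {dev: {flow for flow, n in seen.items() if n >= min_seen}
            for dev, seen in counts.items()}


def evaluate(policy, flows):
    """Classify each flow against the learned policy and flag plaintext use."""
    findings = []
    for device, dst, port, proto in flows:
        if device not in policy:
            verdict = "unknown-device"   # never inventoried: visibility gap
        elif (dst, port, proto) not in policy[device]:
            verdict = "deviation"        # known device, unseen behaviour
        else:
            verdict = "allowed"
        findings.append({"device": device, "dst": dst, "port": port,
                         "verdict": verdict, "plaintext": proto in PLAINTEXT})
    return findings


if __name__ == "__main__":
    for finding in evaluate(learn_policy(BASELINE_FLOWS), NEW_FLOWS):
        print(finding)
```

A flow can be "allowed" by the baseline and still be flagged as plaintext, as with the patient monitor's HL7 traffic here: a policy learned from behaviour records what is normal, not whether it is safe.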

By utilising a policy informed by the actual behaviour of medical IoT devices on the network, the next step is to enhance security by combining this policy with a comprehensive set of cloud and on-premises security services. This will help defend against known and unknown threats that target medical devices and ultimately achieve the goal of full protection.

In essence, adopting a thorough zero-trust cybersecurity approach that constantly assesses and safeguards the security status of medical devices can aid healthcare organisations in their digital transformation efforts, resulting in improved patient care outcomes while maintaining patient data confidentiality and meeting regulatory requirements.