Modern healthcare institutions are steadily increasing the digital footprint of medical services. Remotely operated delivery robots bringing patients food and medicines and tiny pill-like scanners that detect anything amiss within the body are already a part of the healthcare ecosystem. Furthermore, the advent of 5G continues to drive the growth of the Internet of Medical Things (IoMT), greatly expanding the use-cases of such devices.
Before COVID-19 brought the world to a halt, the IoMT was already expected to grow 21% year-on-year up to 2025. Today, the digital transformation of healthcare is set to grow faster due to the effects of the pandemic. This includes the rise of remotely controllable and portable medical devices, as well as the demand for self-care gadgets.
Digitisation continues to hold the key to global healthcare transformation. When hospitals struggled with capacity, IoMT instruments allowed healthcare workers to serve more people. All this “smart monitoring” aims to help save plenty of lives. However, is this all too good to be true with no compromises attached?
Sources of cyber security risks
The potential opportunities to leverage the Internet of Things (IoT) in the healthcare sector seem endless, but this has also made institutions more likely to be vulnerable to cyberthreats. In a study that we conducted, we found that about 83% of operational medical imaging devices run on unsupported operating systems.
Outdated software programmes may mean that new bugs in the system go undetected and unfixed. This can render devices vulnerable and, ultimately, compromise the security of sensitive patient data. In dire circumstances, compromised pacemakers or other insertables like internal insulin pumps can lead to complications and even threaten patient lives.
Another challenge with healthcare IoT is that most of the devices don’t incorporate security by design. This then leaves healthcare organisations with the task of figuring out themselves how to keep all these devices safe.
As the number of unregulated and unmanaged IoMT devices increases, so will their diversity and lack of security. Last year, our Unit 42 team looked at 1.2 million IoT devices in use across enterprises and healthcare facilities. They found some crucial information about the security of these devices:
- 72% of healthcare VLANs merge IT and IoMT devices on the same network, and this can allow malware to spread easily
- 41% of attacks benefit from weaker security in devices
The lack of visibility of IoT or IoMT devices on the network also poses a severe issue. Currently, many medical facilities do not have the ability to accurately inventory, manage and update their IoT devices. This prevents them from knowing if these devices have been patched for known vulnerabilities, which leaves the door wide open for attackers to compromise these IoMT devices.
Ultimately, the lack of encryption, the use of unsupported operating systems and the absence of security by design can all be exploited by attackers using sophisticated technologies.
Consequences of the risk
IoMT vulnerabilities can present an opportunity for cybercriminals to seize control of medical devices and steal crucial patient data, health and insurance information, and clinical records. They can also lead to the disruption of networks, and the failure of healthcare delivery processes. Such actions may be carried out to extract a ransom and other gains.
These attacks can be quite damaging, and their frequency and scale are growing rapidly in the post-COVID world.
Hacking into hospitals and stealing medical records are becoming easier for hackers. In Thailand, a hospital fell victim to a ransomware attack last year, in which attackers held its computer systems and data for ransom.
This prevented hospitals from accessing their data and hindered operations relying on manual functions. Late in 2020, a cyberattack took control of thousands of terminals in a French hospital. This caused the institution to revert to pen and paper processes. The bottom line is that it has become easier for cybercriminals to hack into health records.
The sporadic responses to cyberattacks aside, the healthcare industry still does not have a comprehensive approach to deal with ransomware attacks and breaches. The tendency to keep costs low leads to oversight in integrating security measures while increasing IoT usage. This can give hackers easier access to devices ranging from IV pumps to MRI machines.
Here are some nice-to-have capabilities that would help make healthcare facilities and their use of IoMT even more secure.
- Real-time visibility of IoT devices: Visibility of IoMT devices is the first step to a strong defensive posture because we cannot protect what we do not see. Choose an IoMT scanner that can provide a comprehensive and accurate profiling of IoT devices. This accuracy can be obtained by leveraging the knowledge of its entire customer base. Once a new device is identified at one customer, all customers have the profile of that device.
- Intelligent defense-in-depth: An attacker has to pass through multiple security layers before they can compromise an IoMT device. Cloud-delivered services such as malware detection, web filtering, DNS security, and data leakage prevention can seamlessly integrate with IoT security to actively defend against known and unknown threats. The key lies in ensuring that these disparate defense-in-depth measures work together cohesively.
- Continuous vulnerability assessment and prioritisation: Machine Learning (ML) can be used to continuously evaluate behavioural patterns from IoMT devices against baselines established over time as well as patterns seen from similar crowdsourced devices. Unusual behaviour elevates a risk score, which helps with prioritising remediation efforts. For HDOs (Healthcare Delivery Organizations), this assessment includes Manufacturer Disclosure Statements related to antivirus capabilities, ePHI, FDA recalls and vendor patching information for the medical devices. The information is subsequently used to create flexible trust-based policies which can allow or deny device behaviour. All changes to the policy are automatically updated and activated.
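The capabilities listed above can be sketched in miniature: an inventory pass that finds VLANs mixing IT and IoMT devices, flags unsupported operating systems and missing encryption, and folds a behavioural anomaly value into a risk score used to order remediation. This is an added example, not code from the article or from any vendor product; the inventory, field names and weights are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample inventory; every name, VLAN id and value is illustrative.
INVENTORY = [
    {"name": "mri-01", "kind": "iomt", "vlan": 10,
     "os_supported": False, "encrypted": False, "anomaly": 0.1},
    {"name": "infusion-pump-07", "kind": "iomt", "vlan": 20,
     "os_supported": True, "encrypted": True, "anomaly": 0.7},
    {"name": "nurse-laptop-3", "kind": "it", "vlan": 10,
     "os_supported": True, "encrypted": True, "anomaly": 0.0},
    {"name": "xray-02", "kind": "iomt", "vlan": 30,
     "os_supported": False, "encrypted": True, "anomaly": 0.0},
    {"name": "hr-desktop-9", "kind": "it", "vlan": 40,
     "os_supported": True, "encrypted": True, "anomaly": 0.2},
]

# Assumed weights for this example, not a published scoring scheme.
WEIGHTS = {"unsupported_os": 40, "mixed_vlan": 25, "no_encryption": 15, "anomaly": 20}

def mixed_vlans(inventory):
    """Return the VLAN ids that carry both IT and IoMT devices."""
    kinds = defaultdict(set)
    for dev in inventory:
        kinds[dev["vlan"]].add(dev["kind"])
    return {vlan for vlan, seen in kinds.items() if {"it", "iomt"} <= seen}

def risk_score(dev, mixed):
    """Score 0-100: static exposure plus deviation from the behavioural baseline."""
    score = 0.0
    if not dev["os_supported"]:
        score += WEIGHTS["unsupported_os"]
    if dev["vlan"] in mixed:
        score += WEIGHTS["mixed_vlan"]
    if not dev["encrypted"]:
        score += WEIGHTS["no_encryption"]
    score += WEIGHTS["anomaly"] * dev["anomaly"]  # anomaly is in the range 0.0-1.0
    return round(score, 1)

def prioritise(inventory):
    """Return (name, score) pairs, highest risk first."""
    mixed = mixed_vlans(inventory)
    scored = [(dev["name"], risk_score(dev, mixed)) for dev in inventory]
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    print("Mixed IT/IoMT VLANs:", sorted(mixed_vlans(INVENTORY)))
    for name, score in prioritise(INVENTORY):
        print(f"{score:5.1f}  {name}")
```

In this sample the unsupported, unencrypted imaging device on a shared VLAN ranks first, ahead of a well-maintained device whose only signal is unusual behaviour.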
IoMT will continue to disrupt the healthcare industry. As 5G technology expands the use cases of IoMT, the ability for a cyberthreat to impact lives and the critical operations of an HDO grows exponentially. Medical institutions must look into all potential exposure to security threats. This ensures that new technologies’ vulnerabilities are not exploited, and that patient data remains secure.
Securing the IoMT starts with gaining complete visibility and turning unmanaged devices into known entities. Next, develop a defense-in-depth approach to segregate and protect your consequential IoMT devices. Leverage the power of ML and cloud-delivered services to bring intelligence and cohesion to your defensive layers across locations like hospitals, data centres, user endpoints, remote clinics, and mobile devices. Last but not least, develop a real-time risk assessment mechanism to continuously address the vulnerabilities of your IoMT ecosystem.
These measures will equip healthcare IT teams to better protect their medical devices, which leads to better care for patients and most importantly, millions of lives saved through a digitally trusted healthcare ecosystem.
Ian Lim is the Field Chief Security Officer – Asia Pacific at Palo Alto Networks.