Closing the IoMT Knowledge Gap Between HTM and Cybersecurity

Healthcare delivery organizations (HDOs) are increasingly reliant on Internet of Medical Things (IoMT) devices to enhance the patient care experience. However, the boom in IoT device integration in hospitals and healthcare facilities is a double-edged sword: despite their numerous benefits, these devices often create cybersecurity risks. The challenge of securing IoMT devices often falls to healthcare technology management (HTM) teams, who are trained primarily in biomedical engineering, not information security.

Many HTM teams can calibrate IoMT devices but may struggle with more advanced and ever-evolving cybersecurity issues, such as identifying indicators of compromise or understanding how cyber threats propagate across networked devices. Bridging the HTM knowledge gap is essential to ensure the continued adoption of IoMT while safeguarding HDOs against cyberattacks.

Evolution and Impact of IoMT Devices on HTM Teams

IoMT devices have redefined healthcare. HDOs can now offer more personal, enhanced care, including real-time patient monitoring and remote care for more precise, personalized medical treatments. Unfortunately, IoMT devices are inherently insecure: they lack robust security controls, and many run outdated software that is vulnerable to cyberattacks.

As cyber threats continue to evolve, HTM teams are playing a more active role in the security of IoMT devices. Instead of overseeing and maintaining standalone medical devices, HTM teams are often responsible for implementing robust cybersecurity controls to protect IoMT devices. Many HTM teams are staffed by biomedical practitioners with limited cybersecurity knowledge or expertise. This creates knowledge gaps when HTM teams are unaware of emerging attack trends.

To help address the knowledge gap and combat cybersecurity risks in healthcare, in 2023, the Department of Health and Human Services (HHS) established Voluntary Cybersecurity Performance Goals for the healthcare sector, emphasizing the importance of basic cybersecurity training within healthcare organizations.

As HDOs continue to adopt IoMT devices, their attack surface expands and greater responsibility falls on HTM teams, making it crucial to address the cybersecurity knowledge gap. For example, an HTM team that lacks cybersecurity expertise may not understand how a vulnerable infusion pump could become an initial access point for a cyberattack. A large hospital can have hundreds of infusion pumps, creating multiple opportunities for a malicious actor to gain a foothold and move laterally within the network.

Difficulty Assessing At-Risk Devices

Data show that the average hospital has 10 to 15 connected medical devices per bed. Many IoMT devices are highly mobile (infusion pumps, patient monitors, EKG machines, and more), making them challenging to track and secure.

IoMT risk management is a challenge for many reasons. At 10 to 15 devices per bed, a large hospital can easily have hundreds of devices from multiple manufacturers, and each device must be tracked, monitored, and secured. This sheer volume and diversity complicate not only device visibility but also the process of securing and maintaining devices over time.

Vulnerability management and patching are challenging even for traditional IT assets, and the difficulty is magnified for IoMT devices. Device manufacturers don’t always send out alerts for patches and updates, and many IoMT devices run end-of-life (EOL) software, making patching challenging. Additionally, HTM teams may struggle with remediation prioritization or applying patches uniformly across all devices.

HTM teams don’t need to shoulder the full burden of managing IoMT device risk alone—managed cybersecurity services can provide critical support. These services can help identify every connected device on the network, assess and mitigate associated risks, and streamline vendor management. Since HTM teams often have a hand in vendor relationships and capital expenditures, having accurate risk data makes it easier to justify keeping devices in service. This helps reduce unnecessary replacement costs and positions HTM as a strategic partner in hospital decision-making.

Challenges with Cybersecurity Tools

HTM professionals are primarily trained to maintain functionality and patient safety, not manage digital threats. Recognizing this, some professional organizations, such as the Association for the Advancement of Medical Instrumentation (AAMI), have begun offering courses to address the skill gap. Data show that, historically, healthcare organizations have invested 6% or less of their IT budgets in cybersecurity, and even then, many cybersecurity tools aren’t designed for medical devices. Some tools, like vulnerability scanners or EDR agents, can crash or interfere with IoMT devices. Many connected medical devices also lack traditional UIs, and some use proprietary protocols, which can make auditing, policy creation, and device configuration challenging. While many healthcare organizations are taking steps to address cybersecurity risks, HTM teams still lack experience with cybersecurity tools.

Compliance Focus vs. Risk Focus Challenges

While many healthcare delivery organizations (HDOs) are advancing their cybersecurity posture by adopting frameworks like the NIST Cybersecurity Framework 2.0 and Health Industry Cybersecurity Practices (HICP), HTM teams often operate under different priorities. Traditionally, HTM has focused on ensuring device safety, performance, and adherence to regulatory standards such as those from The Joint Commission, FDA, and ECRI. These frameworks emphasize patient safety and operational continuity but don’t always align directly with modern cybersecurity requirements.

As a result, HTM teams may face challenges when tasked with applying governance and risk-based cybersecurity controls to their fleet of IoMT devices. Without targeted training and cross-functional alignment, HTM teams may struggle to map cybersecurity best practices to the realities of IoMT device maintenance and lifecycle management, leaving potential gaps in compliance and exposing HDOs to unnecessary risk.

How to Augment Cybersecurity Expertise with IoMT Security

As HDOs continue integrating IoMT into their businesses, leveraging an IoMT security solution becomes critical to managing device security risk. It also has numerous benefits for HTM teams and can help them build their cybersecurity expertise.

An IoMT security solution simplifies some of the most challenging aspects of mitigating device risk, providing teams with robust device visibility and monitoring and simplifying vulnerability remediation and patching. Additionally, HTM teams may opt to partner with an IoMT security vendor that not only supports day-to-day risk reduction but also helps teams build cybersecurity expertise through managed services, bridging skill gaps while strengthening the organization’s overall security posture.

Notably, vendor selection can be challenging for many organizations. Leveraging an IoMT Security RFP Template can help facilitate the selection process and help HTM teams start on the path of up-leveling their cybersecurity knowledge.

Scale Your HTM Cybersecurity Expertise with Asimily 

HTM teams are on the front lines of device management, juggling safety, compliance, and uptime. But cybersecurity expertise doesn’t have to be a knowledge gap or even a hurdle. Teams can get the cybersecurity resources and support they need to ensure IoMT devices remain online, operational, and, most importantly, secure. 

Asimily’s breadth and depth of IoMT platform capabilities and expertise in device risk management make it uniquely qualified to help HTM teams manage risk end-to-end across the entire network. Asimily’s Risk Reduction Services team helps HTM teams scale their understanding of cybersecurity. Teams that partner with Asimily gain a critical understanding of not only IoMT risk management but also capital equipment planning, helping shift HTM teams from a cost center to a value driver within the hospital. Asimily’s Risk Reduction Services team can also mentor HTM team members through active risk reduction exercises like tabletop exercises.

Interested in learning how Asimily can help your HTM team scale their cybersecurity expertise? Reach out now to book a demo.
