Five Essential Outcomes from a Risk Mitigation Project in IoMT

Internet of Things (IoT) devices and Internet of Medical Things (IoMT) devices are rapidly becoming both a business norm and a security nightmare for healthcare delivery organizations (HDOs). IoMT devices are notoriously challenging, as no official security standard exists for them. As threat actors continue to target these devices, legislative bodies and standards organizations add new IoMT risk mitigation requirements. While organizations that deploy IoMT devices need to improve their management and governance, manufacturers still lag in providing security patches for firmware.
In the past few years, many hospitals that leverage IoMT devices have felt the strain of implementing the appropriate security controls and risk management processes. Despite a global tide of digital trust labels that seek to hold manufacturers accountable, these certifications remain primarily voluntary. Simultaneously, many emerging industry standards require organizations to implement additional IoT security oversight. The healthcare industry alone has three standards or certifications that HDOs need to consider.
As HDOs implement IoMT risk management projects, understanding what they are, what risks to consider, and how to measure success is critical.
What is the Risk Management of IoMT?
IoMT risk management includes identifying and reducing risks linked to the security vulnerabilities of network-connected medical devices. Some key strategies for IoMT risk management programs include:
- Device Security: Secure device configurations with strong passwords and encryption keys.
- Network Segmentation: Use separate networks for IoT devices to limit potential threats.
- Monitor Suspicious Activity: Set up real-time monitoring to catch unusual behavior.
- Regular Security Patches: Keep connected devices updated to address security issues.
- Third-Party Risk Management: Evaluate and manage risks from third-party vendors in your IoT environment.
What are Some Key IoMT Security Risks that Organizations Need to Consider?
As an organization implements an IoMT risk mitigation program, it should consider how to manage some of the following key issues:
- Technical Vulnerabilities: Poor authentication and outdated firmware create security weaknesses.
- Insufficient Security Patches: Without regular updates, devices remain exposed.
- Open-source Components: Without proper vetting, these can harbor critical vulnerabilities.
- Clear Text Data Transmission: Sending data unencrypted can expose it to unauthorized access.
- Exposed Network Services: These services can serve as entry points for cyber threats.
- Lateral Movement: Compromised devices may allow attackers to move across networks.
- Escalated Privileges: Once inside, attackers can gain higher access, posing more security challenges.
5 Essential Outcomes for Measuring an IoMT Risk Mitigation Project’s Success
Building an IoMT risk mitigation program is challenging, especially when organizations already have budgetary constraints and limited staffing. As part of the process, organizations need to know what success looks like and how to appropriately measure it.
1. Build a Dedicated Team for Managing IoMT Risk
Creating a cross-functional team is critical for managing IoMT security risk. At a minimum, the team should include representatives from:
- Security
- IT, like the people responsible for mobile device management (MDM)
- Network management
- Infrastructure
- Vulnerability and patch management
- Compliance
- Senior leadership
In specialized industries, the organization should consider other internal stakeholders. For example, an HDO might need to include:
- Healthcare technology management (HTM)
- Biomedical management
- Clinical teams
For teams that need additional support, working with a specialized IoT device security managed services provider can offer the necessary staff augmentation without requiring the company to add a new full-time employee.
2. Implement Targeted Risk Controls
Every organization’s IoMT security risk is different because no two companies have the same system architecture. Some key risk controls to consider include:
- Targeted network segmentation: grouping IoMT devices based on similar risk profiles or attack vectors for easier monitoring and management
- Device hardening: implementing secure configurations, including disabling unnecessary functionalities and network connections
- Vulnerability scanning: using a passive network scanner that understands normal and abnormal traffic patterns to identify vulnerabilities without impacting device operations
- Remediation prioritization: identifying and fixing high-risk vulnerabilities either by deploying patches or implementing compensating controls, like limiting network connectivity
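One way to express the remediation-prioritization step in code, as an added illustration rather than Asimily's own algorithm: findings on the CISA KEV list rank first, then higher EPSS, then network exposure, and a finding gets a patch when the manufacturer ships one or a compensating network control otherwise (the ranking policy, the Finding fields and the placeholder CVE identifiers are all assumptions).

```python
"""Rank IoMT vulnerability findings and choose a remediation path.

Added illustration for the remediation-prioritization step; it is not
Asimily's patented algorithm. The policy is an assumption: findings on the
CISA KEV list rank first, then higher EPSS, then network exposure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    cve: str                 # placeholder IDs in the sample, not real CVEs
    epss: float              # EPSS probability of exploitation (0..1)
    in_kev: bool             # listed on CISA Known Exploited Vulnerabilities
    reachable_outside_segment: bool  # service reachable from other networks
    patch_available: bool    # manufacturer has released fixed firmware


def risk_key(f: Finding) -> tuple:
    # sorted() is ascending, so invert each term to put the riskiest first.
    return (not f.in_kev, -f.epss, not f.reachable_outside_segment)


def recommended_action(f: Finding) -> str:
    """Patch when a fix exists; otherwise fall back to a compensating control."""
    if f.patch_available:
        return "deploy-patch"
    if f.reachable_outside_segment:
        return "restrict-network"   # limit connectivity to the device's segment
    return "monitor"


def prioritize(findings):
    """Return (device, cve, action) tuples, highest risk first."""
    return [(f.device, f.cve, recommended_action(f))
            for f in sorted(findings, key=risk_key)]


# Constructed sample findings with placeholder CVE identifiers.
SAMPLE = [
    Finding("patient-monitor-07", "CVE-0000-0001", 0.02, False, True, True),
    Finding("infusion-pump-01", "CVE-0000-0002", 0.91, True, True, False),
    Finding("infusion-pump-01", "CVE-0000-0003", 0.40, False, True, False),
    Finding("ultrasound-03", "CVE-0000-0004", 0.40, False, False, True),
]
```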
3. Implement MDM Across IoMT Devices
Traditional MDM identifies and manages mobile devices across their entire lifecycle from procurement through retirement. IoMT devices are mobile since they move around the organization’s physical spaces or campus. However, they are not traditional “mobile devices,” like smartphones or tablets.
To manage IoMT devices in the same way that the organization manages workstations or mobile devices, the MDM capabilities should include:
- Modeling and simulating an IoT device’s impact on security during procurement
- Identifying new IoT devices when they connect to networks
- Classifying IoT devices based on risk and impact
- Using device metadata to document configurations, components, and applications
- Integrating IoT device data into the larger inventory source of truth, like a configuration management database (CMDB) or computerized maintenance management system (CMMS)
4. Continuously Monitor for New Risks and Threats
A robust IoMT security risk mitigation project should have continuous risk and threat monitoring built into it. Attackers evolve their methodologies, meaning the controls in place today may not be as effective tomorrow. As part of managing IoMT risk, organizations should have a way to:
- Identify normal IoT device communications and network traffic activity
- Identify abnormal traffic that can indicate communications with a command and control (C2) server, like connecting to known risky geographic regions or IP addresses
- Incorporate threat intelligence, like leveraging data from the Exploit Prediction Scoring System (EPSS) or the known exploited vulnerabilities (KEV) list
- Receive alerts about abnormal IoMT device activity
- Quarantine devices that trigger security alerts
- Capture packet data to use for forensic analysis
- Integrate IoMT device data into the organization’s larger security monitoring, like connecting it to the security information and event management (SIEM) solution
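The first few monitoring capabilities above (learn normal device communications, flag traffic to risky regions or known bad addresses, alert and quarantine) in a compact form, as an added example that is not code from the page or from Asimily; the flow-record layout, the learning-window length, the region code "XX" and the sample addresses are all constructed assumptions standing in for a real flow collector and threat-intelligence feed.

```python
"""Baseline each IoMT device's normal destinations, then flag deviations.

Added example, not the page's or Asimily's code. Assumptions: a flow record
is (device, dst_ip, dst_country, dst_port); a device's first LEARN flows form
its learning window; RISKY_COUNTRIES and KNOWN_BAD_IPS are constructed.
"""
from collections import defaultdict

LEARN = 3                           # flows per device used to learn "normal"
RISKY_COUNTRIES = {"XX"}            # placeholder region code
KNOWN_BAD_IPS = {"203.0.113.9"}     # documentation-range address, constructed

# Constructed sample flows: (device, dst_ip, dst_country, dst_port)
FLOWS = [
    ("infusion-pump-01", "10.10.5.20", "US", 443),    # normal: clinical server
    ("infusion-pump-01", "10.10.5.20", "US", 443),
    ("infusion-pump-01", "10.10.5.21", "US", 8443),
    ("infusion-pump-01", "198.51.100.7", "XX", 443),  # new dest in risky region
    ("infusion-pump-01", "203.0.113.9", "US", 80),    # known C2 address (sample)
    ("mri-console-02", "10.10.7.5", "US", 104),       # DICOM to PACS
    ("mri-console-02", "10.10.7.5", "US", 104),
    ("mri-console-02", "10.10.7.5", "US", 104),
    ("mri-console-02", "10.10.7.6", "US", 104),       # unseen peer, same port
]


def learn_baseline(flows):
    """Per device: set of (dst_ip, dst_port) seen during its learning window."""
    seen, baseline = defaultdict(int), defaultdict(set)
    for dev, ip, _country, port in flows:
        if seen[dev] < LEARN:
            baseline[dev].add((ip, port))
            seen[dev] += 1
    return baseline


def detect(flows, baseline):
    """Return (device, dst_ip, reason, response) for post-window deviations."""
    seen, alerts = defaultdict(int), []
    for dev, ip, country, port in flows:
        seen[dev] += 1
        if seen[dev] <= LEARN:
            continue                       # still inside the learning window
        if ip in KNOWN_BAD_IPS:
            alerts.append((dev, ip, "known-bad-ip", "quarantine"))
        elif country in RISKY_COUNTRIES:
            alerts.append((dev, ip, "risky-region", "quarantine"))
        elif (ip, port) not in baseline[dev]:
            alerts.append((dev, ip, "new-destination", "alert"))
    return alerts
```

In a deployment the alerts would be forwarded to the SIEM and the "quarantine" responses handed to the network access control that isolates the device's segment.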
5. Assign Responsibility and Improve Governance
For organizations in highly regulated industries, like healthcare, compliance is critical to ongoing operations. For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 incorporates a Governance function that requires organizations to assign roles, responsibilities, and authorities for managing security.
To meet governance requirements, organizations need to assign responsibilities for tasks like:
- IoMT device asset management
- Identifying high-risk vulnerabilities
- Implementing remediation activities
- Identifying anomalies
- Creating mitigation plans
- Building security program playbooks
- Responding to anomalies
- Developing and reporting key performance indicators (KPIs)
Asimily: Technology and Services to Augment IoMT Risk Mitigation Projects
Asimily is purpose-built to manage IoMT devices so that organizations have visibility into and control over their fleets. Our platform provides context, taking into account vulnerabilities and the IT environment, so organizations can mitigate risk more effectively.
Our Customer Support Team enables organizations to augment their current staffing with deep knowledge about IoMT risks and how organizations can architect and manage secure systems. With Asimily’s managed services, organizations can understand where they are in their ability to operationalize our solution. By partnering with our team, organizations get boots on the ground who can help uplevel current staff and collaborate more effectively across all internal stakeholders, including HTM vendors.
Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like the Exploit Prediction Scoring System (EPSS), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.