The healthcare industry is experiencing a rapid increase in cyber attacks, with reports of malicious activities almost doubling from 2020 to 2022. According to the latest research by cybersecurity firm Emsisoft, at least 24 major healthcare systems were attacked in 2022, affecting hundreds of hospitals.
The hackers behind these incidents aim to disrupt operations and steal sensitive patient data. Their techniques are becoming more sophisticated, making it harder for IT security teams to keep up. As a result, healthcare organizations need a comprehensive IoMT security program to protect their patients and assets effectively.
Critical Vulnerabilities in Healthcare: Why Immediate Attention is Needed
The healthcare industry is especially vulnerable to cyber threats due to its large budget, expansive device fleet, and reliance on external manufacturers. Upgrading an IoMT device presents unique challenges that do not exist in other cybersecurity sectors.
Many IoMT devices are outdated and lack security features such as encryption or multi-factor authentication, making them easy prey for hackers. Installing a patch fixes many vulnerabilities, but device patches are only available through the manufacturer, who must test to ensure they’re safe for download.
The process minimizes compatibility issues, but it’s slow and unreliable. Often, a new device patch is never released despite known security flaws.
When an upgrade is possible, hospitals must worry about limiting downtime. Device interruptions affect patient care and a physician’s routine. For instance, 2022’s CommonSpirit Health ransomware attack led to canceled surgeries nationwide.
A robust IoMT security plan must address the technical vulnerabilities that make healthcare systems attractive targets and the operational hurdles posed by limited or no downtime. Healthcare organizations need to prioritize IoMT security and create a safety culture that protects patients and maintains continuity of care.
Why Traditional Security Measures Aren’t Enough
Due to the challenges inherent in securing IoMT devices, traditional security measures are insufficient.
For instance, scanning devices for signs of intrusion or corruption is a routine practice in IT, but doing so to patient medical devices could cause safety issues. Unverified patches could remove vulnerabilities, but installing one risks the device’s warranty. Hospitals can’t afford this outcome, as a standard device like an ultrasound machine can cost more than $200,000.
One security concept that remains unchanged within healthcare is Zero Trust. Zero Trust requires all devices and systems, regardless of location, to authenticate their identity before they are granted access. It shifts the focus away from traditional perimeter-based defense models to more proactive approaches such as micro-segmentation, privileged access management (PAM), endpoint detection and response (EDR), and device-level encryption.
Zero Trust principles should be integrated into your IT strategy. However, Zero Trust can’t be your only solution. Hospitals need comprehensive security to fully defend against modern hackers.
Fighting Threats in Healthcare Goes Beyond Zero Trust
Zero Trust has a few downsides. In addition to not entirely eradicating your risk, Zero Trust is hugely resource-intensive. Your hospital may not have the means to enact and maintain a Zero Trust policy.
The best approach for hospitals is to combine traditional measures with proactive ones, such as IoMT security. This form of protection focuses on the device rather than the network, and it’s tailored specifically to healthcare environments. A holistic IoMT security plan protects your patients, network, and devices from cyberattacks.
At Asimily, we believe that this plan comprises eight distinct steps. As one step becomes impractical, we move to the next one. Don’t miss out on the insights in the Cybersecurity IoMT Webinar Series, where Sr. Director of Solutions Engineering Luke Smith dives into these 8 Steps further! Watch it on demand now.
To adopt an IoMT security strategy, hospitals should assess their existing infrastructure to identify potential vulnerabilities. Then it’s crucial to prioritize risk management and detail how to respond to threats. Hospitals should also consider investing in specialized software designed specifically for healthcare.
An IoMT security plan is an investment in the future of your hospital and its patients. Strategic implementation of this approach will benefit everyone involved, from administrators to frontline staff and even the patients themselves. Learn how to remediate cyber risk in your medical devices by downloading our step-by-step guide now.
Implementing a Holistic Approach
We recommend the following eight steps to implement a holistic approach to IoMT security.
Patching, which is regularly updating connected medical devices with the latest software, reduces risk and prevents attacks. The best way to stay in the loop when relevant patches are released is to cultivate industry and manufacturer connections.
Manufacturer delays in issuing patches can have serious consequences. As of 2022, regulations were passed as part of the Omnibus Spending Bill to lessen this problem. The rules require manufacturers to commit to providing continuous patches and upgrades for their products. This measure aims to ensure that medical devices remain secure and protected against potential cyber threats.
Macro-segmentation is a way to divide large networks into smaller subnets. This effort improves security by limiting the spread of malicious attacks or unauthorized access. In IoMT, it’s essential to apply this technique to protect medical devices from intrusion.
For example, it’s common to segregate IoMT devices to their own network, drastically reducing their contact with questionable endpoints. Devices that handle a lot of traffic, such as laptops and desktop computers, should be placed in their own segment as well. If an employee clicks on a bad link or accidentally downloads malicious software, macro-segmentation will prevent the damage from spreading to critical devices.
Device hardening is a process of making medical devices more secure. These changes apply to specific devices rather than the network as a whole.
Best practices for hardening include limiting access to privileged accounts and changing default settings. Actions as small as adding password protection can have a positive effect. For instance, if a patch is not available for an older device, hardening techniques can protect it until one is released.
Targeted segmentation is the practice of isolating vulnerable devices to minimize a potential attack’s damage radius. It’s used when patching and macro-segmentation are impractical or have failed to protect the network.
When practicing targeted segmentation, it’s essential to identify which devices are most likely to be attacked. Asimily can help with this step. We can provide data-driven reports detailing major vulnerabilities associated with your devices.
Devices that are critical for safety or hospital operations should use a segmented network. For instance, at Chicago’s Riverside Health, insulin and intravenous pumps are isolated.
Micro-segmentation is a type of intra-network segmentation used when macro and targeted segmentation are not enough. It uses software-defined policies to divide a network by device, restricting lateral movement even further.
Micro-segmentation should be used with caution. It can significantly reduce the attack surface area but requires a great deal of setup and maintenance. Unnecessary segmentation can also cause confusion.
An example of micro-segmentation successfully stopping an attack is the WannaCry ransomware incident. In 2016, a vulnerability in Windows allowed WannaCry to spread rapidly worldwide. Protected networks were able to stop the spread by leveraging micro-segmentation.
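How the macro and micro layers described above differ in practice, as an added example that is not Asimily's code: a small policy checker that evaluates flows first by subnet and then by per-device allowlist. All subnets, device addresses, and port choices are constructed for illustration.

```python
import ipaddress

# Constructed macro-segments: one subnet per device class.
SEGMENTS = {
    "iomt": ipaddress.ip_network("10.20.0.0/24"),
    "workstations": ipaddress.ip_network("10.30.0.0/24"),
    "clinical_servers": ipaddress.ip_network("10.40.0.0/24"),
}
# Macro policy: (source segment, destination segment) -> allowed ports.
MACRO_ALLOW = {
    ("iomt", "clinical_servers"): {2575, 104},  # HL7 MLLP, DICOM
    ("workstations", "clinical_servers"): {443},
}
# Micro policy: per-device allowlist of (destination IP, port).
MICRO_ALLOW = {
    "10.20.0.11": {("10.40.0.5", 2575)},  # infusion pump -> interface engine
    "10.20.0.12": {("10.40.0.6", 104)},   # ultrasound -> image archive
}

def segment_of(ip):
    """Return the macro-segment containing ip, or None if unsegmented."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(src, dst, port):
    """Return 'allow', 'deny-macro' or 'deny-micro' for one flow."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny-macro"
    # Macro layer: traffic inside a segment passes; crossing needs a rule.
    if s != d and port not in MACRO_ALLOW.get((s, d), set()):
        return "deny-macro"
    # Micro layer: a device with its own policy reaches only listed peers,
    # which also blocks lateral movement inside its own segment.
    if src in MICRO_ALLOW and (dst, port) not in MICRO_ALLOW[src]:
        return "deny-micro"
    return "allow"

# Constructed sample flows: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.11", "10.40.0.5", 2575),  # pump to its server
    ("10.30.0.7", "10.20.0.11", 445),   # workstation reaching into IoMT
    ("10.20.0.11", "10.20.0.12", 445),  # pump to ultrasound, same segment
]
if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, evaluate(*flow))
```

The third flow is the case macro-segmentation alone misses: both devices sit in the same subnet, so only the per-device policy denies it.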
Upgrade or Replace Devices
Deciding whether to upgrade devices is a multi-faceted decision, but upgrading can be a crucial tool in defending against IoMT attacks.
When considering an upgrade or replacement, evaluating the cost-benefit ratio is important. Upgrading can be costly and time-consuming, but it may be worth the investment if it provides additional protection from threats without sacrificing function. However, this is rarely the case. Replacing IoMT devices is a last-resort option because it usually isn’t cost-effective.
Best practices and strategies for replacing devices include ensuring compliance with industry standards and regulations and testing for compatibility with other systems.
Accept the Risk
Sometimes, the risk of an IoMT attack cannot be remediated. In these cases, you must accept the risk and focus on mitigating damage rather than prevention. This acceptance could mean creating a plan for responding to attacks.
For instance, if a hospital’s budget is too tight to upgrade or replace a vulnerable device, it may decide to focus on monitoring instead. If a problem does occur, the IT department can be alerted immediately.
In 2020, researchers found that 83 percent of medical imaging devices rely on outdated operating systems that cannot be updated, even if hospitals wanted to.
Mitigate Medical Device Cyber Risk with Asimily
Asimily understands the importance of medical devices for a healthcare organization’s success. We provide insights and tools to help secure IoMT networks. Our platform continuously scans for vulnerabilities, provides detailed reports, and helps protect against attacks with various defenses.
Our precise inventory management system provides complete visibility into IoMT networks. We can help you track, identify, and manage vulnerable devices. Real-time alerts are sent when suspicious activity is detected, allowing IT teams to respond quickly and limit the damage from an attack.
By leveraging Asimily’s cyber risk management tools, medical organizations can protect their networks and shield the safety of their patients. Schedule a consultation with an Asimily expert to see how you can defend your hospital systems against ransomware and malware attacks with our leading risk management platform for Internet of Medical Things (IoMT).