IoT Medical Device Security: Threat Detection and Incident Response Best Practices

Now more than ever, the Internet of Medical Things (IoMT) has proven crucial for modern healthcare, with an ever-increasing number of medical practices using IoMT devices. Unfortunately, this has made healthcare an increasingly tempting target for cybercriminals, and they remain one of the most vulnerable targets for cyberattacks. Even one of the largest healthcare providers suffered a $100 million loss due to an unanticipated security breach and slow incident response.

Experts cite a lack of fundamental “cybersecurity hygiene” – such as weak authentication methods, default password hashes, and vulnerable backdoors – as the primary cause of most security incidents. Strengthening anomaly detection and improving incident response times can help ramp up your IoMT security. Below we’ll discuss incident response best practices you can implement today. 

Aligning Policies and Operational Workflow With Cybersecurity

IT professionals in healthcare facilities must be ready to fight against cyberattacks at any time. Integrating preparedness into your operational workflow is an absolute must to shield your IoMT devices against would-be hackers and malware. Thorough system audits help you discover gaps in your security and take proactive steps before something terrible happens.

A facility’s first line of defense is its information system (IS) architecture. Your IS protects your larger IoMT infrastructure against attacks by reducing the impact on core functionalities. IT teams must work with facility leaders to schedule routine system evaluations to mitigate cyberattacks and reduce their impact on core functionalities.

Detecting Suspicious Activities
Regularly monitor and detect any suspicious activity that could indicate the beginning of an attack. This evaluation is crucial to fight back sooner, as it will categorize attacks based on your existing policies. A truly robust IoMT security system should:
  • Compare device baselines against a control model to identify abnormalities
  • Tailor policies to your unique network, making it more difficult for hackers to avoid detection
  • Combine crowdsourcing intelligence, machine learning, and threat modeling to detect attacks and provide proactive solutions
  • Provide SIEM and SOAR integration through a simplified playbook-based approach
  • Work in tandem with active IoT security researchers to identify threats

Asimily provides policy management at a granular level, allowing you to set up alerts for specific incidents and tailor their policies based on particular attributes of their network of IoMT devices. This makes it quicker to hone in on unusual activity in your network and greatly reduce incident response times.

Investigating Suspicious Activities and Threats
Once you’ve identified threats, it’s time to dig into the details. IoMT security solutions must respond rapidly to cybersecurity incidents while logging critical characteristics of the breach to bolster the investigation. Any security solution you employ must:
  • Determine which IoMT devices communicate with one another and when to track cyberattacks within the network of communicating devices
  • Understand the protocols your systems and devices are using to recognize anomalies
  • Track how much data your devices transfer—before, during, and after the attack
  • Be able to run packet captures on the network to read device traffic and collect data
  • Provide clinical and biomedical teams with operational intelligence

With Asimily’s Distributed Sniffer, network analysts, and SOC teams can expedite incident response times by detecting, investigating, and responding to costly cyber attacks automatically or on demand, saving millions in lost data.

The Distributed Sniffer allows healthcare networks to capture data continuously on an arbitrary or pre-programmed interval. This information helps inform security officers to accurately and immediately identify a breach.

Responding to Cybersecurity Attacks

Not all cyberattacks are created equal. Once your team identifies and thoroughly understands the threat, flush it from your systems.

First, isolate any suspected devices to determine if an attack actually took place. Prevent any remote access C2 traffic hackers might establish during the attack and determine if users accidentally triggered a credential-theft phishing campaign. If so, change the associated credentials immediately. Once you’ve isolated the affected devices, it’s time to eradicate all traces of the attack, including its foothold. 

Asimily strategizes remediation with a unique take on the 3-step standard process for incident response to reduce the overall impact on your services. First, they attempt to patch any vulnerabilities in the system that may have allowed hackers entrance into your devices. If patching alone is not an adequate or cost-effective solution, it’s time to shift toward exploring vector mitigation. As a last resort, they turn to network segmentation to reduce the risk of a breach.

Recovery and Analysis: Post-Incident Processes

Your recovery time depends on the severity of the cyberattack. You can take steps to make immediate repairs, but getting the entire system back on track will take time. Remember, complete system restoration does not occur instantly and can be a very vulnerable time for your system Departments must keep their eyes on operational safety while IT does its job.

After a cyberattack, it’s vital that IT teams gather as much data as possible on the breach through thorough forensic and post-incident analyses. This helps uncover evidence to improve security measures, policies, and staff training. With this data in hand, your organization can update current processes to shorten incident response times during future attacks and better protect your devices.

However, just because you beat back one attack doesn’t mean another isn’t around the corner. Conduct regular preparedness and mitigation exercises to prepare your team for the next assault and identify any gaps in your security.

It’s also important to consider recovery as an extension of downtime. As IT works to restore your systems, use this opportunity to assess the degrees of functionality and whether they benefit or hinder operations. For example, are any absent capabilities hindering workflow if the system only functions in a limited capacity?

Next, begin the process of converting any paper documents back to digital format and ensure you have enough staff to provide continued support. Consider reaching out to vendors for help in recovering biomedical records and resuming suspended in-patient procedures.

Implementing Preparedness and Mitigation Exercises

Once you’ve updated your strategies, it’s time to put them to the test with regular exercises. Performing well during these trials ensures your stakeholders, vendors, and EMPs that your facility is prepared for another cyber attack.

Consider the Homeland Security Exercise and Evaluation Program (HSEEP) as a blueprint for evaluating the strength of your current systems. Some proactive measures can include:

  • Developing and testing an array of scenarios with varying severity
  • Hire a white hat to stress-test your systems
  • Leaning on a third-party IT specialist team to evaluate your strategies
  • (Re)training staff members on paper charting and manual practices in case the digital system goes down again
  • Simulating in-house communication crises—such as how to respond if phones, email, or pagers go down—as well as public-facing situations, like fielding news media and patient concerns in a crisis
Anomaly Detection & Incident Response: Best Practices for IoT With Asimily

There is no avoiding cybersecurity attacks. Vulnerabilities, frustrations, and breaches are inevitable. Healthcare organizations simply need the tools to facilitate a healthier, faster response—tools like Asimily. 

Asimily’s approach to IoMT incident response and anomaly detection allows for more accurate findings and data-backed security measures than the standard 3-step process. This includes:

  • New and emerging threat detection with custom policy management at a granular level to target every healthcare organization’s specific needs
  • Full, proactive investigation into an attacker’s actions and primary targets with Distributed Sniffer
  • Rapid response and immediate quarantining of compromised devices

If you want to learn more about Asimily’s approach to incident response for IoT, make sure to watch our webinar on managing anomalies and incident response.

To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.