IoT Medical Device Security: A Comprehensive Approach to Vulnerability Management
By Jeremy Linden, Sr. Director of Product Management, Asimily
The Internet of Medical Things (IoMT), an extension of the Internet of Things device ecosystem, has proved revolutionary for many healthcare workers. However, along with their benefits, IoMT devices also come with unique vulnerabilities that need to be accounted for. Healthcare providers relying on IoMT need to balance security and device availability for patient care.
Mitigating risks often involves disabling or limiting certain features. But limiting too much might impinge on the benefits for patients using these devices. On the other hand, without any restraints at all, these devices remain exposed to bad actors. Finding the middle ground to meet both these needs demands a new take on medical device vulnerability management.
As cyberattacks become more common, health delivery organizations (HDOs) need a smart solution to increase trust in the system. Thankfully, IoMT security solutions providers, like Asimily, can help you assess and remedy at-risk devices — so you can focus on building a robust, comprehensive medical device vulnerability management program.
Why are IoMT Devices More Difficult to Secure?
IoMT devices can prove much more difficult to protect than other IT infrastructure. Patching medical devices in the same way as other hardware is challenging due to regulatory constraints. These devices sometimes run outdated software, which, when paired with lackluster policy choices by device manufacturers, threatens your security efforts even more.
And as IoT medical devices continue their expansion in the market, the challenges will only compound. Connected machines working years after installation may lack vital security features. Network connectivity can fail, even with lives on the line. Meanwhile, human error remains an important risk factor in technical and medical activities.
What Are the Solutions? Responding and Remediating At-Risk IoMT Devices
If an unprotected medical device poses a threat, network isolation may limit the blast radius of an attack. However, this first line of defense doesn’t solve the security risk on its own. To protect against exploits, you need comprehensive vulnerability management across your entire IoMT ecosystem.
Passive or Active: Which Approach Is Right For You?
Vulnerability management tends to follow one of two dovetailing technical approaches: passive and active detection. Passive monitoring entails continuous inspection of packets traveling over the network. The monitoring identifies which software applications are running on the network and extracts information from the traffic. It can then infer any vulnerable components. Meanwhile, active scanning initiates network traffic and analyzes the responses.
Passive and active monitoring serve different purposes at different times but can also go hand-in-hand in a more comprehensive medical device vulnerability management strategy — as long as you understand the virtues and weak points of each. Using a passive IoMT platform as part of a layered security policy lets healthcare facilities prioritize and respond to multiple threats simultaneously. Your organization can assess and remedy problems in order of maximal importance as they crop up.
Medical device vulnerability management requires an accurate assessment of potential weaknesses, which underpins a robust IoMT ecosystem oversight solution. To do this, IT experts and healthcare staff identify the full range of IoMT devices and their supporting hardware, then monitor the assets for risks over time by tracking metrics like mean time to resolution (MTTR).
When thinking about IoMT vulnerability management, it’s important to understand that not all vulnerabilities are created equal. IoMT devices behave in significantly more constrained ways than traditional IT infrastructure, like laptops and desktops, and in many cases, a vulnerable component may not be used during typical operation.
Because of these nuances, a single vulnerability score, such as a Common Vulnerability Scoring System (CVSS) score, may not accurately capture the severity of the vulnerability in your environment and on your devices. Effective prioritization therefore depends on running an exploit analysis that simulates the paths an attacker could use to compromise a device. This analysis should take into account the exploit vector, as well as any mitigations, either on the device or on the network, that might affect its exploitability.
Prioritization is key when it comes to addressing IoMT ecosystem vulnerabilities. Certain IoMT devices have an outsize impact on patient safety, data, and business operations. For example, if someone’s life depends on a device, it’s critical to secure this before attending to other devices. There are simply too many connected devices and security flaws to give each one full attention. By focusing your efforts where they matter, you can prevent the most serious vulnerabilities from becoming crises.
How should you prioritize?
Sort vulnerabilities based on both likelihood and impact. Likelihood measures the exploitability of the vulnerabilities on the specific device in question. Not all vulnerabilities are equally exploitable; in other words, likelihood gives you insight into how likely it is that the device can be successfully exploited.
Impact, in turn, measures the degree of impact that a successfully exploited device would have on the healthcare organization. This includes the following scenarios:
- Patient impact: a device goes offline that keeps someone alive
- Data impact: someone’s Patient Health Information (PHI) gets stolen
- Business impact: a high-value device is offline, and a hospital has to cancel scheduled procedures
Likelihood and impact have a multiplicative effect on your risk, so both are equally important considerations. Put simply: risk equals likelihood times impact. Exploitability and impact analyses, used alongside the CVSS, can assist in prioritizing these high-value targets.
The CVSS provides a generic vulnerability severity score; however, it is not customized for individual devices and the exploitability of the vulnerability on those specific devices. As such, these scores shouldn’t be used in isolation. They’re pieces of a greater whole.
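As an added illustration (not part of the original article and not Asimily's scoring method), the Python example below ranks three constructed findings first by CVSS alone and then by likelihood times impact. The discount factors, the 0-5 impact scale, the device names and the vulnerability ids are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed discount factors (illustrative, not from the article or any vendor).
VECTOR_LIKELIHOOD = {"network": 0.9, "adjacent": 0.6, "local": 0.3}
UNUSED_COMPONENT_FACTOR = 0.2   # vulnerable component not exercised in normal operation
SEGMENTED_FACTOR = 0.3          # device already isolated; remote vectors are harder to reach

@dataclass
class Finding:
    device: str
    vuln_id: str            # constructed placeholder, not a real CVE
    cvss: float             # generic base score, identical on every device
    vector: str             # "network", "adjacent" or "local"
    component_in_use: bool
    segmented: bool
    patient: int            # impact ratings on an assumed 0-5 scale
    data: int
    business: int

def likelihood(f: Finding) -> float:
    """Device-specific exploitability: vector, then on-device and network mitigations."""
    p = VECTOR_LIKELIHOOD[f.vector]
    if not f.component_in_use:
        p *= UNUSED_COMPONENT_FACTOR
    if f.segmented and f.vector != "local":
        p *= SEGMENTED_FACTOR
    return p

def impact(f: Finding) -> float:
    """Worst of patient, data and business impact, normalised to 0-1."""
    return max(f.patient, f.data, f.business) / 5

def risk(f: Finding) -> float:
    return likelihood(f) * impact(f)   # risk = likelihood x impact

def rank(findings, key):
    return [f.device for f in sorted(findings, key=key, reverse=True)]

# Constructed sample inventory.
FINDINGS = [
    Finding("lab-workstation-07", "VULN-PLACEHOLDER-A", 9.8, "network", False, True, 1, 3, 2),
    Finding("mri-console-02", "VULN-PLACEHOLDER-B", 7.5, "network", True, True, 2, 4, 5),
    Finding("infusion-pump-12", "VULN-PLACEHOLDER-C", 6.5, "adjacent", True, False, 5, 1, 3),
]

if __name__ == "__main__":
    print("by CVSS:", rank(FINDINGS, lambda f: f.cvss))
    print("by risk:", rank(FINDINGS, risk))
```

With these sample values the two orderings are exact opposites: the finding with the highest CVSS score sits on an isolated device whose vulnerable component is unused, while the lowest-scored finding affects a reachable device with maximum patient impact.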
Asimily incorporates device-specific information to give you a more useful assessment. Relevant factors are given weights, filtering the vulnerabilities according to potential severity and impact. Then your organization can mitigate threats intelligently.
Now that you’ve prioritized the threats, it’s time to fix them. Asimily takes a multi-pronged management approach to address vulnerability remediation according to healthcare provider needs.
Remediation can take several complementary forms: patching software, applying workarounds, changing device configurations, and—if all else fails—segmentation. This armada of medical device vulnerability management strategies protects against attacks beyond the default segmentation strategy alone.
Patching is the least intrusive, quickest way to fix security flaws; however, IoMT devices are more difficult to patch than traditional IT infrastructure. Patching these devices involves navigating regulatory and patient safety constraints, unsupported operating systems, and other challenges.
Asimily makes it easy to find workarounds and configuration changes that mitigate security risks when patching isn’t an option. And when the other solutions don’t suffice, you can use segmentation where it is needed, rather than applying it more broadly than necessary.
Better Vulnerability Management for IoT Medical Devices With Asimily
Healthcare is a stressful enough industry, and let’s be honest—most healthcare professionals don’t also have IoT security backgrounds. Add to that the tough regulatory environment and high stakes, and it becomes all the more important to have robust tools and processes in place for IoMT vulnerability management. As vulnerabilities and breaches continue to affect medical organizations at an increasing rate, it’s obvious that we need new, healthier security solutions.
Automating medical device security with Asimily can help. With patient medical records increasingly traveling over the internet and in the cloud, it only makes sense to deploy a proven system for detecting, prioritizing, and remediating vulnerabilities.
Unlike many other IoT security solutions, Asimily caters to IoMT devices and the unique challenges they face. Whereas other services may lead you into a regulatory trap by failing to account for health care standards—or do not provide many options beyond segmentation—Asimily helps you navigate the minefield deftly.
Asimily also provides a detailed organizational risk score: a comprehensive organizational summary that explains detected risks and anomalies and what they might mean for the health provider down the line. The calculation combines information on active vulnerabilities with any suspicious trends to produce a percentage conveying how much danger devices pose. Tracking this score over time tells you if policies are improving the security of your network. For example, after patching a vulnerability, the graph will indicate an improvement by returning to “normal” activity. This is just one way Asimily’s features work to streamline your defense systems.