By Jeremy Linden, Sr. Director of Product Management, Asimily

 

The Internet of Medical Things (IoMT)—an extension of the Internet of Things device ecosystem—has proved revolutionary for many healthcare workers. However, along with their benefits, IoMT devices also come with unique vulnerabilities that need to be accounted for. Healthcare providers relying on IoMT specifically need to balance security and device availability for patient care.

Mitigating risks often involves disabling or limiting certain features. But limiting too much might impinge on the benefits for patients using these devices. On the other hand, without any restraints at all, these devices remain exposed to bad actors. Finding the middle ground to meet both of these needs demands a new take on vulnerability management.

As cyberattacks become more common, health delivery organizations (HDOs) need a smart solution to increase trust in the system. Thankfully, IoMT security solutions providers like Asimily can help you assess and remedy at-risk devices—so you can build a robust, comprehensive vulnerability management program.

Why are IoMT Devices More Difficult to Secure?

IoMT devices can prove much more difficult to protect than other IT infrastructure. Medical devices can’t be patched in the same way as other hardware due to regulatory constraints; accordingly, these devices sometimes run outdated software—which, when paired with lackluster policy choices by device manufacturers, threatens your security efforts even more.

And as IoT medical devices continue their expansion in the market, the challenges will only compound. Connected machines working years after installation may lack important security features. Network connectivity can fail, even with lives on the line. Meanwhile, human error remains an important risk factor in technical and medical activities.

What Are the Solutions? Responding and Remediating At-Risk IoMT Devices

If an unprotected device poses a threat, network isolation may limit the blast radius. However, this first line of defense doesn’t solve the security risk on its own. To protect against exploits, you need comprehensive vulnerability management across your entire IoMT ecosystem.

Passive or Active: Which Approach Is Right For You?

Vulnerability management tends to follow one of two dovetailing technical approaches: passive and active detection. Passive monitoring entails continuous inspection of packets traveling over the network. The monitoring identifies which software applications are running on the network by extracting information from the traffic. It can then infer any vulnerable components. Meanwhile, active scanning initiates network traffic and analyzes the responses.

Passive and active monitoring serve different purposes at different times, but can also go hand-in-hand in a more comprehensive strategy—as long as you understand the virtues and weak points of each. Using a passive IoMT platform as part of a layered security policy lets health care facilities prioritize and respond to multiple threats simultaneously. Your organization can assess and remedy problems in order of maximal importance as they crop up.

Vulnerability management requires an accurate assessment of potential weaknesses, underpinning your robust IoMT ecosystem oversight solution. To do this, IT experts and health care staff identify the full range of IoMT devices and supporting hardware, then monitor the assets for risks over time by tracking metrics like mean time to resolution (MTTR).

Exploit Analysis

When thinking about IoMT vulnerability management, it’s important to understand that not all vulnerabilities are created equal. IoMT devices behave in significantly more constrained ways than traditional IT infrastructure like laptops and desktops, and in many cases, a vulnerable component may not be used during typical operation. 

Because of these nuances, a single vulnerability score such as CVSS may not accurately capture the severity of the vulnerability in your environment and your devices. For that reason, running an exploit analysis that simulates the paths an attacker could use to compromise a device is key to effective prioritization. This analysis should take into account the exploit vector, as well as any mitigations either on the device or on the network that might affect its exploitability.

Prioritization

Prioritization is key when it comes to addressing IoMT ecosystem vulnerabilities. Certain IoMT devices have an outsize impact on patient safety, data, and business operations. For example, if someone’s life depends on a device, it’s critical to secure this before attending to other devices. There are simply too many connected devices and security flaws to give each one full attention. By focusing your efforts where they matter, you can prevent the most serious vulnerabilities from becoming crises.

How should you prioritize? Sort vulnerabilities based on both likelihood and impact. Likelihood measures the exploitability of the vulnerabilities on the specific device in question. Not all vulnerabilities are equally exploitable—in other words, likelihood gives you insight into how likely it is that the device can be successfully exploited.

Impact, in turn, measures the degree of impact that a successfully exploited device would have on the HDO. This includes the following scenarios:

  • Patient impact, e.g. a device goes offline that’s keeping someone alive
  • Data impact, e.g. someone’s Patient Health Information (PHI) gets stolen
  • Business impact, e.g. a high-value device is offline, and a hospital has to cancel scheduled procedures

Likelihood and impact have a multiplicative effect on your risk, so they are equally important considerations. Put simply: risk equals likelihood times impact. Exploitability and impact analyses can assist in prioritizing these high-value targets, as can the Common Vulnerability Scoring System (CVSS).

The CVSS provides a generic vulnerability severity score; however, it is not customized for individual devices and the exploitability of the vulnerability on those specific devices. As such, these scores shouldn’t be used in isolation. They’re pieces of a greater whole.
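The ranking described under Exploit Analysis and Prioritization can be sketched as follows. This is an added example, not Asimily's scoring method or code from the original article: the device names, placeholder vulnerability ids, 0-5 impact scale, likelihood multipliers and the choice to take the worst of the three impact types are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    device: str              # constructed device name
    vuln: str                # placeholder id, not a real CVE
    cvss: float              # generic base score, 0-10
    component_in_use: bool   # vulnerable component used in typical operation
    vector_reachable: bool   # exploit vector reachable on this network
    mitigated: bool          # compensating control on device or network
    patient: int             # impact ratings, 0-5 (assumed scale)
    data: int
    business: int

def likelihood(f: Finding) -> float:
    """Device-specific exploitability in [0, 1]; multipliers are assumptions."""
    score = f.cvss / 10.0
    if not f.component_in_use:
        score *= 0.2
    if not f.vector_reachable:
        score *= 0.3
    if f.mitigated:
        score *= 0.5
    return score

def impact(f: Finding) -> float:
    """Worst of patient, data and business impact, scaled to [0, 1]."""
    return max(f.patient, f.data, f.business) / 5.0

def risk(f: Finding) -> float:
    return likelihood(f) * impact(f)   # risk = likelihood x impact

def rank_by_risk(findings):
    return sorted(findings, key=risk, reverse=True)

def rank_by_cvss(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

# Constructed sample findings
FINDINGS = [
    Finding("lobby-kiosk-02", "VULN-A", 9.8, False, True, True, 0, 1, 1),
    Finding("pacs-archive-01", "VULN-B", 8.1, True, True, True, 1, 5, 4),
    Finding("infusion-pump-07", "VULN-C", 7.5, True, True, False, 5, 1, 3),
    Finding("mri-scanner-03", "VULN-D", 6.5, True, False, False, 2, 2, 5),
]

if __name__ == "__main__":
    for f in rank_by_risk(FINDINGS):
        print(f"{f.device:18} cvss={f.cvss:<4} risk={risk(f):.3f}")
```

With this sample data the kiosk carries the highest CVSS score but lands last once the unused component, the mitigation and the low impact are factored in, while the unmitigated infusion pump moves to the top.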

Asimily incorporates device-specific information to give you a more useful assessment. Relevant factors are given weights, filtering the vulnerabilities according to potential severity and impact. Then your organization can mitigate threats intelligently.

Remediation

Now that you’ve prioritized the threats, it’s time to fix them. Regarding vulnerability remediation, Asimily takes a multi-pronged management approach to address health care provider needs.

Remediation can take several complementary forms: patching software, applying workarounds, changing device configurations, and—if all else fails—segmentation. This armada of vulnerability management strategies protects against attacks beyond the default segmentation strategy alone.

Patching is the least intrusive, quickest way to fix security flaws; however, IoMT devices are more difficult to patch than traditional IT infrastructure. Patching these devices involves navigating regulatory and patient safety constraints, unsupported operating systems, and other challenges.

Asimily makes it easy to find workarounds and configuration changes that mitigate security risks when patching isn’t an option. And when the other solutions don’t suffice, you can use segmentation where it is needed, rather than applying it more broadly than absolutely necessary.

Better Vulnerability Management for IoT Medical Devices With Asimily

Health care is a stressful enough industry, and let’s be honest—most health care professionals don’t also have IoT security backgrounds. Add to that the tough regulatory environment and high stakes, and it becomes all the more important to have robust tools and processes in place for IoMT vulnerability management. As vulnerabilities and breaches continue to affect medical organizations at an increasing rate, it’s obvious that we need new, healthier security solutions.

Automating medical device security with Asimily can help. With patient medical records increasingly traveling over the internet and in the cloud, it only makes sense to deploy a proven system for detecting, prioritizing, and remediating vulnerabilities.

Unlike many other IoT security solutions, Asimily caters to IoMT devices and the unique challenges they face. Whereas other services may lead you into a regulatory trap by failing to account for health care standards—or do not provide many options beyond segmentation—Asimily helps you navigate the minefield deftly.

Asimily also provides a detailed organizational risk score: a comprehensive organizational summary that explains detected risks and anomalies and what they might mean for the health provider down the line. The calculation combines information on active vulnerabilities with any suspicious trends to produce a percentage conveying how much danger devices pose. Tracking this score over time tells you whether policies are improving the security situation. For example, after patching a vulnerability, the graph will indicate an improvement by way of returning to normal activity. This is just one way Asimily’s features work to streamline your defense systems.

 

Reach out to Asimily today to tune in to their webinar series on vulnerability management and schedule a service demo.