By Jeremy Linden, Sr. Director of Product Management, Asimily


Now
more than ever, the Internet of Medical Things (IoMT) has proven crucial for modern health care, with an ever-increasing number of medical practices using IoMT devices. Unfortunately, they remain one of the most vulnerable targets for cyberattacks, with even some of the largest healthcare providers suffering a $100 million loss due to an unanticipated security breach and lack of timely incident response.

Experts cite a lack of fundamental “cybersecurity hygiene” as the primary cause of most security incidents. These “lacks” include weak authentication methods, default password hashes, and vulnerable backdoors hackers can find in the debugging logs.

Ramp up your IoMT security systems by strengthening anomaly detection and increasing incident response time. What best practices can you implement today?

 

Aligning Policies and Operational Workflow With Cybersecurity

IT professionals in healthcare facilities must be ready to fight against cyberattacks at all times. Integrating preparedness into your operational workflow is an absolute must to shield your IoMT devices against would-be hackers and malware. Thorough system audits help you discover gaps in your security, allowing you to take proactive steps before something terrible happens.

To mitigate cyberattacks effectively and increase incident response time, IT teams must work with facility leaders to schedule routine system evaluations. A facility’s first line of defense is its information system (IS) architecture. Your IS protects your larger IoMT infrastructure against attacks by reducing the impact on core functionalities.

 

Detecting Suspicious Activities

The first step is to monitor and detect any suspicious activity that could indicate the beginning of an attack. This evaluation is crucial to early detection and fighting back, as it will categorize attacks based on your existing policies. A truly robust IoMT security system should:
  • Compare device baselines against a control model to identify abnormalities during an attack
  • Tailor policies to your unique network, making it more difficult for hackers to avoid detection
  • Combine crowdsourcing intelligence, machine learning, and threat modeling to detect attacks and provide proactive solutions
  • Provide SIEM and SOAR integration through a simplified playbook-based approach
  • Work in tandem with active IoT security researchers to identify threats

Asimily, for example, in addition to anomaly and threat detection, provides policy management at a granular level. This capability gives them the ability to tailor their policies based on particular attributes of their network of IoMT devices and set up alerts for specific incidents. This then allows them to hone in on any unusual activity in their network as fast as possible, greatly reducing incident response times.

 

Investigating Suspicious Activities and Threats

Once the threats have been identified, it’s time to dig into the details. IoMT security solutions must respond rapidly to cybersecurity incidents while simultaneously logging critical characteristics of the breach to bolster the investigation. Any security solution you employ must:
  • Determine which IoMT devices communicate with one another and when to track cyberattacks within the network of communicating devices
  • Understand the protocols your systems and devices are using to recognize anomalies
  • Track how much data your devices transfer—before, during, and after the attack
  • Be able to run packet captures on the network to read device traffic and collect data
  • Provide clinical and biomedical teams with operational intelligence

Asimily can help your network analysts and SOC teams expedite incident response times and protect your devices from cyberattacks. Asimily offers the Distributed Sniffer, their own industry-leading software that works to detect, investigate, and respond to costly cyber attacks, saving you millions in lost data.

 

The Distributed Sniffer allows healthcare networks to capture data continuously on an arbitrary or pre-programmed interval. This information helps inform security officers to accurately and immediately identify a breach.

 

Responding to Cybersecurity Attacks

Not all cyberattacks are created equal. Once your teams identify the threat and thoroughly understand it, it’s time to flush it from your systems.

First, isolate any suspected devices to determine if an attack has in fact taken place. Prevent any remote access C2 traffic hackers might establish during the attack and determine if users accidentally triggered a credential-theft phishing campaign. If so, change the associated credentials immediately.

Once you’ve isolated the affected devices, it’s time to eradicate all traces of the attack—including its foothold. Asimily strategizes remediation with a unique take on the 3-step standard process for incident response to reduce the overall impact on your services. First, they attempt to patch any vulnerabilities in the system that may have allowed hackers entrance into your devices. If patching alone does not serve as an adequate or cost-effective solution, it’s time to shift toward exploring vector mitigation. As a last resort, they turn to network segmentation to reduce the risk of a breach.

 

Recovery and Analysis: Post-Incident Processes

Your recovery time depends on the severity of the cyberattack. You can take steps to make immediate repairs—but getting the entire system back on track will take time. Remember, complete system restoration does not occur instantly. The repair phase is a vulnerable time. Departments must keep their eyes on operational safety while IT does its job.

After an attack, IT teams must gather as much data as possible on the breach with thorough forensic and post-incident analyses. This helps uncover evidence to improve security measures, policies, and staff training. With this data in hand, your organization can update current processes to shorten incident response times during future attacks.


Just because you beat back one attack doesn’t mean another isn’t around the corner. Conduct regular preparedness and mitigation exercises to prepare your team for the next assault.

Consider recovery as an extension of downtime. As IT works to restore your systems, use this opportunity to assess degrees of functionality and whether they benefit or hinder operations. For example, are absent capabilities hindering workflow if the system only functions in a limited capacity?

Next, begin the process of converting any paper documents back to digital format. Ensure you have available staff to provide continued support and ask whether vendors can assist in recovering biomedical records and resuming suspended in-patient procedures.

 

Implementing Preparedness and Mitigation Exercises

Once you’ve updated your strategies, it’s time to put them to the test with regular exercises. Performing well during these trials ensures your stakeholders, vendors, and EMPs that your facility is prepared for another cyber attack.

 

Consider the Homeland Security Exercise and Evaluation Program (HSEEP) as a blueprint for evaluating the strength of your current systems. Some proactive measures can include:
  • Developing and testing an array of scenarios with varying severity
  • Hire a white hat to stress-test your systems
  • Lean on a third-party IT specialist team to evaluate your strategies
  • (Re)train staff members on paper charting and manual practices in case the digital system goes down again
  • Simulate in-house communication crises—such as how to respond if phones, email, or pagers go down—as well as public-facing situations, like fielding news media and patient concerns in a crisis

Anomaly Detection & Incident Response: Best Practices for IoMT With Asimily

There are no avoiding cybersecurity attacks. Vulnerabilities, frustrations, and breaches are inevitable. Healthcare organizations simply need the tools to facilitate a healthier, faster response—tools like Asimily. Thus exemplifying the need for new and healthier approaches.

See Asimily’s approach to IoMT incident response and anomaly detection allows for more accurate findings and data-backed security measures than just the standard 3-step process. This includes:

  • New and emerging threat detection, leveraging custom policy management at a granular level to target every HDO’s specific needs.
  • A full, proactive investigation into an attacker’s actions and primary targets with a Distributed Sniffer.
  • Rapid response and immediate quarantining of compromised devices.

Register for Asimily’s upcoming webinar to learn more about their approach to incident response for IoMT devices. Get in touch with the cybersecurity experts at Asimily to schedule a free demo and reduce your operational inefficiencies and device downtimes today.