The struggles that healthcare delivery organizations (HDOs) face with securing their critical systems are nothing new. Budgetary constraints and an ever-evolving risk landscape, along with tech debt and other issues, result in limited investment in securing critical connected equipment. This creates the risk of a security incident triggering interruptions in patient care and lost revenue. 

The average cost of a healthcare breach rose to $10.93 million in 2023 according to IBM data, which makes it imperative for HDOs to have a solid defensive strategy. Unfortunately, too many healthcare organizations remain vulnerable to a rising tide of cyberattacks. And there is a substantial number, with 725 data breaches of more than 500 records reported to the Office of Civil Rights in 2023. All told that makes 133 million patient records and other data from HDOs that were exposed in 2023. 

Internet of Medical Things (IoMT) like infusion pumps or hospital beds with sensors built in present some of the most significant cybersecurity risks in this complicated threat environment. Unfortunately, these systems sometimes have limited security standards built in and often get used far beyond their lifespan because it’s unlikely for connected equipment to be taken out of rotation for service or regular patching. 

It’s this need for constant use that makes traditional vulnerability management tooling ineffective at best for detecting and mitigating the weaknesses in IoMT devices. An alternate approach focused on recommendations is how Asimily seeks to resolve this issue. 

Patching and Segmentation Aren’t Always Feasible

If public vulnerability discovery had a sound, it would be a starter’s pistol. That’s because every criminal in the world using a vulnerability is now in a race… against defenders on cybersecurity teams. When the vulnerability is fixed and defenses deployed, the value criminals get from their exploit drops to near zero. 

Traditional vulnerability management solutions focus on patching identified issues or segmenting problem devices from the rest of the system architecture, to reduce the potential damage from successful exploitation of that device. This is a sound approach when it can be put into action and the long-term complexity costs are manageable.  For example, in manufacturing, segmenting a machine on the assembly line that can’t be updated because it won’t support a newer operating system than Windows XP is a logical way to keep the rest of your systems secure. 

Similarly, the best practice in operational technology and Internet of Things security is to patch the security vulnerabilities as soon as possible. Take the device offline, install the patch, and reboot the machine to close down any possibility of a cyberattack. 

Neither of these methods works all the time in a healthcare setting. 

A connected pacemaker can’t be taken out of a patient to have a patch installed, nor can it be turned off. An MRI machine can’t necessarily be segmented into its own network; it is going to need to export images for analysis elsewhere, likely via PACS and DICOM. The devices and equipment used in a healthcare setting are leveraged in too many ways at too high a volume for the classic advice of patch or segment to be universally applicable. 

Sometimes the patch isn’t even available. HDOs tend to use connected equipment for more than a decade, with the average age of an MRI machine at 13 years according to recent data. Moreover, 60% of IoMT devices are already at their end-of-life stage and no longer supported. There are no guarantees that an identified vulnerability will actually have a patch available to resolve it. 

What patch there could be may also be expensive to implement, especially if a machine needs to be taken out of use for it to be applied. HDOs have limited freedom to apply patches to their OT and IoMT equipment. Infusion pumps, MRIs, CT scanners, and other connected devices regularly used throughout the medical campus need to be available. Taking any such piece of equipment out of rotation for an extended period of time, especially if the patch requires a slow or complex process, is not feasible for HDOs already running on thin margins. 

Something else often needs to be done, which is why Asimily takes a different approach to vulnerability management. 

The Asimily Recommendation Approach: A More Nuanced Way 

The problem with suggesting a patch or segment methodology in all cases is that it ignores the specific context of each device. It takes the CVE (Common Vulnerabilities and Exposures) and its attached CVSS (Common Vulnerability Scoring System) as universal truths about the severity of a vulnerability. That’s not true for every customer and device’s configuration.  Each piece of OT and IoMT equipment connects to an HDO’s network in a different way and communicates with different devices through regular operation. Understanding that context, including communicating pathways and expected behavior, is vitally necessary for truly reducing the risk of a cyberattack. 

Maybe it’s not necessary to apply a patch for devices that don’t communicate with the entire network. Perhaps it’s possible to avoid microsegmentation if an OT system is already limited in its communications or an IoMT sensor is installed with minimal permissions. Most vulnerability management solutions don’t take that knowledge into account. 

Unlike other offerings in the industry, Asimily is designed to understand the specific context of how each device is configured, where it sits in the system architecture, its importance to the organization, and how likely it is to be exploited. 

When the platform scans an HDO’s network to build an inventory of all connected OT and IoMT devices, it identifies each device based on every datum available, including: 

• Operating system
• IP address
• MAC address
• Open Port numbers
• Applications
• Hostname
• Version number

As part of this identification, Asimily maps the entire system architecture to understand how each device interacts with the rest of the network. This includes communication flows and expected behavior, empowering security teams with insight into how their OT and IoMT systems interact and interoperate. Asimily uses this information to first identify vulnerabilities in OT/IoMT devices and then provide recommendations based on the importance of the device and how likely the device is to be exploited. 

A connected medical device may have a critical vulnerability, but if it only communicates with one specific workstation and doesn’t have any other permissions, then perhaps that vulnerability can be deprioritized. Asimily would provide this recommendation as part of its vulnerability identification, ensuring that security and health technology management (HTM) teams don’t spend their time patching a vulnerability with minimal impact on security posture. A recommendation from Asimily takes extensive information into account. It does this to provide real risk reduction guidance in the most effective way possible, understanding the real attack surface of an HDO and the real risk of a cyberattack on every piece of connected medical equipment. Not every critical vulnerability is likely to be exploited in every system context. The ability to prioritize which vulnerability to resolve saves time, and money, and makes HDOs more secure.

Better Results in Less Time with Asimily 

It takes an average of 88 days to patch a critical vulnerability, according to research. This includes deploying the patch, QA, and testing to ensure nothing unintentionally breaks elsewhere in the system. Given this time commitment, it’s imperative that security teams know as quickly as possible whether the critical vulnerability is likely to impact their systems or whether it’s only critical in a specific situation. 

With Asimily, HDOs can make this determination quickly and efficiently. The platform is designed to provide crucial decision-making insight that empowers security teams to decide which vulnerabilities to patch or other mitigations to deploy. Ultimately, this means that Asimily customers reduce the risk of a cyberattack successfully compromising patient data and other information more effectively than alternate solutions. And they do this while committing less staff time, shorter equipment downtimes, and mitigating the real risk of a breach.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.