The Cost of Upgrading Connected IoMT Devices 

Internet of Medical Things (IoMT) devices are crucial in improving the patient experience. Unfortunately, they can also be prime targets for cyber attacks. IoMT devices often lack essential security controls or have critical vulnerabilities that threat actors can try to exploit, and medical device manufacturers lack incentives to improve device security. The global IoMT market was $47.32 billion in 2023 and is projected to grow from $60.03 billion in 2024 to $814.28 billion by 2032. Despite the exponential growth, data from Forrester shows that IoT devices continue to be among the most vulnerable endpoints as their designs prioritize real-time data capture and integration at the expense of security.

HDOs may consider upgrading or replacing vulnerable IoMT devices to avoid the operational disruption of a cyber attack. While tempting, upgrading or replacing a device has its challenges and financial burdens. As an alternative, HDOs can also consider future-proofing their IoMT devices against cyber attacks.

Benefits and Risks of Connected IoMT Devices

IoMT devices offer numerous health benefits to patients. They increase care accessibility by providing remote, real-time patient health monitoring, which supports personalized treatment and better chronic disease management. IoMT devices are also rife with vulnerabilities, which introduce security risks.

There are an average of 6.2 vulnerabilities per medical device, with recalls issued for critical devices such as pacemakers and insulin pumps with known security issues. Because IoT devices have access to a wider network of connected devices, they can provide a pathway for threat actors to access or steal patient data or even deploy ransomware.

Medical device manufacturers are known for taking a long time to release patches for vulnerabilities, even if patches are made available. Further complicating the matter, 60% of IoMT devices are already end-of-life (EOL) and no longer supported.

Understandably, many HDOs may consider upgrading or replacing vulnerable IoMT devices to reduce their cyber risk profile. Still, the decision is not as clear-cut as it may initially seem.

The Challenge of Upgrading IoMT Devices

Healthcare has always been a favorite target for threat actors. When cyber attacks disrupt operations, the impact can be severe— surgeries may need to be rescheduled, patients may need to be transferred to other facilities, and sensitive patient information may be accessed or stolen. Of course, threat actors know that healthcare facilities have a low tolerance for operational downtime and that many have fragile security environments; that’s part of what makes them ideal targets.

The growing threat of cyber attacks necessitates that HDOs take preventative steps to secure IoMT devices, but many hospitals operate on razor-thin margins post-COVID. As of January 2024, Syntellis found that the median operating margin was 5.2% year to date. Many HDOs have also been impacted by the cybersecurity skill shortage, meaning they likely lack the in-house support to successfully deploy and harden new devices.

In addition to budgetary concerns, upgrading or replacing a vulnerable IoMT device should be a last-ditch solution. These devices often come with an EOL operating system to minimize costs, and an ‘upgrade’ can fail to have any meaningful risk reduction. For example, an upgrade from Windows XP to Windows 7 may seem more secure, but Windows 7 is still unsupported and doesn’t receive new security patches.

So what are HDOs to do? Instead of purchasing new devices, HDOs can opt to future-proof vulnerable IoMT devices against cyber attacks.

The Asimily Approach to IoMT Device Security

Conventional wisdom for patching (patches regularly and often) doesn’t work in a healthcare setting. Patching requires taking a device offline and may take several hours to complete, which conflicts with the high-use nature of IoMT devices.

Asimily takes a different approach to vulnerabilities and patching.

Vulnerability management is inexact because it lacks context. Vulnerabilities are identified by common vulnerabilities and exposures (CVE) and scored using the common vulnerability scoring system (CVSS). While a CVSS score is generally used as the source of truth for severity, it’s inaccurate for every network device. Every IoMT device interacts with an HDO’s network differently. Understanding the context in which a device is vulnerable necessitates knowing its communication pathways and expected behavior.

Asimily scans an HDO’s entire network to build an inventory of all connected IoMT devices. From here, it can understand the specific context of each device, where it sits in the network, what information it can store and access, and how likely it is to be exploited. Using all of this information, Asimily can determine if patching is necessary and provide HDOs with targeted recommendations for securing their devices.

For example, if Asimily detects an IoMT device with a critical vulnerability, but that device only communicates with one workstation and has no advanced privileges, then maybe that vulnerability can be deprioritized. Not every vulnerability is a path to exploit, and not every vulnerable IoMT device needs upgrading or replacing.

The ability to determine whether patching is necessary and prioritize which vulnerabilities to patch saves time and provides HDOs with peace of mind that their network is more secure.

How Asmily’s Vulnerability Prioritization and Management Helps Secure Healthcare Facilities

HDOs need to secure their networks against the persistent risk of cyber attacks, but the solution isn’t to overspend on new IoMT devices, especially in an era of reduced budgets and talent shortages. Instead, HDOs should consider a risk-based approach to security and vulnerability management.

A risk-based approach includes conducting regular vulnerability scans of network-accessible infrastructure to identify IoMT security holes and prioritizing resolving the biggest risks first. Asimily’s inventory and vulnerability detection capabilities ensure you can identify critical assets and resolve business-critical weaknesses across your entire attack surface. In the event of a cyberattack, our platform, with its rapid response features, quickly captures packets to aid incident responders.

With Asimily, security teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security. When HDOs have complete insight into the devices connected to their network, they can save resources and focus on what matters — providing patient care.

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.