Networked medical devices – such as patient monitoring devices and advanced imaging technology – can greatly improve patient care. Unfortunately, like other internet of things (IoT) devices, these internet of medical things (IoMT) devices also present cybersecurity concerns that ultimately could put patient lives at risk.
Many healthcare organizations are coming to recognize that technology alone cannot mitigate these risks – what’s needed is a comprehensive approach that also addresses the people and process components of the IoMT cybersecurity challenge.
Patient Safety Risks of IoMT Devices
IoMT devices are changing healthcare dramatically, and the pace of change shows no sign of slowing down. One study estimates that 87 percent of healthcare organizations will be using IoT technology by 20191. Unfortunately, these advances also come with a downside: the risk of serious harm from cyberattacks that can negatively affect patient care and safety.
In May 2017, a massive ransomware attack involving the WannaCry virus shut down operations at 48 healthcare provider organizations across the United Kingdom.2 Barely one month later, a similar attack forced a number of U.S. hospitals to postpone surgeries and other patient care.3 Dozens of similar ransomware attacks have been reported at all types of healthcare providers, large and small, across the nation.4
Attacks that cause medical device outages or delays in treatment can have serious medical consequences. In September 2017, researchers ran an exercise designed to simulate a three-day malware attack on hospitals in the Phoenix area. The exercise revealed that patient deaths were likely to occur almost immediately – on day one of the event – as malware shut down elevators, HVAC systems, refrigeration facilities, and other critical components in the patient’s path of care, causing treatment delays and high-risk patient evacuations.5
Moving Beyond Compliance
Regulatory agencies and healthcare industry groups have responded to IoMT security concerns with several high-profile initiatives. Examples include the Food and Drug Administration guidance for “Postmarket Management of Cybersecurity in Medical Devices” (Dec. 28, 2016)6, the Health Care Industry Cybersecurity Task Force report to Congress (June 2, 2017)7, and the Health Information Technology for Economic and Clinical Health Act of 2009, which augmented Health Insurance Portability and Accountability Act requirements to include IoMT devices.8
Unfortunately, many such regulatory responses are issued as guidance and thus are not enforced. In addition, they typically do not include prescriptive actions to actually mitigate risks, nor do they prescribe specific technological requirements for maintaining system operability.
For these reasons, IoMT cybersecurity should be approached not as a compliance issue but rather as a patient care and risk management issue. The objective is not regulatory compliance – it is protecting patients from harm and protecting the organization from loss or damage.
Understanding the Path of Care and the Intersections With Technology
Patient care and safety are obviously of paramount concern in any healthcare organization. The way patients engage with technology and data can have a direct impact on their ability to get the care they need. Just as a path analysis can help identify gaps in quality of care, identifying the critical technology failure points in the path of care can highlight areas of concern where patient safety could be jeopardized.
For example, if the software that operates elevators was the target of a malicious attack, would a hospital be able to get patients to all areas of the facility in their time of need? If IP security cameras were hijacked, would it be able to monitor the security of drugs, equipment, and people? If physician paging systems were disabled, would patients still get the help they need? Realistically, would a hospital be able to provide diagnostic, clinical, and therapeutic care in the event its electronic medical records system was brought down?
In addition to understanding the many specific points of concern in the path of care, it also is important to understand the recurring security challenges that IoT devices in general can present. For example, many IoMT devices operate on older operating system platforms that no longer are supported by the manufacturer with security upgrades or patches. Quite often, the devices are not even capable of being patched at all or the financial or other costs to patch or upgrade are prohibitive.
The situation is further complicated by the fact that healthcare providers employ many other IoT devices that are not medical devices at all. These include security cameras, telecommunications devices, and controls for building systems such as lighting, HVAC, and elevators.
Often these devices have little to no protection from hackers, yet they are commingled into the same internal IT networks as sophisticated imaging and diagnostic tools, patient monitors, infusion pumps, and other devices directly related to patient care. In many cases, there is not even network segmentation between these various systems.
Visibility: The First Step Toward Effective IoMT Risk Management
Because healthcare delivery organizations today are likely to employ thousands of networked devices, and because any of these devices could provide hackers with an entry point, a critical first step in effective IoMT risk management is to specifically identify and track these various devices and data systems. Any healthcare organization that contends it has a sufficient asset management process and inventory system should credibly challenge that assertion, given the thousands of devices that are likely in place at any point in time.
In most cases, an essential first step is to implement technology that is capable of providing real-time visibility into the network. A landmark 2016 Gartner study identified the capability to provide “visibility and control” as a major component of the overall IoT security market.9
Beyond technology alone, however, effective visibility is also a function of people and processes. In addition to building a comprehensive inventory of networked devices, an organization also needs to understand and document how these devices are tracked and maintained. Furthermore, there should be clear understanding as to how any third parties involved support these devices. It also is important to have visibility into normal network usage patterns and behaviors in order to be able to recognize suspicious activity, logon, and traffic patterns.
Classification: Setting Priorities for IoMT Risk Management
Once an initial inventory has been compiled, the next step is to identify which of the thousands of devices and systems are the top cybersecurity priorities. To do this, an organization must first determine the risk factors that define those priorities.
Such risk factors can include patient safety concerns, potential single-point-of-failure instances, unsupported software, insecure configurations, the criticality of the data involved, and the relative ease of theft, to name just a few. This information should be risk-ranked and then incorporated into the inventory of devices.
Using such a risk-based approach enables a healthcare organization to prioritize cybersecurity projects by identifying and stratifying risk among all medical devices. It should identify those devices that can be made secure and those that need to be isolated. In addition, it should put governance in place so that new devices will be worked into the inventory when they are added.
Awareness: A Frequently Missed Step
Training is always a critical requirement in healthcare organizations. In the case of cybersecurity, the necessary training ranges from the narrow – such as teaching alternative procedures if a critical piece of therapeutic technology is unavailable – to the very broad – such as how to manage patient triage if communications systems go down.
Remember also that cybersecurity is everyone’s job, so all system users should be trained on safe practices. As with all training, repetition and hands-on exercises are key to solidifying concepts and procedures.
The organization should begin by identifying who is responsible for awareness of cybersecurity risks from IoMT devices. These responsibilities can be assigned to third-party vendors, IT staff, or clinical personnel, but in most cases a combination of perspectives and expertise will be needed, so it’s important to clarify who is responsible for orchestrating the collaboration.
Risk Mitigation and Controls
Visibility, classification, and awareness are prerequisites for the ultimate objective: effective IoT risk mitigation. The prior steps must be achieved before layering controls into the organization because the nature of the controls will depend upon the identification and classification of devices and the risks those devices present.
Examples of basic controls include segmenting or isolating IoMT devices from other networked devices and changing the default configurations for devices’ passwords, ports, and protocols. Other essential practices include updating firmware, installing all available patches or applying mitigating controls, and updating logging and monitoring solutions to reflect current usage patterns and activity levels.
Moreover, just as the clinical engineering department systematically tests and calibrates medical devices, qualified team members also should perform regular security assessments.
The use of IoMT devices is certain to continue growing over the coming years – as will the potential for risk. Mitigating this risk will require a proactive, risk-based approach that identifies and inventories networked devices, recognizes and prioritizes risks, and is enabled by sound governance and controls. By pursuing such an approach, healthcare delivery organizations can begin to establish effective cybersecurity risk management strategies that allow them to take advantage of the many benefits that IoT devices can offer, while at the same time advancing patient care and safety.
Learn More
Raj Chaudhary
Principal, Crowe Risk Consulting
+1 312 899 7008
raj.chaudhary@crowehorwath.com
Chris Reffkin
Crowe Risk Consulting
+1 317 208 2547
chris.reffkin@crowehorwath.com
1 Heather Landi, “Study: 87 Percent of Healthcare Organizations Will Adopt IoT Technology by 2019,” Healthcare Informatics, March 2, 2017, https://www.healthcare-informatics.com/news-item/mobile/study-87-percent-healthcare-organizations-will-adopt-iot-technology-2019
2 Chris Johnston, Graham Russell, Sam Levin, Julia Carrie Wong, and Kevin Rawlinson, “Disruption From Cyber-Attack to Last for Days, Says NHS Digital,” The Guardian, May 13, 2017, https://www.theguardian.com/society/live/2017/may/12/england-hospitals-cyber-attack-nhs-live-updates
3 Heather Landi, “PA Health System, Health IT Vendor Affected by Global ‘Petya’ Ransomware Attack,” Healthcare Informatics, June 28, 2017, https://www.healthcare-informatics.com/article/cybersecurity/pa-health-system-health-it-vendor-affected-global-petya-ransomware-attack
4 “The Biggest Healthcare Breaches of 2017 (So Far),” Healthcare IT News, Oct. 12, 2017, http://www.healthcareitnews.com/slideshow/biggest-healthcare-breaches-2017-so-far?page=1
5 Iain Thomson, “Docs Ran a Simulation of What Would Happen if Really Nasty Malware Hit a City’s Hospitals. RIP :(,” The Register, Sept. 26, 2017, http://www.theregister.co.uk/2017/09/26/malware_hospital_simulation/
6 “Postmarket Management of Cybersecurity in Medical Devices,” U.S. Food & Drug Administration, Jan. 22, 2016, https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf
7 “Report on Improving Cybersecurity in the Health Care Industry,” Health Care Industry Cybersecurity Task Force, June 2, 2017, https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf
8 Elizabeth Snell, “Why Guidance Is Critical for Strengthening Healthcare Cybersecurity,” HealthITSecurity, Sept. 13, 2017, https://healthitsecurity.com/news/why-guidance-is-critical-for-strengthening-healthcare-cybersecurity
9 “Market Guide for IoT Security,” Gartner Reprint, Oct. 3, 2016, https://www.gartner.com/doc/reprints?id=1-3L0XLHL&ct=161031&st=sb
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.