Combating Security Risks is Especially Tough with Medical IoT Devices – Here’s Why

The following is a guest article by Constancio Fernandes, VP of Engineering at Asimily.

The security teams at healthcare systems tasked with safeguarding massive fleets of Internet of Medical Things (IoMT) devices are used to getting a heavy dose of cybersecurity patch advisories—the challenge is what to do next.

There has been no shortage of these urgent alerts flagging complex IoMT device vulnerabilities over the past few years, from the aptly named Urgent/11 to SweynTooth, GRUB2, and countless others. However, those alerts don’t offer security teams any insights into the actual risk posed to their healthcare organizations. In fact, it’s usually not even clear which internet-connected devices the known vulnerabilities impact, or how critical it is to take action and mitigate those issues.

Security and IT teams grappling with the nuances of securing IoMT vulnerabilities must overcome four specific challenges:

1) A Clear Understanding that the IoMT is Unique.

IoMT security has its own unique set of factors unlike those in any other IoT-saturated industry.

These connected medical devices can affect patient health and the integrity of clinical operations. Even monitoring devices with no internal data storage or ability to impact patients can serve as entry points for dangerous attacks. And, tight regulations on IoMT manufacturers and their devices mean that directly applying patches isn’t even always an option. 

Organizations usually react to cybersecurity alerts by taking steps to recognize and patch endpoints and servers endangered by vulnerabilities. However, the pace and quantity of new vulnerabilities are overwhelming. In practice, security teams must address tens of thousands of vulnerabilities—which affect their thousands of devices—with the limited resources at their disposal. The challenge for the security team becomes accurately prioritizing its focus to zero in on vulnerabilities that actually present urgent risks.

2) Organizations Often Can Only Patch IoMT Device Vulnerabilities at Their Own Risk.

Security teams cannot deploy patches as readily as they’d like, for reasons ranging from the limitations of legacy devices and clinical priorities that take precedence over patching to regulatory limits placed on IoMT device manufacturers. That last factor includes FDA requirements dictating that manufacturers must perform a careful risk assessment along with any change to a device or its installed software, to ensure that the device still operates as intended following a patch.

At the same time, the FDA offers post-market guidance to healthcare organizations, advising that they actively evaluate their network security to protect their hospital systems. Organizations must therefore make a series of crucial decisions, repeatedly weighing the danger of leaving a vulnerable device unpatched versus the danger of applying an available patch at their own risk. If the team deems applying the patch to be the most secure approach, the organization takes sole responsibility for the results of that decision—both from an IT security perspective and any future impact that device has on patient care. Making that bold call can achieve decisive improvements to healthcare outcomes, but it requires a security team with the capabilities and maturity to see it through.

3) Prioritizing Vulnerabilities Requires a Risk-Based Approach Paired with an Understanding of how IoMT Threats Develop.

With thousands of devices to secure and ten times as many vulnerabilities looming, accurate across-the-board prioritization is essential if security teams are going to keep their heads above water. That means prioritizing threats, prioritizing resources, and being ready to mitigate risks without relying on IoMT device manufacturers. Scenarios arise where no manufacturer patch is available, and tactics such as network-based segmentation or quarantines are inapplicable or simply ineffective. 

The ability to measure the true risk an IoMT device vulnerability represents requires a sophisticated assessment of how attackers take advantage of potential exploits, accounting for the specific environment, endpoints, and connections in question. Differentiating the limited number of actual immediate dangers—versus the countless device flaws that are rendered benign by their given configuration and use case—is essential to giving IoMT security teams a chance from a resource efficiency perspective.

4) It’s Crucial to Implement IoMT Security Features that Enable Accurate Risk Assessment.

Security teams need effective tools to help flag the IoMT risks that truly need attention. That strategy needs to include deep packet parsing, automated exploit analysis fueled by AI/ML algorithms, and other tools attuned to the specific dangers and behaviors of IoMT devices and networks. Teams and their tools should also leverage the manufacturer disclosure statements for medical device security (MDS2 forms), which document each device’s built-in security capabilities, in their risk analysis. That data will often reveal the potential for attacks to exploit device vulnerabilities in a given environment, as well as information that leads teams to the right mitigation tactics. Even when applying a patch isn’t an option, applying the right technical or administrative controls can often fill those security gaps just as effectively.
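One way to make the risk-based prioritization of points 3 and 4 concrete is shown below as an added illustration; it is not Asimily’s method or product logic, and the device records, CVE placeholders, weights, thresholds and MDS2-style capability names are all constructed assumptions. The model starts from an advisory’s base severity and scales it by environment-specific facts (whether the vulnerable component is actually enabled, whether it is reachable from outside its clinical segment, how directly the device touches patient care), then uses patch availability and the device’s disclosed capabilities to choose a mitigation path instead of assuming a patch is always the answer.

```python
"""Illustrative risk-based prioritization of IoMT vulnerabilities (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IoMTDevice:
    name: str
    cve: str                        # advisory identifier; PLACEHOLDER values are used below
    cvss_base: float                # 0.0-10.0 base severity as published in the advisory
    vuln_service_enabled: bool      # is the vulnerable component active in this device's configuration?
    reachable_from_untrusted: bool  # can that service be reached from outside its clinical VLAN?
    patient_impact: str             # "none", "indirect" or "direct" effect on patient care
    patch_available: bool           # has the manufacturer released a validated patch?
    mds2_controls: List[str] = field(default_factory=list)  # capability names drawn from the device's MDS2 (assumed)


# Assumed weights: a flaw on a device that directly treats patients counts for more than one on a lab box.
PATIENT_IMPACT_WEIGHT = {"none": 0.6, "indirect": 0.9, "direct": 1.2}


def contextual_risk(d: IoMTDevice) -> float:
    """Scale the advisory's base severity by how exploitable the flaw is in *this* environment."""
    score = d.cvss_base
    if not d.vuln_service_enabled:
        # Present on paper, disabled in practice: keep a residual score so it stays in the inventory.
        return round(score * 0.1, 1)
    if not d.reachable_from_untrusted:
        score *= 0.5  # segmented off from untrusted networks halves the effective exposure
    score *= PATIENT_IMPACT_WEIGHT[d.patient_impact]
    return round(min(score, 10.0), 1)


def tier(score: float) -> str:
    """Bucket the contextual score into the queue the team will actually work."""
    if score >= 7.0:
        return "urgent"
    if score >= 4.0:
        return "scheduled"
    return "monitor"


def recommend(d: IoMTDevice, score: float) -> str:
    """Pick a mitigation path: patch when a validated one exists, otherwise compensating controls."""
    if tier(score) == "monitor":
        return "track in inventory; no change to the device"
    if d.patch_available:
        return "apply manufacturer patch after documented risk assessment and clinical scheduling"
    if "remote_service_disable" in d.mds2_controls:
        return "no vendor patch: disable the remote service per MDS2 and restrict access with network ACLs"
    if d.reachable_from_untrusted:
        return "no vendor patch: segment the device and block the vulnerable port at the segment boundary"
    return "no vendor patch: keep segmented, add monitoring for the vulnerable service"


def prioritize(devices: List[IoMTDevice]) -> List[Tuple[str, str, float, str, str]]:
    """Return (device, cve, contextual score, tier, recommendation) sorted most urgent first."""
    rows = []
    for d in devices:
        s = contextual_risk(d)
        rows.append((d.name, d.cve, s, tier(s), recommend(d, s)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample inventory: four devices sharing two advisories with placeholder CVE ids.
SAMPLE_INVENTORY = [
    IoMTDevice("infusion-pump-12", "CVE-PLACEHOLDER-A", 9.8, True, True, "direct", False,
               mds2_controls=["remote_service_disable"]),
    IoMTDevice("patient-monitor-07", "CVE-PLACEHOLDER-A", 9.8, True, False, "indirect", True),
    IoMTDevice("imaging-workstation-3", "CVE-PLACEHOLDER-B", 7.3, False, True, "indirect", True),
    IoMTDevice("lab-analyzer-2", "CVE-PLACEHOLDER-B", 5.3, True, False, "none", False),
]

if __name__ == "__main__":
    for name, cve, score, t, action in prioritize(SAMPLE_INVENTORY):
        print(f"{score:5.1f} {t:9s} {name:22s} {cve:18s} {action}")
```

The point of the sample is that two devices carrying the same advisory end up in different queues: the internet-reachable pump with direct patient impact and no patch is urgent and gets a compensating control, while the segmented monitor drops to a scheduled patch, and the workstation whose vulnerable service is disabled stays in the monitor bucket despite a high base score.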

Bottom Line: Securing the IoMT Means Optimizing Mitigation Efforts

Security teams working with IoMT devices at healthcare organizations—from hospitals to pharmaceutical and life sciences companies—must account for wide-ranging concerns that reach far beyond the typical IT focus limited to hardware and software. These teams must solve security issues while also accounting for the safety of patients, maintaining the effectiveness of clinical treatment, maintaining compliant data and network security, and safeguarding the business and operational integrity of their organizations. Instead of spreading security resources thin trying to achieve the impossible task of addressing tens of thousands of IoMT vulnerabilities, putting the right capabilities and analysis in place can identify the actual risks that attackers will target, and reveal a more efficient path to eliminating those risks.
