It’s been quite a few years since the news hit about a hackable insulin pump, but since then, cyber risk management in healthcare has gotten even more complex. Chipped cards have sent cybercriminals running from credit card theft to deliciously detailed personal information, with medical records as one of their favorite sources. On top of that, ransomware attacks, which are basically cyber-kidnapping schemes you can pull off from your couch, have left healthcare security professionals scrambling to secure their clouds, lakes, and mountains of sensitive data.
Unfortunately, healthcare organizations are also facing increased risk from the devices doing much of the important work for patients and communities. With all the benefits the Internet of Medical Things (IoMT) offers, it’s also a point of vulnerability, especially since healthcare is one of the top target industries for cyber attacks.
Creating resilient healthcare organizations in a modern cyberthreat environment requires an approach to cyber risk management that acknowledges the expanding definition of the endpoint and goes beyond yesterday’s standards.
Are unsecured endpoints the biggest threat to patient safety?
Until the IoMT came onto the scene, the term “cybersecurity threat” mostly meant threats to patient data and privacy. That changed when a slew of glucose monitors, insulin pumps, smart beds, wearables, and medication trackers started popping up on hospital networks. Now, the question isn’t just, “What if someone breaks into a hospital network and steals my home address?” It’s also, “What if someone breaks into my smart device and physically hurts me?”
Johnson & Johnson didn’t release a warning to diabetic patients about its insulin pump just for kicks. While the risk is currently remote, theoretically, anyone with the technical know-how and proximity to a pump could make changes to doses and threaten the well-being—or even life—of a patient without them knowing. From pacemakers to defibrillators, IoMT brings with it questions of endpoint security the IT world has never had to answer before. For example, what can you do with IoMT devices that are keeping patients alive and can’t be taken offline during an attack or breach?
This is just one aspect of the problem, though. IoMT also brings with it all the traditional challenges and infrastructure risks of endpoints, meaning new vital sign monitor installed in the ICU is a potential entry point to the entire network—as is every printer, workstation, and tablet in the organization. Essentially, endpoints have burst onto the scene, bringing a new threat landscape right along with them.
Turn to the power of prevention
Preventative care could save the US healthcare system billions of dollars, and a similar rule holds true for cybersecurity. Working to proactively minimize your attack vectors will keep you significantly more secure—and save a lot of money in the long run.
As it stands now, regulatory agencies, like the FDA, are conducting the bulk of the work around proactive IoMT device regulation. The agency recently launched its Medical Device Safety Action Plan, one component of which focuses on the advancement of medical device cybersecurity. It addresses the importance of cybersecurity in product design and development, as well as timely device patching and updating. The FDA also released guidance for device manufacturers and for postmarket cybersecurity managers.
For a model of connected devices designed with cybersecurity in mind, IoMT manufacturers might want to look at today’s enterprise printers. Printers should be held to the same security standards as any other endpoint computing device. That’s why some printers are now built with advanced security features, like HP’s run-time intrusion detection that can automatically scan for attacks and self-healing capabilities that trigger a reboot when malicious code is detected.
Keeping up with regulations—and how well manufacturers are following them—while investing in devices with embedded security features are your best strategies for optimizing IoMT cybersecurity and proactively preventing attacks.
Take a smart approach to modern endpoint security
In a threat environment where endpoints—and the risks they pose—are essentially everywhere, strategic continuous monitoring is a basic requirement of any cyber risk management strategy. Here are a few tools and approaches to consider:
- EDR tools: Endpoint development and response tools give security analysts the level of visibility and insight needed to investigate and respond when endpoint devices are targeted by attacks. They go a step beyond traditional endpoint protection platforms, as they don’t just stop known threats but also monitor for any threats that may have slipped by initial defenses.
- Internal segmentation: The risks coming with the IoMT mean many organizations will need to adopt different methods for how they monitor traffic moving across their networks. To that end, you should consider adopting internal segmentation to give your team a simplified view of traffic, allowing them to observe when devices are moving laterally into different network segments. Internal segmentation firewalls can also enable policy-driven segmentation by assigning identity-based levels of security clearance.
- HITRUST: One of the most fundamental steps you can take toward improved cyber risk management is jumping on the HITRUST CSF framework. HITRUST is a unified compliance framework that helps organizations achieve HIPAA, ISO, NIST, and PCI compliance harmoniously. On the medical device front, you can find resources for assessing risks in your endpoint devices and keeping up with changes in the industry.
While it’s still the beginning stages of IoMT—yesterday’s hospital-exclusive devices are now sitting in people’s bedrooms and exist right at the center of patient-centered health initiatives. Keeping up with cyber risk management will require not only understanding the evolving threat landscape but also committing to continuous innovation in device security. If your healthcare organization takes steps to stay ahead of this innovation, you can enjoy the benefits of Internet of Medical Things without worrying about its risks.