Connected medical devices are revolutionizing healthcare by helping enhance patient experience with quicker and more accurate diagnoses, reducing operational costs, increasing efficiency through automation, and improving overall patient outcomes. Connected clinical and operational IoT devices are used for everything, from patient monitoring to office systems. But the same devices also expand the attack surface and are the weakest link through which attackers can infiltrate the hospital network.
Healthcare has consistently been one of the most breached industries, with the highest average cost per breach compared to others over the past 12 years (2010-2022). Connected medical devices are a lucrative target: attackers can hold hospitals hostage with ransomware or steal valuable data, because the devices host patients’ sensitive personal health information (PHI).
Research by Palo Alto Networks Unit 42 Threat Research found that medical devices are the weakest link on the hospital network because they bear critical vulnerabilities:
- 75% of infusion pumps studied had at least one vulnerability or raised at least one security alert.
- Imaging devices, such as X-Ray, MRI and CT scanners, were particularly vulnerable, with 51% of all X-Ray machines exposed to a high-severity Common Vulnerabilities and Exposures entry (CVE-2019-11687).
- 20% of common imaging devices were running an unsupported version of Windows.
- 44% of CT scanners and 31% of MRI machines were exposed to a high-severity CVE.
The volume of devices and their vulnerabilities are only the tip of the iceberg.
These modern medical devices are hard to protect for multiple reasons:
- Lack of visibility into unmanaged, connected medical devices impacts knowing the true attack surface.
- Unseen vulnerabilities, due to the lack of device context, expose hospitals to unknown threats.
- Legacy security architectures (with flat networks and error-prone, manual methods to create security policies) can hinder compliance with regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA).
- Managing multiple point security products creates complexity and security gaps.
Healthcare organizations need a comprehensive Zero Trust cybersecurity solution that can support their digital transformation journey, leading to better patient care outcomes while ensuring patient data privacy and regulatory compliance. Zero Trust is a cybersecurity strategy that eliminates implicit trust by continuously validating every stage of digital interaction. Rooted in the principle of 'never trust, always verify,' Zero Trust is designed to protect modern digital healthcare environments. It applies least privilege access controls and policies, with continuous trust verification and device behavior monitoring, to block zero-day attacks.
Only Palo Alto Networks gives you the most comprehensive and fastest way to Zero Trust security, so you can focus on providing the best patient care possible.
Building on our current proven IoT security technology and based on a Zero Trust approach to security, Palo Alto Networks has introduced Medical IoT Security that uses machine learning (ML) to give healthcare providers an IoT security product designed specifically for medical devices. The solution helps quickly discover and assess every device, easily segment and enforce least privilege access, and protect against known and unknown threats with simplified operations. Additionally, the new product enables healthcare providers to improve security and reduce vulnerabilities:
- Verify Network Segmentation: Visualize the entire map of connected devices and ensure each device is placed in its designated network segment. Proper network segmentation can ensure a device only communicates with authorized systems.
- Automate Security Responses Based on Rules: Create policy rules that watch devices for behavioral anomalies and automatically trigger appropriate responses. For example, if a medical device typically only sends small amounts of data at night and suddenly begins to use a lot of bandwidth, the predefined rule can automatically cut off device connectivity from the internet and alert the security teams.
- Automate Zero Trust Best Practice Policies and Enforcement: Enforce recommended least privilege access policies for devices on supported enforcement technologies with one click. This eliminates error-prone and time-consuming manual policy creation and scales easily across a set of devices with the same profile.
- Understand Device Vulnerabilities and Risk Posture: Get immediate insights into the risk posture of each device, including end-of-life status, FDA recall notification, default password alert and unauthorized external website communication, MDS2, CVEs, behavior anomalies, Unit 42 Threat Research and more. Additionally, access each medical device’s Software Bill of Materials (SBOM) and map it to Common Vulnerabilities and Exposures (CVEs). This mapping helps identify the software libraries used on medical devices and any associated vulnerabilities.
- Improve Compliance: Easily understand medical device vulnerabilities, patch status and security settings, then get recommendations to bring devices into compliance with rules and guidelines, such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and similar laws and regulations.
- Simplify Operations: Two distinct dashboards allow IT and biomedical engineering teams to each see the information critical to their roles. Integration with existing healthcare information management systems, like AIMS and Epic Systems, helps automate workflows.
- Meet Data Residency Requirements: Medical IoT Security makes it easier for our customers in the US, Germany, Singapore, Japan and Australia to adopt IoT Security with local cloud hosting. The regional Medical IoT Security service availability ensures that local data residency and localization needs, such as GDPR, are met.
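
The behavioral rule described under "Automate Security Responses Based on Rules" above (small night-time transfers that suddenly become heavy bandwidth use) can be expressed as a per-device baseline check. The Python below is an added example, not Palo Alto Networks' product logic or code; the night window, thresholds, device name, action names and traffic samples are all constructed assumptions.

```python
from statistics import median

NIGHT_HOURS = set(range(0, 6))  # assumption: "night" means 00:00-05:59 local time
K = 6.0                         # assumption: deviations above baseline that count as anomalous
MIN_BYTES = 1_000_000           # assumption: never act on transfers below 1 MB

# Constructed sample: (hour, bytes sent out in that hour) for one hypothetical device.
HISTORY = [(0, 42_000), (1, 40_000), (2, 45_000), (3, 41_000),
           (4, 43_000), (5, 60_000), (13, 900_000)]

def night_baseline(history):
    """Return (median, MAD) of night-time egress, or None with too few samples."""
    night = [b for h, b in history if h in NIGHT_HOURS]
    if len(night) < 5:
        return None
    med = median(night)
    mad = median(abs(b - med) for b in night)  # median absolute deviation
    return med, max(mad, 1.0)                  # floor so a flat baseline still works

def evaluate(device_id, history, hour, bytes_out):
    """Decide the response for one new hourly observation of a device."""
    if hour not in NIGHT_HOURS:
        return {"device": device_id, "action": "none", "reason": "outside night window"}
    base = night_baseline(history)
    if base is None:
        # No trustworthy baseline: surface the device to analysts, do not block.
        return {"device": device_id, "action": "alert_only", "reason": "no baseline yet"}
    med, mad = base
    threshold = max(med + K * mad, MIN_BYTES)
    if bytes_out > threshold:
        return {"device": device_id, "action": "block_internet_and_alert",
                "reason": f"{bytes_out} B exceeds threshold {threshold:.0f} B"}
    return {"device": device_id, "action": "none", "reason": "within baseline"}

if __name__ == "__main__":
    for hour, sent in [(2, 55_000), (2, 250_000_000), (14, 250_000_000)]:
        print(evaluate("infusion-pump-07", HISTORY, hour, sent))
```

Using the median and median absolute deviation keeps one earlier spike from inflating the baseline, and the byte floor keeps a very quiet device from being cut off over a trivial increase.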
Actionable Guidelines Provided with Medical IoT Security
As the healthcare industry transforms itself to serve patients better, connected medical devices will continue to grow. Medical IoT Security, based on a robust Zero Trust framework, allows the industry to safely use connected clinical devices by providing actionable guidelines for securing their entire lifecycle. Medical IoT Security provides visibility, risk and action, allowing healthcare systems to achieve Zero Trust for all connected medical devices and applications.
To learn more about Medical IoT Security, read our white paper, The Right Approach to Zero Trust for Medical IoT Devices.