What is IoMT Security?

The Internet of Things (IoT) can mean different “things” to different industries. Broadly speaking, any object or device connected over the internet and powered with the ability to collect, transfer and analyze data over a network can be labeled a “thing” in the emerging digital ecosystem known as IoT. 

Narrowing it down specifically to the healthcare industry, any medical device that connects to a healthcare provider’s network is subclassified as the Internet of Medical Things (IoMT). These include but are not limited to medical imaging systems, remote patient monitoring (RPM) devices, smart thermometers, infusion pumps, medical device gateways, and biosensors packaged into wearables for use in apparel or implanted inside the human body.

IoMT Adoption Is Accelerating

IoMT has been consistently making its way into healthcare and promises a future where it will be not only prevalent, but also fully extended beyond the four walls of the clinic and hospital. So, what’s the key driver of this adoption?

The last few years have witnessed the healthcare industry’s journey toward digitization. The massive blow from the COVID-19 crisis has only hastened that journey, with more healthcare providers, medical device manufacturers and hospital systems realizing the crucial role of connected medical devices in enabling smart monitoring of patient health, providing timely care and saving lives.

While IoT is a business enabler in most industries, IoMT is essential for health delivery organizations (HDOs) as the devices are used in carrying out surgeries, monitoring patient health remotely and much more. IoMT use cases comprise data sharing, report monitoring, patient tracking, information collection and analysis, hygiene care, and preventive device maintenance, to name a few. Companies such as GE, Siemens, Philips and others have been using IoMT for remote diagnostics, predictive maintenance and performance upgrades to their medical imaging products. Some interesting examples of IoMT use cases that have emerged over the course of the past decade include:

  1. In 2013, the Mount Sinai Medical Center in New York piloted a GE Healthcare program called AutoBed to manage patient flow, reducing wait times for 50% of ER patients in need of an inpatient bed by one hour. 

  2. In 2016, Oticon launched the world's first IoT hearing aid that connects to and interacts with the internet to sync directly with doorbells, smoke detectors and baby alarms.

  3. In 2017, Wisepill & Aeris introduced IoT-enabled smart pillboxes that monitor patient adherence and provide instant feedback.

  4. In 2020, hospitals in Vancouver, Canada, installed Visionstate IoT buttons that send alerts to management for cleaning or maintenance issues that pose risks to public safety. 

  5. Also in 2020, amid the COVID-19 crisis, temperature readings from a million Kinsa Health connected thermometers enabled the company to map atypical fevers, offering a potential warning of increases in COVID-19 infections. Similarly, at a field hospital in Wuhan, China, patients and staff wore wearables synced with an AI platform called CloudMinds to continuously monitor body temperature, heart rate and blood oxygen levels. 

IoMT is playing an undeniably useful role in helping manage the pandemic crisis. As one can see, it’s shaping the future of the medical world by improving timeliness and quality of care while reducing patient care complexities and costs – a business model that healthcare organizations (HCOs) find hard to resist. 

Security Enables IoMT

With all that being said, one of the main drawbacks of IoT in healthcare is weak security. Most IoMT devices were not designed with security in mind, which makes them especially vulnerable to compromise. IoMT demands better security because, unlike other industries, a security breach in a healthcare network can quite literally become a matter of losing lives. 

As hospital systems come across a broad range of relevant IoMT applications, many are adding on connected medical devices that put their healthcare operations – and patient lives – at risk. The proliferation of unmanaged and unaccounted-for IoMT devices, their disparate nature, lack of security by design, and dependence on unsupported operating systems, together with network and internet connectivity, considerably widen the attack surface. Recent advisories, such as one on a TrickBot ransomware campaign, identify healthcare as a prime target for attackers, heightening the concern around IoMT.

Any exploited vulnerability in IoMT enables cybercriminals to take a number of malicious actions, such as seizing control of the medical device; stealing sensitive patient health, personal and insurance data; stealing proprietary clinical records; obfuscating network traffic; disrupting healthcare delivery processes; and ransoming the device to turn a profit. In late 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released an alert warning healthcare organizations of serious vulnerabilities found in certain Medtronic MyCareLink (MCL) medical devices that could potentially impact patient data.

As damaging as these activities can be, they’re the tip of the iceberg. Cyberattacks aren't going anywhere and are bound to get more egregious as the world continues to grapple with the COVID-19 crisis. NIST and HHS have created guidance in an effort to shore up medical device security gaps. One of the positive outcomes of the guidelines was that medical device manufacturers have to disclose their devices’ security and privacy characteristics in a standardized “Manufacturer Disclosure Statement for Medical Device Security (MDS2)” form. 

Healthcare organizations face an urgent need to tackle IoMT security challenges head on. The most basic step in securing IoMT begins with obtaining trusted visibility and classification of all IoMT devices across hospital networks, data centers, endpoints, remote clinics, mobile assets and cloud environments. By doing this, healthcare IT teams will be empowered to take a prevention-first instead of an alert-only approach to keeping medical devices safe from potential threats.

IoMT security needs to be taken seriously, making it vitally important for all healthcare security chiefs to develop and implement successful IoMT security strategies. A robust medical device security strategy can free up healthcare organizations from the worry of cyberattacks to focus on bringing about positive patient outcomes.