Why IoT security isn’t enough for IoMT

September 25, 2018
By Jonathan Langer

The connected medical device market is on a growth trajectory with more than 3.5 million medical devices in use today. From a security perspective, this translates to 3.5 million network connections that hackers can take advantage of to access sensitive patient information or worse, attack individual patients.

As the Internet of Medical Things (IoMT) landscape continues on this path, vendors adept at securing general Internet of Things (IoT) devices in operations, asset management, smart grids and consumer products are offering solution packages to protect connected medical devices.

But these devices present unique security challenges, and meeting them requires clinical context to ensure full visibility. These general IoT vendors lack the foundational background in healthcare necessary for true IoMT security. Providers should not only be able to see that there are devices connected to their network; they must also be able to identify each connected device with great granularity (including manufacturer protocols) and have up-to-date information on risk ranking, device utilization, software maintenance and compliance data.

Medical devices aren’t printers and they shouldn’t be treated as such
Generally, provider networks look like any other organization’s network. Network managers armed with a variety of security and management tools safeguard the hospital or health system from potential breaches. Devices are organized by category – printers, mobile devices, equipment, etc. – to effectively and efficiently maintain network security, each having a specific set of rules and configurations according to industry best practices. Anything out of the ordinary requires remediation.

The primary function of medical devices is what separates them from the rest as they play a more direct role in aiding and improving patient care. Think of patient-centered devices connected to a hospital’s network – their purpose covers anything from measuring patient vitals, to delivering an accurate diagnostic picture for clinical decision guidance, to playing a pivotal clinical role with a direct impact on patient care. This also means they pose an array of different security risks, starting with the distinct differences between each device. Logically, this unique category of devices requires a more specialized set of rules and configurations designed to ensure a secure connection per device.

From imaging machines to blood pressure monitors, to ventilators and surgical equipment, each medical device, unless properly secured, either provides hackers a way into a hospital’s network or, in the worst-case scenario, enables manipulation at the patient level. Without a solution that can fingerprint every medical device, detect anomalies at a device level based on manufacturer protocols and prioritize threats based on clinical workflows, adequate device security would require staffing that most hospitals and health systems do not have. Each of these medical devices requires its own maintenance and remediation schedule; patches and operating systems need to be updated continually, and obsolete devices need to be identified and removed from the network.

Medical devices may live on the network but they’re part of the biomed ecosystem
Not only are providers dealing with thousands of devices, but most medical devices are purchased and maintained by biomedical engineers, not IS or IT. The hospital or health system is in control of when and how often these two departments actually meet to connect on device purchasing and ongoing management. Regardless, each device is purchased in the interest of patient health, with the ultimate purpose of driving better overall care, which necessitates an understanding of its level of security when making a final purchasing decision. The underlying assumption is that the device and its network connection will be secure, and the network manager will oversee the actual device’s status for ongoing maintenance and monitoring.

Once a device is purchased, the network manager is tasked with configuring and managing it to ensure it works properly and is not an entry point for hackers looking to breach the network. The end goal is to ensure the device causes no harm to patients or the hospital’s network. This is not an easy task for those dependent upon an IoT security solution that cannot properly identify and comprehend the device-specific protocols, communications and behaviors required both to run efficiently and to detect anomalies or suspicious activity.

A security solution solely focused on medical devices will provide peace of mind for the biomed engineers, while also ensuring ease of use for those in the IS and IT departments.

A bonus beyond security — real asset tracking and utilization
Proper medical device security requires knowing each connected device inside and out at any given time. This includes maintenance schedules, software upgrades, patches and location, as well as whether a new model has been released to ensure physical hardware is appropriately current. Every year, millions of dollars in hospital equipment is underutilized or goes missing – from MR machines to defibrillators – and they’re not always stolen. IS and IT need a security solution that is in constant contact with medical devices to ensure total visibility. In addition to finding missing equipment, they will be able to guard against potential breaches, with the ability to disconnect obsolete devices from the network.

Without a tool that reacts specifically to the distinct nuances of each medical device, it is impossible to properly protect and secure IoMT devices connected to a hospital’s network. Just as an auto repairman is not equipped to fix an ailing heart, hospitals and health systems should not depend on generic IoT solutions that require more effort than necessary and lack the context required to ensure proper IoMT security.

About the author: Jonathan Langer is co-founder and CEO of Medigate, a dedicated medical device security platform protecting all connected medical devices on healthcare provider networks. Since Medigate’s inception in 2017, Jonathan has been working to advance the company’s evolution and leadership in the Internet of Medical Things (IoMT) and medical cybersecurity markets. His focus is on overseeing business growth, research and development, and product management. Jonathan and the Medigate team are working to transform the company into an invaluable partner of healthcare networks, providing the best medical device security, which can only come from true collaboration.