#HowTo: Approach IoMT Security and Risk Management

Written by

Healthcare CSOs and security teams tasked with safeguarding internet of medical things (IoMT) devices and equipment will find themselves up against more challenges than their security counterparts working in other industries. Understanding why that is – and then developing a strategy specific to web-connected medical devices – is key to reducing risk.

When it comes to the step-by-step device vulnerability management process of identifying, classifying, prioritizing, remediating and mitigating issues, the IoMT brings more significant obstacles across each stage. Whereas industrial or commercial implementations often utilize many of the same IoT sensors or devices across their environment, a typical IoMT environment includes a much more vast, heterogeneous mix of technologies (a mix that almost always includes legacy solutions).

Simply scanning devices to identify issues is not an option. Many legacy IoMT devices cannot tolerate a scan and will crash. Classification and prioritization are also more challenging because IoMT device manufacturers publish an average of 2000-3000 vulnerabilities monthly. A good manufacturer patches only about 1 in 50 of their vulnerabilities. 

Knowing Which Vulnerabilities to Defend

While a security team can go mad trying to keep up with thousands of recognized vulnerabilities, the good news is that most known issues are not exploitable. Exploit analysis shows that in a given IoMT environment, 90% of vulnerabilities are not really a risk. 

Also, vulnerability risk is highly dependent on the specifics of the environment. This means teams need to do their exploit analysis on a per-environment basis. Risks depend on how an IoMT device is connected, what it connects to, its nearby ecosystem of devices and how it is used. Out of necessity, attackers will approach the same vulnerability differently depending on those environmental factors. Focusing security efforts on those key battlefields is a valuable best practice that too often gets ignored.

Healthcare security teams must also consider vulnerabilities in terms of attack chains. Not all IoMT targets represent risk themselves: many component devices have no data to steal or direct impact on patient health. However, exploits to those devices may offer a launch pad for accessing servers or broader healthcare systems.

IoMT Device Churn is High

Healthcare organizations run the spectrum in their focus on security, from those where the CSO is a key decision-maker to some that implement solutions without any consultation and leave security teams playing catch up. While businesses with a security-last mindset create issues across industries, healthcare organizations are particularly vulnerable because they tend to carry large IoMT inventories and churn 15% of their devices each year. The IoMT’s necessary propensity to require security leaders to take on challenges not accepted in other industries becomes all the more difficult when those teams must consistently address mitigation for myriad new devices – which often comes without warning.

IoMT Security Decisions Require More Holistic Input 

The stakes of IoMT security go beyond the conventional risks of data breaches and regulatory non-compliance. Security teams focus on preventing any catastrophic damage caused by cyber threats, including disruptions to patient care operations. A malfunction or interruption in device availability due to a network or device issue can be a patient safety risk. That responsibility is unparalleled in other IoT security sectors. 

Healthcare organizations must engage in comprehensive discussions involving their security leaders and clinicians to assess the full balance of factors, including the value a high-risk device might offer patients. Those discussions can result in the organization committing to riskier options and putting security teams into tougher positions because a device’s benefits outweigh the risks. For example, the life-saving ECMO machines, essential during the pandemic, represent a technology that organizations absolutely would not forego, regardless of their security postures. Similarly, NICU cameras are often quite security-vulnerable but provide the necessary service of enabling new parents to see their infants. Faced with these IoMT-specific challenges, security teams must often devise mitigation strategies to make high-risk devices or assets as low-risk as possible.

IoMT Requires Curious, Collaborative Security Leaders

The IoMT includes so many nuanced medical devices, so much emerging security technology, and such rapidly evolving threats that keeping up with it all is a challenge in itself. CSOs and security leaders must maintain a keen curiosity and interest to understand the impact of new developments, but they cannot expect to build the needed knowledge base alone. They must instead act as collaborative facilitators that absorb and transmit knowledge from the experts across their team. And they must be ready to convince other stakeholders of the ROI associated with robust IoMT security.

What’s hot on Infosecurity Magazine?