Internet of Medical Things: The Potential Vulnerabilities

Most of us associate the emergence of IoT with smart bulbs and home security systems. Yet, it’s made the greatest impact on healthcare. Thanks to the Internet of Medical Things or IoMT, healthcare professionals have access to an unprecedented amount of quality information. It helps them diagnose and treat patients more quickly and accurately.

What cybersecurity challenges does IoMT bring, though? How does it make existing systems more vulnerable? What should healthcare institutions do to balance IoMT’s benefits with effective cybersecurity? Find out all the answers below.

What Contributes to IoMT’s Lackluster Security?

IoMT devices have become a cornerstone of diagnosis, treatment, and monitoring. They routinely outnumber the beds in a hospital. All connect to the internet or the hospital’s internal network to relay and analyze information. It’s alarming that, according to a study by Cynerio, more than half of these devices have at least one serious security vulnerability.

Lack of any authentication is among the worst offenders. Devices like heart monitors or temperature sensors lack the hardware and software to implement authentication. That means anyone with access to a computer they’re connected to may view or even alter their output.

IoMT is a thriving industry, and new devices are constantly emerging. Since the category is so broad and numerous companies are involved, there’s no unifying standard regarding security or connection protocols.

For example, some devices might connect via Bluetooth Low Energy, while others use other radio protocols. Each connection method comes with distinct cybersecurity shortcomings. This broadens the attack surface and makes securing endpoints more challenging.

The impact of legacy systems

Reliance on outdated hardware and software was a long-standing vulnerability even before IoMT became ubiquitous. Many hospitals run 10+ year-old hardware with operating systems that may be twice as old. Long-term support for such systems usually doesn’t exist. That means newly discovered security flaws never get patched.

It’s easy enough to hijack most IoMT devices and try to gain network access through them. Modern hardware running up-to-date operating systems is less susceptible to such attacks. Meanwhile, successfully taking control of an IV pump connected to an outdated system can expose that system’s entire contents.

What Are the Consequences?

IoMT improves patient comfort and leads to more accurate diagnoses. It also makes medical IT infrastructure more vulnerable. Data breaches in the business world result in “only” financial and reputation damage. Consequences in the medical field can literally be life-threatening.

IoMT devices create, collect, and analyze an unprecedented amount of medical data. It comes packaged with a patient’s general personally identifiable information (PII), making it doubly attractive to criminals.

More disconcerting is hackers’ ability to intercept and even change information in real time. For example, someone could tap into a GPS sensor used for patient monitoring and know exactly where a patient is at the moment. Even worse, they could alter the readings of something like a compromised heart monitor. This may prompt doctors to adjust a patient’s medication and endanger their life.

Ransomware isn’t as immediately horrific, but it can be more devastating in the long run. Cybercriminals may use IoMT vulnerabilities to access and lock down crucial parts of a hospital’s network. They then demand a ransom, usually paid in cryptocurrency, to release their hold.

Such attacks don’t have a high success rate in finance and business. However, medical institutions can’t afford to not pay due to the disruption such downtime would bring to their patient-saving efforts. Indeed, the healthcare industry is among the most affected by ransomware and other malware attacks. The number of incidents keeps growing annually.

How to Reduce IoMT Risks?

With IoMT maturing and becoming integral to overall medical infrastructure, there’s a growing awareness of the need for cybersecurity improvements that account for IoMT’s vulnerabilities. The measures below do so, resulting in more efficient and secure medical services.

Developing a security-focused infrastructure

Tacking IoMT devices onto an obsolete IT framework is a recipe for long-term vulnerability and constantly having to put out fires. Ideally, the infrastructure should be built from the ground up with specific IoMT cybersecurity needs in mind.

If that’s not feasible, replacing the most outdated hardware and software with modern equivalents helps. The new hardware should come with long-term support and firmware that’s easy to update. Any software, as well as connected IoMT devices, should be configured to receive automatic updates.

Reinforced authentication procedures

A lack of computing power doesn’t mean IoMT devices lack authentication capabilities. Serial numbers and MAC addresses can identify unique devices connected to a network. Moreover, any communication between them and the server or network should be encrypted to prevent misuse, even if someone intercepts it.

When applicable, passwords need to be complex and unique to be a viable security measure. It’s best to reinforce them with multi-factor authentication like one-time access codes or biometric readings. Medical institutions should also think about all the other tools that are becoming the new norm, like VPNs suitable for multiple devices.

Network segmentation and least-privilege access

The best way of handling devices that are tricky to secure is to ensure they offer limited access.

Segmentation is breaking a network up into smaller sections. Each section is easier to secure and monitor, allowing for faster security responses. The principle of least privilege ensures connected devices can’t be used as gateways to other parts of the network. A temperature sensor that can only transmit its findings but can’t access any other systems is a good example.
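
The following Python example is added here and is not from the original article. It checks constructed network flow records against a device inventory keyed by MAC address and serial number, and against a per-device allowlist of destinations, so a temperature sensor that contacts anything other than its collector is flagged. The inventory, addresses, ports and finding names are all assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    serial: str
    segment: str          # subnet (network segment) the device is assigned to
    allowed: frozenset    # (dest_ip, dest_port) pairs the device may reach

# Constructed inventory: MAC address -> registered device (all values made up).
# MACs and serials can be spoofed, so this is an allowlist check, not proof of identity.
INVENTORY = {
    "02:00:00:aa:00:01": Device("TS-0001", "10.20.1.0/24",
                                frozenset({("10.20.0.10", 8883)})),
    "02:00:00:aa:00:02": Device("HM-0042", "10.20.2.0/24",
                                frozenset({("10.20.0.10", 8883)})),
}

# Constructed flow records: (src_mac, reported_serial, src_ip, dst_ip, dst_port)
FLOWS = [
    ("02:00:00:aa:00:01", "TS-0001", "10.20.1.15", "10.20.0.10", 8883),  # sensor -> collector
    ("02:00:00:aa:00:01", "TS-0001", "10.20.1.15", "10.30.5.7", 445),    # sensor -> other system
    ("02:00:00:aa:00:02", "HM-0042", "10.20.1.99", "10.20.0.10", 8883),  # seen in wrong segment
    ("02:00:00:aa:00:02", "HM-9999", "10.20.2.8", "10.20.0.10", 8883),   # serial does not match
    ("02:00:00:bb:00:09", "unknown", "10.20.1.77", "10.20.0.10", 8883),  # MAC not in inventory
]

def audit_flow(flow):
    """Return the list of policy violations for one flow (empty list = allowed)."""
    mac, serial, src_ip, dst_ip, dst_port = flow
    device = INVENTORY.get(mac.lower())
    if device is None:
        return ["unregistered-device"]
    findings = []
    if serial != device.serial:
        findings.append("serial-mismatch")
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(device.segment):
        findings.append("wrong-segment")
    if (dst_ip, dst_port) not in device.allowed:
        findings.append("destination-not-allowed")
    return findings

def audit(flows):
    """Map the index of each violating flow to its findings."""
    return {i: f for i, f in enumerate(map(audit_flow, flows)) if f}

if __name__ == "__main__":
    for idx, findings in audit(FLOWS).items():
        print(FLOWS[idx], "->", ", ".join(findings))
```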


We have barely begun to experience what the Internet of Medical Things can accomplish for a healthier humankind. AI and machine learning will undoubtedly play a greater role in its development, too. Healthcare and cybersecurity professionals will have to devise new ways of addressing the challenges that are sure to follow.


