The healthcare industry is experiencing a transformative shift towards "Healthcare 4.0,” driven by technologies like cloud, 5G, AI/ML, blockchain, IoMT, and more. This transformation will benefit patients with convenient and fast remote diagnosis and disease-prevention advice both in the hospital and remotely in their homes. The IoMT and other emerging technologies will play a transformational role in modernizing healthcare networks and care delivery. These technologies power smart medical devices connected through communications mediums (Wi-Fi, Bluetooth, internet-to-cloud server, and mobile applications) that exchange sensitive patient medical data and personal details with a central location. The IoMT combines the digital and physical worlds to improve the speed and accuracy of diagnosis, treatments, and real-time monitoring.

Amid numerous benefits, IoMT-driven modernization also brings new challenges to hospital Chief Information Security Officers (CISOs). Hospitals are full of networked medical devices that are now a target of various security threats. Health systems need to prioritize addressing the evolving threats that these connected devices pose. 

Understanding the Unique Threat Landscape

A typical healthcare organization or hospital may have 20,000 or more connected devices, including IT, IoMT, IoT, and OT devices. In hospitals, Wi-Fi access is free for guest users. The guest might connect to the same hospital network to which critical medical devices are connected (in case of a flat network), potentially opening access to cyber criminals. The most common threats that IoMT devices introduce include ransomware, intentional data theft (including protected health information), attacks against the network, and tampering with devices to alter medical data that might impact patient health. Cybercriminal groups can also turn weak hospital networks into money-making machines (for example, through crypto mining). Attackers are becoming increasingly clever at scanning the internet to find vulnerable systems (including hospital networks and medical devices) that are ripe for exploitation.   

Why Cybersecurity is Lacking in the IoMT Landscape

With so many different networked-enabled devices in a hospital, it has been challenging to address cybersecurity. These heterogeneous IoMT devices are sometimes managed and sometimes unmanaged, often running an outdated OS, using old browsers, and connecting over wired or wireless networks. Some devices have insecure protocols and default credentials. Medical devices that use default credentials are weak links in the network. These devices exchange data over both propriety and insecure protocols, and both within and outside the network.

Many healthcare facilities have weak patch management deployments. IoT medical devices often have static credentials (difficult to change), no encrypted communications, open ports, unknown services, and proprietary firmware. More issues arise due to a lack of identification and management of vulnerabilities. Installing security-enhancing agents on unmanaged devices is difficult due to device constraints like low memory, proprietary operating systems, and protocols. Existing IT-based vulnerability scanning tools that perform active scanning are often not supported by these devices. Some devices also use non-standard protocols, making it challenging to identify vulnerabilities within the devices.

Proven Mitigation Strategies for Healthcare CISOs

Wipro has worked with many hospitals to develop cybersecurity strategies that secure IoMT healthcare networks and ensure HIPAA compliance. Key IoMT security strategies for hospitals include:

  1. Risk Assessment. Security stakeholders should scan the healthcare network posture against industry best practices and guidelines to identify gaps in IoMT cybersecurity policies, identify internet-exposed managed and unmanaged IoMT assets, and understand that most IoMT devices use static passwords (passwords that don’t change or are difficult to change), posing a distinct security risk.
  2. Network segmentation. Healthcare organizations must identify critical networks and create separate guest and hospital networks. Segmentation is a control strategy that impacts every component of a Zero Trust architecture. The segmentation approach should consider device classification based on function and vendor groups, user security (extended workforce, remote vendor support, business associates), sensitive patient medical data, and critical applications that save and sustain lives.
  3. Data security and privacy. Medical device gateways (which collect data from various devices) must be fully secured while generating (in use), storing (at rest), and transmitting (in transit). Organizations must restrict access to data to authorized stakeholders. There should also be a mechanism to detect any rogue device/gateway over the network.
  4. IoMT device hardening and remediation. Healthcare organizations should implement efficient password management, leveraging a patch management platform that enables proactive and automated password hardening, remediates default/weak passwords, automates enrolment in Privileged Access Management (PAM) tools, and schedules password rotations.
  5. Continuous threat and vulnerability identification platform. This platform should be completely passive and non-intrusive, providing complete asset visibility, classification, and identification of vulnerabilities. This platform should also monitor anomaly behavior and security.

Key Takeaways

Hospital systems have a daunting task ahead. Emerging technologies are progressing with speed and scale in functionality, benefits, and risks. Connected devices are more common than ever both in healthcare facilities and in patient homes. Any of these devices can pose a potential threat to the hospital and its patients. A comprehensive cybersecurity plan that extends from the device to the network with a secure data pipeline is essential. 

About the Author

Cybersecurity Strategies to Secure IoMT Healthcare Networks

Shyamkant Dhamke

Shyamkant Dhamke is a cybersecurity professional with over 23 years of experience in IoT/IoMT, OT/ICS security services, cyber-physical security, and application and data security across various industries, including Healthcare, Manufacturing, ENU, Banking, Telecom, and ENU. He leads a global IoT and OT/ICS security practice at Wipro and has been honored with Distinguished Member of Technical Staff (DMTS) at Wipro.