Medical IoT Facts

The number of medical IoT devices is expected to rise significantly in the coming years, driven by advancements in healthcare technology and increasing demand for remote monitoring and personalized care. These devices, ranging from smartwatches to advanced insulin pumps, are transforming healthcare delivery.
Deficient security capabilities, legacy operating systems, difficulties in patching vulnerabilities and a lack of security awareness are significant risks to both medical IoT devices themselves and the networks to which they connect.
Unsecure or poorly secured medical IoT devices can leave networks open to Distributed Denial of Service (DDoS) attacks.

Dept. of Homeland Security issued 30 advisories about cybersecurity vulnerabilities in medical IoT devices

Medical IoT Myths & Facts

Myth	Fact
The FDA is the only federal government agency responsible for the cybersecurity of medical IoT devices.	The FDA works closely with other federal government agencies, such as the U.S. Department of Homeland Security (DHS), but also works with members of the private sector, medical IoT device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of critical cyber infrastructure.
Medical IoT device manufacturers can’t update medical IoT devices for cybersecurity.	Medical IoT device manufacturers can always update a medical IoT device for cybersecurity. In fact, the FDA does not typically need to review medical IoT device updates implemented solely to strengthen cybersecurity.
The FDA tests medical IoT devices for cybersecurity.	The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical IoT product manufacturer.

Medical IoT Business Risks

Disruption of patient care
Loss of Protected Health Information (PHI) and Personally Identifiable Information (PII)
Loss of revenue

Medical IoT Cybersecurity Services

Identify Medical IoT Devices Asset Management.
Categorize Medical IoT Devices.
Prioritize Medical IoT Device Cyber Risk.
Remediate Anomalies.
Assess Medical IoT Device HIPAA Compliance.
Policy Ensure Policy Developed to Appropriately Secure Devices.
Process Procedures Aligned with Policy to Ensure Consistent Configuration of Devices.
Evidence Implementation Verified to Validate Process for Securing IoT Devices.
Measure and Monitor Medical IoT Device Security Framework Effectiveness.

Readiness Assessment

The ecfirst medical IoT Cybersecurity Report includes an Asset Inventory, which identifies specific medical IoT device information such as:

IP Address
Hostname (if resolvable or successfully authenticated)
Operating System (if discoverable or successfully authenticated)
Open Ports
- Potentially Active Services
Installed Software

Explosion of medical IoT devices increases pressure for significantly improved cyber defense against incursions that threaten patients and cause costly disruptions

Number of medical IoT devices in a hospital can be more than twice the number of traditional networked devices, such as laptops and smartphones

Medical IoT and IoT Cybersecurity Readiness

Medical IoT devices typically run legacy operating system with known vulnerabilities waiting to be exploited

Medical IoT Cybersecurity Checklist

Cybersecurity Framework Determine the cybersecurity framework that will establish the foundation for your security program requirements for medical IoT devices.
Policy Develop a cybersecurity policy specific to medical IoT devices. Ensure the policy is reviewed by associated and impacted departments/business units, approved by senior leadership, and communicated to the workforce.
Security Risk Assessment Ensure medical IoT devices are within the scope of enterprise cybersecurity risk assessment exercises. Perform a vulnerability assessment to determine medical IoT device security gaps. Examine the security architecture and identify opportunities to possibly segregate medical IoT devices (i.e. determine application of segregation for medical IoT devices).
Business Associate Agreements (BAA) Review third-party vendors (business associates) and their security practices to ensure HIPAA, FDA, and other mandates are appropriately addressed.
Configuration Management Ensure each type of medical IoT device is configured consistently, and addresses the appropriate security capabilities to secure PHI and PII.
Encryption Examine options to encrypt PHI and PII stored, processed or transmitted by medical IoT devices.
Risk Management Based on the findings of the risk assessment, establish a plan for risk management of medical IoT devices. Ensure formal remediation is performed on a regular schedule (e.g. monthly).

Asset management of medical IoT devices is typically incomplete

60% of medical IoT devices are at end-of-life stage, with no patches or upgrades available

Medical IoT devices in use by hospitals and other healthcare organizations average 20+ years of use per device, making them prime hacker targets

Cyberattacks on operational technology in healthcare may threaten patient safety as vulnerabilities in medical devices and outdated equipment become key targets for hackers.

Bottomline

Healthcare organizations typically have minimal visibility into managing and monitoring medical IoT devices

Lack of medical IoT devices cybersecurity = patient safety risk
Lack of medical IoT devices cybersecurity = disruptive business risk

Challenge Every hospital and health system must improve its cyber capabilities to monitor and manage medical IoT devices to ensure patient life is not threatened and healthcare operations are not disrupted.

Solution AI-based Culinda provides deeper visibility and integrated capabilities to mitigate by continuously monitoring and managing medical IoT devices.

15-20 connected medical IoT devices in a typical hospital room, and an average of 6.2 vulnerabilities on each medical IoT devices

In the News

ecfirst Prepares to Launch CMMC Assessments as Final Rule Takes Effect

Events

CMMC Assessment Readiness Secrets, December 12, 2024

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.