Medical IoT Facts

The number of medical IoT devices is projected to grow to 50 billion in 2020.
Deficient security capabilities, legacy operating systems, difficulties in patching vulnerabilities and a lack of security awareness are significant risks to both medical IoT devices themselves and the networks to which they connect.
Unsecure or poorly secured medical IoT devices can leave networks open to Distributed Denial of Service (DDoS) attacks.

Dept. of Homeland Security issued 30 advisories about cybersecurity vulnerabilities in medical IoT devices

Medical IoT Myths & Facts

Myth	Fact
The FDA is the only federal government agency responsible for the cybersecurity of medical IoT devices.	The FDA works closely with other federal government agencies, such as the U.S. Department of Homeland Security (DHS), but also works with members of the private sector, medical IoT device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of critical cyber infrastructure.
Medical IoT device manufacturers can’t update medical IoT devices for cybersecurity.	Medical IoT device manufacturers can always update a medical IoT device for cybersecurity. In fact, the FDA does not typically need to review medical IoT device updates implemented solely to strengthen cybersecurity.
The FDA tests medical IoT devices for cybersecurity.	The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical IoT product manufacturer.

Medical IoT Business Risks

Disruption of patient care
Loss of Protected Health Information (PHI) and Personally Identifiable Information (PII)
Loss of revenue

Medical IoT Cybersecurity Readiness

The ecfirst medical IoT Cybersecurity Report includes an Asset Inventory, which identifies specific medical IoT device information such as:

IP Address
Hostname (if resolvable or successfully authenticated)
Operating System (if discoverable or successfully authenticated)
Open Ports
- Potentially Active Services
Installed Software

Explosion of medical IoT devices increases pressure for significantly improved cyber defense against incursions that threaten patients and cause costly disruptions

Number of medical IoT devices in a hospital can be more than twice the number of traditional networked devices, such as laptops and smartphones

Medical IoT and IoT Cybersecurity Readiness

Medical IoT devices typically run legacy operating system with known vulnerabilities waiting to be exploited

Medical IoT Cybersecurity Checklist

Cybersecurity Framework Determine the cybersecurity framework that will establish the foundation for your security program requirements for medical IoT devices.
Policy Develop a cybersecurity policy specific to medical IoT devices. Ensure the policy is reviewed by associated and impacted departments/business units, approved by senior leadership, and communicated to the workforce.
Security Risk Assessment Ensure medical IoT devices are within the scope of enterprise cybersecurity risk assessment exercises. Perform a vulnerability assessment to determine medical IoT device security gaps. Examine the security architecture and identify opportunities to possibly segregate medical IoT devices (i.e. determine application of segregation for medical IoT devices).
Business Associate Agreements (BAA) Review third-party vendors (business associates) and their security practices to ensure HIPAA, FDA, and other mandates are appropriately addressed.
Configuration Management Ensure each type of medical IoT device is configured consistently, and addresses the appropriate security capabilities to secure PHI and PII.
Encryption Examine options to encrypt PHI and PII stored, processed or transmitted by medical IoT devices.
Risk Management Based on the findings of the risk assessment, establish a plan for risk management of medical IoT devices. Ensure formal remediation is performed on a regular schedule (e.g. monthly).

Asset management of medical IoT devices is typically incomplete

60% of medical IoT devices are at end-of-life stage, with no patches or upgrades available

Medical IoT devices in use by hospitals and other healthcare organizations average 20+ years of use per device, making them prime hacker targets

Gartner predicts that by 2020, more than 25% of cyberattacks in healthcare delivery organizations will involve the IoT

Bottomline

Healthcare organizations typically have minimal visibility into managing and monitoring medical IoT devices

Lack of medical IoT devices cybersecurity = patient safety risk
Lack of medical IoT devices cybersecurity = disruptive business risk

Challenge Every hospital and health system must improve its cyber capabilities to monitor and manage medical IoT devices to ensure patient life is not threatened and healthcare operations are not disrupted.

Solution AI-based Culinda provides deeper visibility and integrated capabilities to mitigate by continuously monitoring and managing medical IoT devices.

15-20 connected medical IoT devices in a typical hospital room, and an average of 6.2 vulnerabilities on each medical IoT devices

Training & Certification

Examine and build a practical and applicable cybersecurity program for an organization. Step through core components of an actionable incident response plan.
Identify policies that reflect an organization’s priority for security in the areas of risk assessment, mobile devices, cloud computing, encryption, and more.
Study incident management and other checklist documents to establish consistency in monitoring enterprise security capabilities.

In the News

Performed an Online Tracking Assessment? OCR Mandate for HIPAA Compliance, Webinar, April 24, 2024

Events

CMMC DAY, May 6, 2024

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.