Medical IoT
Medical IoT Facts

Source: FBI Alert I-101717a-PSA

  • The number of IoT devices is projected to grow to 50 billion in 2020.
  • Deficient security capabilities, legacy operating systems, difficulties in patching vulnerabilities and a lack of security awareness are significant risks to both medical IoT devices themselves and the networks to which they connect.
  • Medical IoT devices are a high security threat because they can be easily compromised and enlisted in a Distributed Denial of Service (DDoS) attack.
Medical IoT Myths & Facts

Myth: The FDA is the only federal government agency responsible for the cybersecurity of medical IoT devices.
Fact: The FDA works closely with other federal government agencies, such as the U.S. Department of Homeland Security (DHS), but also works with members of the private sector, medical IoT device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of critical cyber infrastructure.

Myth: Medical IoT device manufacturers can’t update medical IoT devices for cybersecurity.
Fact: Medical IoT device manufacturers can always update a medical IoT device for cybersecurity. In fact, the FDA does not typically need to review medical IoT device updates implemented solely to strengthen cybersecurity.

Myth: The FDA tests medical IoT devices for cybersecurity.
Fact: The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical IoT product manufacturer.

Medical IoT Business Risks

  • Disruption of patient care
  • Loss of Protected Health Information (PHI) and Personally Identifiable Information (PII)

Medical IoT Devices

  • Pacemakers
  • Drug Pumps
  • Mobile Medical Systems
  • In-Home Monitors
  • Personal Fitness Devices
  • Medical Ventilators
  • Medical Monitors
  • Medical Imaging Machines

Securing Medical IoT Devices

  • Equipment Management
  • Patch Management
  • Staff Security Training
  • Vulnerability Scanning
  • Risk Management
  • RFP Language to Include Security Features
  • Device Integration Test Lab

The ecfirst medical IoT and IoT Cybersecurity Report includes an Asset Inventory, which identifies specific medical IoT device information such as:

  • IP Address
  • Hostname (if resolvable or successfully authenticated)
  • Operating System (if discoverable or successfully authenticated)
  • Open Ports
    • Potentially Active Services
  • Installed Software
Medical IoT and IoT Cybersecurity Readiness

ecfirst Medical IoT Cybersecurity Checklist

  • Cybersecurity Framework: Determine the cybersecurity framework that will establish the foundation for your security program requirements for medical IoT devices.
  • Policy: Develop a cybersecurity policy specific to medical IoT devices. Ensure the policy is reviewed by associated and impacted departments/business units, approved by senior leadership, and communicated to the workforce.
  • Security Risk Assessment: Ensure medical IoT devices are within the scope of enterprise cybersecurity risk assessment exercises. Perform a vulnerability assessment to determine medical IoT device security gaps. Examine the security architecture and identify opportunities to segregate medical IoT devices onto their own network segments, deciding where segregation applies.
  • Business Associate Agreements (BAA): Review third-party vendors (business associates) and their security practices to ensure HIPAA, FDA, and other mandates are appropriately addressed.
  • Patch Management: Stress the importance of software updates; develop a formal policy and practice for patch management.
  • Configuration Management: Ensure each type of medical IoT device is configured consistently and with the security capabilities appropriate for protecting PHI and PII.
  • Authentication: Review the authentication options available for accessing and configuring medical IoT devices.
  • Encryption: Examine options to encrypt PHI and PII stored, processed or transmitted by medical IoT devices.
  • Risk Management: Based on the findings of the risk assessment, establish a plan for risk management of medical IoT devices. Ensure formal remediation is performed on a regular schedule (e.g. monthly).
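As an added example (not ecfirst's code or report format), the script below takes a constructed inventory laid out with the Asset Inventory fields listed earlier (IP address, hostname, operating system, open ports and services, installed software) and maps each device to the checklist items it fails: legacy operating systems under Patch Management, cleartext services under Encryption, and placement outside the medical segment under the Security Risk Assessment segregation step. The medical-device subnet, the list of end-of-support OS families, and the cleartext service names are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample rows in the shape of the report's Asset Inventory fields.
# These are not real devices; hostname/OS may be None when not discoverable.
INVENTORY = [
    {"ip": "10.50.1.20", "hostname": "infusion-pump-07", "os": "Windows XP Embedded",
     "ports": {23: "telnet", 80: "http"}, "software": ["PumpMgr 2.1"]},
    {"ip": "10.10.4.8", "hostname": "ct-scanner-02", "os": "Windows 10",
     "ports": {443: "https", 3389: "rdp"}, "software": ["ImagingSuite 5"]},
    {"ip": "10.50.2.5", "hostname": None, "os": None,
     "ports": {22: "ssh"}, "software": []},
]

# Assumed medical-device network segment and end-of-support OS families (placeholders).
MEDICAL_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
LEGACY_OS_PREFIXES = ("Windows XP", "Windows 7", "Windows Server 2003")
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}


def assess_device(dev):
    """Return the checklist findings for one inventory row (empty list = no gaps)."""
    findings = []
    os_name = dev.get("os")
    if os_name is None:
        findings.append("Configuration: OS not discoverable; verify device manually")
    elif os_name.startswith(LEGACY_OS_PREFIXES):
        findings.append(f"Patch Management: legacy OS '{os_name}' cannot be patched")
    # Services that carry PHI/PII unencrypted map to the Encryption checklist item.
    clear = sorted(s for s in dev["ports"].values() if s in CLEARTEXT_SERVICES)
    if clear:
        findings.append("Encryption: cleartext services exposed: " + ", ".join(clear))
    # Devices outside the dedicated segment map to the segregation step.
    if ipaddress.ip_address(dev["ip"]) not in MEDICAL_SEGMENT:
        findings.append("Segregation: device is outside the medical IoT segment")
    return findings


def assess_inventory(inventory):
    """Map every device IP in the inventory to its list of findings."""
    return {d["ip"]: assess_device(d) for d in inventory}


if __name__ == "__main__":
    for ip, found in assess_inventory(INVENTORY).items():
        print(ip, "OK" if not found else "")
        for f in found:
            print("   -", f)
```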

Training & Certification

  • Examine and build a practical and applicable cybersecurity program for an organization. Step through core components of an actionable incident response plan.
  • Identify policies that reflect an organization’s priority for security in the areas of risk assessment, mobile devices, cloud computing, encryption, and more.
  • Study incident management and other checklist documents to establish consistency in monitoring enterprise security capabilities.

Trusted by the industry with proven methodology and results, with ecfirst clients in all 50 U.S. states.

In the News

Medical IoT Cybersecurity Solution: ecfirst Partners with Culinda!
The Art of Active Cyber Defense, Featured Presentation by Ali Pabrai at Africa ISACA’s CACS Conference | Aug 19, 2019.

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CCSFP (HITRUST) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.