Medical IoT Facts

Source: FBI Alert I-101717a-PSA

  • The number of medical IoT devices is projected to grow to 50 billion in 2020.
  • Deficient security capabilities, legacy operating systems, difficulties in patching vulnerabilities and a lack of security awareness are significant risks to both medical IoT devices themselves and the networks to which they connect.
  • Unsecure or poorly secured medical IoT devices can leave networks open to Distributed Denial of Service (DDoS) attacks.

Dept. of Homeland Security issued 30 advisories about cybersecurity vulnerabilities in medical IoT devices

Myth: The FDA is the only federal government agency responsible for the cybersecurity of medical IoT devices.
Fact: The FDA works closely with other federal government agencies, such as the U.S. Department of Homeland Security (DHS), but also works with members of the private sector, medical IoT device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of critical cyber infrastructure.

Myth: Medical IoT device manufacturers can’t update medical IoT devices for cybersecurity.
Fact: Medical IoT device manufacturers can always update a medical IoT device for cybersecurity. In fact, the FDA does not typically need to review medical IoT device updates implemented solely to strengthen cybersecurity.

Myth: The FDA tests medical IoT devices for cybersecurity.
Fact: The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical IoT product manufacturer.
  • Disruption of patient care
  • Loss of Protected Health Information (PHI) and Personally Identifiable Information (PII)
  • Loss of revenue

Medical IoT Cybersecurity Readiness

The ecfirst medical IoT Cybersecurity Report includes an Asset Inventory, which identifies specific medical IoT device information such as:

  • IP Address
  • Hostname (if resolvable or successfully authenticated)
  • Operating System (if discoverable or successfully authenticated)
  • Open Ports
    • Potentially Active Services
  • Installed Software
The explosion of medical IoT devices increases pressure for significantly improved cyber defense against incursions that threaten patients and cause costly disruptions.

The number of medical IoT devices in a hospital can be more than twice the number of traditional networked devices, such as laptops and smartphones.

Medical IoT devices typically run legacy operating systems with known vulnerabilities waiting to be exploited.
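As an added example (not code from the ecfirst report or from any product it describes), the script below shows how the asset-inventory fields listed above can be triaged once collected: it flags records where discovery was incomplete (no hostname or operating system), devices on a platform the organization treats as end-of-life, and open ports whose service is unencrypted or unidentified. The inventory records, the end-of-life platform set and the legacy-service set are all constructed assumptions for illustration; an organization would substitute its own policy lists.

```python
"""Triage a medical IoT asset inventory for coverage gaps and legacy platforms.

Added example, not the ecfirst report's own tooling. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: platforms the organization's policy treats as end-of-life (no vendor patches).
END_OF_LIFE_OS = {"Windows XP", "Windows 7", "Windows Server 2003", "Windows Embedded Standard 7"}

# Assumption: services that imply an unencrypted or legacy management channel.
LEGACY_SERVICES = {"telnet", "ftp", "http"}


@dataclass
class Asset:
    """One inventory record, using the fields named in the report's asset inventory."""
    ip: str
    hostname: Optional[str]        # None when not resolvable or not authenticated
    os: Optional[str]              # None when not discoverable or not authenticated
    open_ports: List[int]
    services: Dict[int, str]       # port -> potentially active service
    software: List[str]


def inventory_gaps(asset: Asset) -> List[str]:
    """Return the findings a reviewer would raise for a single device."""
    findings: List[str] = []
    if asset.hostname is None:
        findings.append("hostname unknown: device not resolvable or not authenticated")
    if asset.os is None:
        findings.append("os unknown: credentialed discovery incomplete")
    elif asset.os in END_OF_LIFE_OS:
        findings.append(f"end-of-life os: {asset.os} (no vendor patches)")
    for port in asset.open_ports:
        service = asset.services.get(port, "unknown")
        if service in LEGACY_SERVICES:
            findings.append(f"port {port}/{service}: unencrypted management channel")
        elif service == "unknown":
            findings.append(f"port {port}: open, service unidentified")
    return findings


def summarize(assets: List[Asset]) -> Dict[str, float]:
    """Roll the inventory up into the numbers a risk register needs."""
    total = len(assets)
    eol = sum(1 for a in assets if a.os in END_OF_LIFE_OS)
    incomplete = sum(1 for a in assets if a.hostname is None or a.os is None)
    return {
        "devices": total,
        "end_of_life": eol,
        "incomplete_records": incomplete,
        "pct_end_of_life": round(100.0 * eol / total, 1) if total else 0.0,
    }


# Constructed sample inventory: three devices, one with incomplete discovery.
SAMPLE_INVENTORY = [
    Asset("10.20.1.15", "infusion-pump-03", "Windows Embedded Standard 7",
          [80, 443], {80: "http", 443: "https"}, ["PumpMgr 2.1"]),
    Asset("10.20.1.22", None, None, [23, 502], {23: "telnet"}, []),
    Asset("10.20.1.31", "pacs-ws-01", "Windows 10", [3389], {3389: "rdp"}, ["DICOM Viewer 5"]),
]

if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        for finding in inventory_gaps(device):
            print(f"{device.ip}: {finding}")
    print(summarize(SAMPLE_INVENTORY))
```

The two counts in the summary map directly onto the readiness facts in this report: `incomplete_records` measures how far asset management falls short of full coverage, and `pct_end_of_life` is the share of devices for which no patch or upgrade path exists and which therefore need compensating controls such as segregation.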

Medical IoT Cybersecurity Checklist

Cybersecurity Framework

Determine the cybersecurity framework that will establish the foundation for your security program requirements for medical IoT devices.

Develop a cybersecurity policy specific to medical IoT devices. Ensure the policy is reviewed by associated and impacted departments/business units, approved by senior leadership, and communicated to the workforce.

Security Risk Assessment

Ensure medical IoT devices are within the scope of enterprise cybersecurity risk assessment exercises. Perform a vulnerability assessment to determine medical IoT device security gaps. Examine the security architecture and identify opportunities to segregate medical IoT devices onto their own network segments, and determine which devices segregation should apply to.

Business Associate Agreements (BAA)

Review third-party vendors (business associates) and their security practices to ensure HIPAA, FDA, and other mandates are appropriately addressed.

Configuration Management

Ensure each type of medical IoT device is configured consistently, and addresses the appropriate security capabilities to secure PHI and PII.

Examine options to encrypt PHI and PII stored, processed or transmitted by medical IoT devices.

Risk Management

Based on the findings of the risk assessment, establish a plan for risk management of medical IoT devices. Ensure formal remediation is performed on a regular schedule (e.g. monthly).

Asset management of medical IoT devices is typically incomplete

60% of medical IoT devices are at end-of-life stage, with no patches or upgrades available

Medical IoT devices in use by hospitals and other healthcare organizations average 20+ years of use per device, making them prime hacker targets

Gartner predicts that by 2020, more than 25% of cyberattacks in healthcare delivery organizations will involve the IoT


  • Lack of medical IoT devices cybersecurity = patient safety risk
  • Lack of medical IoT devices cybersecurity = disruptive business risk

Every hospital and health system must improve its cyber capabilities to monitor and manage medical IoT devices to ensure patient life is not threatened and healthcare operations are not disrupted.

AI-based Culinda provides deeper visibility and integrated capabilities to mitigate risk by continuously monitoring and managing medical IoT devices.

Healthcare organizations typically have minimal visibility into managing and monitoring medical IoT devices.

A typical hospital room contains 15-20 connected medical IoT devices, with an average of 6.2 vulnerabilities on each device.

Training & Certification

  • Examine and build a practical and applicable cybersecurity program for an organization. Step through core components of an actionable incident response plan.
  • Identify policies that reflect an organization’s priority for security in the areas of risk assessment, mobile devices, cloud computing, encryption, and more.
  • Study incident management and other checklist documents to establish consistency in monitoring enterprise security capabilities.

In the News

ecfirst, A HITRUST Authorized External Assessor, Achieves r2 Certification


TechConnect World Innovation, June 17 - 19, 2024

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.