by Jeremy Linden, Asimily

Cyberattacks against healthcare providers are increasing, with a rapid increase seen during the pandemic and a further rise of 94% in 2022. As more of these devices become connected to the network, attacks that may have once been costly could now turn deadly. Independent service organizations (ISOs) have an important role to play in keeping the Internet of Medical Things (IoMT) secure as they become more conversant in medical device-specific cybersecurity. This article attempts to bridge that gap and offer a framework that is essential to contribute to the shared responsibility of keeping IoMT safe and reliable.

The basic functionality one needs to cover the bare bones of modern IoMT security falls into three major categories.  

Passive Network Monitoring

Attempting to roll your own IoMT security program can be a daunting task for anyone. Thankfully, modern security solutions designed to manage connected medical devices can make the job much easier. These solutions are typically referred to as “passive network monitoring” solutions because they are installed on the network and passively observe medical device traffic. This is substantially safer than traditional vulnerability management solutions that rely on “active scanning,” which can cause a medical device to malfunction in the field. The behavior of medical devices when scanned is not known or planned for by device manufacturers, putting clinical outcomes at risk.

The safest solutions use passive observation to fingerprint each device, including the manufacturer, model, and version, as well as identifying information about the individual device such as its serial number and IP address. Passive observation is crucial to inventory every device.  This saves time and makes it more efficient than manually inventorying floor-to-floor. With a valid, current inventory, the solution can identify vulnerabilities or threats present on the devices for prioritization and remediation.

In many cases, these solutions have the ability to integrate with modern computerized maintenance management system (CMMS) solutions. This can reduce the manual effort ISOs spend updating the CMMS by automatically keeping it up-to-date whenever the device changes its configuration, moves to a different location, or gets a software update. Centralizing customers on a single CMMS and network monitoring solution enables ISOs to free up analyst time for more leveraged activities.

Vulnerability Management

Perhaps no topic is more critical to securing IoMT devices than vulnerability management. But what is vulnerability management, exactly? Vulnerability management is the practice of continuously prioritizing and remediating vulnerabilities that might affect health care delivery. Vulnerabilities are flaws in the medical device/system (hardware, software or both) that could allow an attacker to compromise it. Compromise could result in abnormal behavior, protected health information (PHI) exposure, or worse — harm to patient safety.

Thankfully for health care providers, most medical device vulnerabilities do not pose a realistic threat. Many vulnerabilities detected by traditional security tools are on platform components like the operating system. Because these components are generally used differently in a medical device than in a traditional computer, many vulnerabilities are not actually exploitable in the real-world environment of care.

As an ISO, you may be asked to help remediate your customers’ vulnerabilities. It’s important to take a holistic approach rather than going down a laundry list of vulnerabilities to fix each one. This will be a frustrating process and in most cases, and may not result in fixing the most critical vulnerabilities. Instead, look to prioritize remediation by both the likelihood of exploitation and the impact of a breach on the specific device in question. That impact can be to patient safety, data privacy, or business continuity. For example, it’s generally more important to fix a vulnerability on a device that’s being used for critical patient care or handles PHI than on devices that aren’t as critical. 

The most common failure mode for remediating vulnerabilities is an overreliance on patching or microsegmentation. Patching is often not possible for medical devices, and the increased networking investment required for segmentation is not always possible for all organizations. You can save a lot of time and effort by exploring workarounds and other configuration or behavioral changes – for example, turning off a vulnerable service on a device – that reduce or even eliminate the risk of a vulnerability, even if patches are not available. 

When selecting a passive network monitoring solution, it’s important to keep in mind the optimal vulnerability management process described. Look for a solution that prioritizes devices in an evidence-based manner and recommends efficient remediation methods rather than showing a laundry list of vulnerabilities and solely focusing on patching or segmentation. This will prove much easier to operationalize and integrate into a holistic IoMT security program.

Pre-Procurement Risk Assessments

Finally, many HDOs are starting to turn to ISOs to advise them on security risks of purchasing new IoMT devices. This is an important leverage point in the cycle as it is always easiest to prevent a security problem by not creating it in the first place. While there are many ways to conduct these assessments, it’s important not to let this become a “compliance theater” exercise consisting of filling out lengthy forms with the manufacturer. 

Nix the paperwork exercise and instead implement a more effective process, drawing upon real-world information. This can include past security history from the manufacturer, such as any past record of serious security issues or checking whether vulnerabilities are patched expediently. It is now possible in many cases to draw upon data sources showing a device’s actual performance in the field, including what vulnerabilities or threats are detected during actual usage. While these approaches might require some upfront effort, the investment will pay off in actionable insights that help improve IoMT security posture, and reduce tedious paperwork. 

Conclusion

Three things to remember when thinking about providing IoMT security services or assistance to customers:

  1. Passive network monitoring solutions can streamline and automate much of inventorying and vulnerability management, and is a good investment for hospitals, regardless of their size.
  2. Prioritize vulnerabilities by evaluating the likelihood and the impact of the affected device, and take a holistic approach rather than overly focusing on patching or segmentation.
  3. Pre-procurement risk assessments can reduce a lot of headaches from acquiring inherently insecure devices, but beware of compliance theater methods that give few actionable insights.

Asimily will be discussing these topics and more at the upcoming IAMERS meeting in Charleston.  We hope to see you there. If any ISOs have questions about IoMT security, we are always happy to provide advice to the industry; you can reach us at [email protected]

 

Jeremy Linden is Sr. Director, Product Management at Asimily. He has over 15 years of experience in the cybersecurity industry as a product manager, engineer, and security analyst. Prior to Asimily, he led product management at Expanse, where he built pioneering external attack surface management products Expander and Behavior. Before Expanse, he led product management for security analytics and threat intelligence at OpenDNS, where he owned the Umbrella Investigate threat intelligence product. He has prior experience at Lookout, Arbor Networks, and other pioneering security companies.