Study findings released in January 2022 found that 53% of the Internet of Things (IoT) devices used in the healthcare industry have “at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy.” Further, research conducted by Forescout Research Labs found that 75% of healthcare entities are vulnerable to attacks through IoT devices.
On April 8, 2022, the U.S. Food and Drug Administration released draft cybersecurity guidance for medical devices, an update to guidance issued in 2014. The draft guidance addresses appropriate security architecture, including the implementation of the following security controls:
- Code, Data, and Execution Integrity
- Event Detection and Logging
- Resiliency and Recovery
- Updatability and Patchability
There are many ways device users can align with these recommendations, mitigate common vulnerabilities, and strengthen the security of the system architecture, including device reconfiguration, network segmentation, and data encryption. We’ll explore these later, but first…
What Is the IoMT?
IoT refers to smart devices capable of connecting to, controlling, and sending data to other devices over the internet, allowing them to work independently with minimal human intervention.
The Internet of Medical Things, or IoMT, refers to devices used specifically for healthcare purposes, such as “heart monitoring implants, infusion pumps that are used in hospitals to deliver a pre-programmed level of fluids into a patient…pacemakers, insulin pumps, and cochlear implants.” The technology used to operate IoT and IoMT devices can include infrared, Radio Frequency Identification (RFID), Near Field Communication (NFC), Bluetooth, Ultra-Wideband (UWB), Internet Protocol (IP), Wireless Fidelity (Wi-Fi), and other widely used technologies. Each of these common technologies has known vulnerabilities and exploitable vectors that can allow malicious individuals to access the devices operating it.
IoT and IoMT devices are built on a layered architecture. Each layer can hold multiple vulnerabilities, giving an attacker multiple exploitable vectors:
- Perception layer: This is the lowest layer, where signal measurement and transmission take place. It is the layer closest to the hardware Medium Access Control (MAC) layer.
- Network layer: Similar to the OSI (Open Systems Interconnection) network layer, the Network layer is responsible for communication, interconnection, and transport of data packets among devices throughout the network.
- Application layer: As the top layer in the three-layered IoT architecture, the Application layer corresponds to the session and application layers of the OSI model. It provides application and data control services and is affected mainly by the type of data traveling through the IoT network.
Because each layer is linked to the next, a single vulnerability in any one layer is enough to put the whole device at risk of exploitation. Likewise, devices are often connected to the same hospital network as other systems that store and transfer critical, confidential data, creating a path from one device to the next. Because the smart system is allowed to communicate with those other devices, an attacker who compromises it gains attack vectors that nothing on the network checks.
IoT devices used for maintaining and operating facilities (e.g., badge readers, security cameras, HVAC systems, electricity, and other standard operational devices) generally are not equipped with the necessary security to meet HIPAA standards and keep out unauthorized individuals. For example, an HVAC system remotely controlled via a device on the network, such as a tablet or desktop, may have extended access, which could allow a bad actor to connect from device to device, ultimately accessing confidential patient information. Since IoT devices are capable of communicating with IoMT devices, the delivery of malware (such as ransomware), Distributed Denial of Service (DDoS) attacks, insider threats, and other data breaches is a credible threat to information security.
Risk Mitigation Strategies and Strengthening System Architecture
As noted earlier, there are several ways to align with FDA guidance to mitigate risks and ensure the strength of your system’s architecture, such as device reconfiguration, network segmentation, and data encryption. Let’s take a look at each of these strategies.
The first mitigation strategy involves device reconfiguration, which requires significant knowledge and manpower. According to an article published by Bitdefender, “The lack of security is often the result of the device manufacturer who may, understandably, not have the right priority, sense, or resources dedicated to ensuring the devices are secure.” As a result, to protect against and mitigate the potential for attacks, one would have to reconfigure each device to ensure the proper security protocols and safeguards are in place. This may require adding antivirus, patch management, and other measures to protect against the vulnerabilities found in the commonly used communication technologies described above.
The second mitigation strategy is network segmentation, i.e., the process of dividing access and layering the distribution of direct access to data. This can be accomplished in many ways, such as moving from a flat network (where access to the network allows unchecked direct access to all parts of the network) to layered access on a segmented network. A segmented network with layered access should be operated on a “minimum necessary” basis, requiring that access be requested and granted for each segment of the network. To achieve an effectively segmented network, all systems should be ranked by their mission-critical status. All devices identified as highly critical should be segmented accordingly, disallowing unnecessary physical and technical access. This may include moving the physical location of equipment and/or moving necessary equipment onto separate, secured Wi-Fi networks.
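The following Go program is an added illustration of the segmentation model described above and of the HVAC-to-patient-data pivot from the earlier facilities example; it is not code from PYA or from any device vendor. It assumes a constructed asset inventory (device names, a four-tier criticality ranking, and VLAN names are all invented for the example): each device is placed in a segment by criticality, the policy starts as default deny with only intra-segment traffic allowed, cross-segment paths must be granted explicitly (the “minimum necessary” step), and a sample of flows that a flat network would have carried is checked against the policy to show which ones segmentation blocks.

```go
package main

import (
	"fmt"
	"sort"
)

// Criticality ranks a system by its mission-critical status; higher is more critical.
type Criticality int

const (
	Facilities   Criticality = iota // HVAC, badge readers, cameras
	Workstation                     // staff tablets and desktops
	ClinicalData                    // EHR and PACS servers holding PHI
	PatientCare                     // bedside IoMT: infusion pumps, monitors
)

// Device is one entry from a constructed (not real) asset inventory.
type Device struct {
	Name string
	Crit Criticality
}

// Flow is an observed or requested network connection between two devices.
type Flow struct {
	Src, Dst string
}

// segmentFor maps each criticality tier to its own segment (VLAN/SSID); names are hypothetical.
func segmentFor(c Criticality) string {
	return map[Criticality]string{
		Facilities:   "facilities-vlan",
		Workstation:  "staff-vlan",
		ClinicalData: "clinical-data-vlan",
		PatientCare:  "patient-care-vlan",
	}[c]
}

// Policy is the "minimum necessary" allow-list of (source segment, destination segment)
// pairs that were explicitly requested and granted. Anything absent is denied.
type Policy map[[2]string]bool

// Segmentation holds the device-to-segment assignment and the allow-list.
type Segmentation struct {
	segmentOf map[string]string
	policy    Policy
}

// Build assigns every inventoried device to a segment by criticality and starts
// from a default-deny policy in which only traffic inside a segment is allowed.
func Build(inventory []Device) *Segmentation {
	s := &Segmentation{segmentOf: map[string]string{}, policy: Policy{}}
	for _, d := range inventory {
		seg := segmentFor(d.Crit)
		s.segmentOf[d.Name] = seg
		s.policy[[2]string{seg, seg}] = true
	}
	return s
}

// Grant records one explicitly approved cross-segment path (the "request and grant" step).
func (s *Segmentation) Grant(srcSeg, dstSeg string) {
	s.policy[[2]string{srcSeg, dstSeg}] = true
}

// Allowed reports whether a flow is permitted; devices missing from the inventory are denied.
func (s *Segmentation) Allowed(f Flow) bool {
	src, okS := s.segmentOf[f.Src]
	dst, okD := s.segmentOf[f.Dst]
	if !okS || !okD {
		return false
	}
	return s.policy[[2]string{src, dst}]
}

// Violations returns, sorted, the flows in a traffic sample that the policy blocks.
// On a flat network every one of these would have succeeded.
func (s *Segmentation) Violations(sample []Flow) []string {
	var out []string
	for _, f := range sample {
		if !s.Allowed(f) {
			out = append(out, fmt.Sprintf("%s -> %s", f.Src, f.Dst))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed inventory and traffic sample; not data from any real hospital.
	inventory := []Device{
		{"hvac-controller", Facilities}, {"badge-reader-1", Facilities},
		{"facilities-tablet", Workstation}, {"nurse-desktop", Workstation},
		{"ehr-server", ClinicalData},
		{"infusion-pump-3", PatientCare}, {"bedside-monitor-7", PatientCare},
	}
	s := Build(inventory)
	s.Grant("staff-vlan", "facilities-vlan")         // the tablet that controls HVAC
	s.Grant("staff-vlan", "clinical-data-vlan")      // clinicians need the EHR
	s.Grant("patient-care-vlan", "clinical-data-vlan") // monitors post vitals
	sample := []Flow{
		{"nurse-desktop", "ehr-server"},       // granted
		{"facilities-tablet", "hvac-controller"}, // granted
		{"hvac-controller", "ehr-server"},     // the HVAC-to-PHI pivot: blocked
		{"badge-reader-1", "infusion-pump-3"}, // facilities IoT reaching IoMT: blocked
	}
	for _, v := range s.Violations(sample) {
		fmt.Println("blocked:", v)
	}
}
```

The design point is that the tablet keeps the access it legitimately needs (staff to facilities, staff to clinical data), while the HVAC controller itself has no granted path to clinical data, so compromising it no longer yields a hop to patient information. Running the block prints the two blocked flows.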
The third safeguard against unauthorized malicious access is data encryption. Data can be encrypted when at rest (in storage) and when in transit (via email, for example). Using any number of encryption methods can ensure that, should the network or devices be compromised, malicious individuals will not be able to read and access the data held or transmitted via the compromised equipment.
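As an added example of encryption at rest (not code from PYA or from any device vendor), the Go program below uses AES-256-GCM from the standard library to seal a constructed patient record before it is written to a device's storage. It assumes the key is generated and held elsewhere (a KMS, HSM or OS keystore); the record identifier is bound as associated data so a ciphertext cannot be swapped between records, and any alteration of the stored blob fails authentication rather than decrypting to garbage. The record content and identifier are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In a real deployment the key lives in a
// KMS/HSM or OS keystore, never on the same storage as the ciphertext it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM. The record identifier is bound as
// associated data so a ciphertext cannot be silently moved to another record.
// Output layout: nonce || ciphertext || authentication tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to the nonce, giving nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. A modified blob, a mismatched record ID, or the wrong key
// fails authentication and returns an error instead of plaintext.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000000","vitals":{"hr":72,"spo2":98}}`)
	blob, err := Seal(key, "record-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext; plaintext never written to disk\n", len(blob))

	// Simulate a tampered row on a compromised device's storage.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, "record-42", blob); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

For data in transit the same standard library provides TLS (crypto/tls); the at-rest example above is the part that a stolen or compromised device exposes, which is why the key must never sit beside the ciphertext.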
These three mitigation processes require persistent monitoring and knowledge to identify vulnerabilities before they become attack vectors. An organization must have strategic plans for mitigation and the manpower to implement and manage any necessary changes. There are hundreds, if not thousands, of known vulnerabilities that remain unchecked due to a lack of implemented cybersecurity measures and support. Cybersecurity is a fluid operation that must continue to adapt to the ever-changing vulnerabilities and risks that emerge.
To stay in front of the ever-present cybersecurity risks, organizations must prioritize cybersecurity operations. PYA specializes in information technology (IT) security assessments and mitigation with our comprehensive risk management Overwatch Program™. We partner with our clients to provide IT risk management, process assessments, and data governance. Our IT subject matter experts have the knowledge and experience to provide professional advisory services, compliance assessments, and audits. We can also assist in IT strategy and integration efforts.
If you would like assistance with cybersecurity risk mitigation and strategies, or any matter involving IT needs, one of our executives would be happy to assist. These executives can be reached via their contact information below, or by calling (800) 270-9629.