Best Practices in IoMT Security
The Internet of Medical Things (IoMT) is fast becoming essential throughout the healthcare industry — but these smart devices can pose major security risks.
As the Internet of Things (IoT) grows in popularity, the healthcare industry has taken notice. To gain cost efficiencies and save patient lives, healthcare companies are tapping into the Internet of Medical Things (IoMT) — and their role as a major player in the smart device market will only continue to grow.
But doctors may soon need to worry about computer viruses as much as human ones, as the IoMT can leave medical operations and patient records vulnerable to cybercrime. In this context network security is more necessary than ever, in order to protect both livelihoods and lives.
The Growing Internet of (Medical) Things
The vast potential for powerful IoT applications within the healthcare space has long been recognized. Hospitals, health centers, and even home care have become ecosystems in which IoMT devices can not only perform critical care functions, but also capture and deliver data-driven insights to doctors and decision-makers who can take action.
Comprised of wearable devices, implants, monitors, digital assistants, admin support, and personnel management tools, the Internet of Medical Things connects across the entire span of healthcare operations. Researchers have suggested that medicine will become the biggest market for IoT by 2020, with 40% of all devices designed for health. Not just a large slice of a small pie, an estimated 7 billion IoT devices were in use globally in 2018, a number which is likely to increase to 22 billion by 2025.
Healthcare Applications for IoMT
Healthcare organizations are rapidly getting on board with IoMT, as Frost and Sullivan estimates that 60% have implemented devices as of 2017. The use of connected healthcare devices is already showing clear benefits throughout the industry.
IoMT is enabling some exciting breakthroughs in patient care. For example, devices like the “smart belt” can detects falls for elderly patients, preventing injury or illness. We’ve also witnessed innovative treatments for existing conditions, like a neuromodulation device that can relieve chronic pain through nerve stimulation. Remote devices are also being used to monitor patients during self-administered care, and can provide reminders and critical information instantaneously.
The IoMT has also shown the potential to improve doctor-patient communications (and thus health outcomes). With data-driven insights, devices can help doctors make more accurate diagnoses, prescribe better treatments, and flag potential complications before they occur. In some care settings, these smart devices are being used to keep tabs on crucial medical devices to prevent equipment failure.
Overall, the IoMT has the potential to be a big cost-saver for hospitals, bringing costs down, and profits up. If implemented correctly, IoMT solutions could cut down on inefficient practices, while providing for a better patient experience. When the Mt. Sinai Medical Center for New York began using IoMT to manage patient flow, for instance, they reduced wait times for half of ER patients. Hospitals could be looking at major innovations in all areas, from logistics and operations to disease management and cutting-edge treatment options.
IoMT Demands Better Security Practices
The FDA estimates that of every 1,000 IoT devices in use, 164 are subject to attacks. As hospitals discover more and more applications for the IoMT, many are beginning to add devices that may actually be putting their operations — and even patient lives — at risk.
Produced by a wide range of manufacturers, many IoMT devices are not optimized for hospital network security. Industry standards and FDA guidelines are falling behind the times, while only about 17% of medical manufacturers are taking steps to prevent attacks. This means that security features in IoMT devices are inconsistent at best. It’s not uncommon to find devices that have unencrypted communications, weak or nonexistent password protection, or a setup that makes it impossible to patch the device for enhanced security.
IoMT can pose threats to both individual patients and to the hospital system as a whole. In 2017, 465,000 pacemakers were recalled when it was realized the devices could be hacked, putting lives at risk. At the same time, over 95% of healthcare institutions have at some time been targeted. One 2015 estimate by the Health and Human Services Office of Civil Rights suggested that 112 million health records had been breached or compromised that year.
Cybersecurity breaches in the healthcare industry already incurs losses of roughly $5.5 billion a year, as patients sue for the violation of their HIPAA patient privacy protections. Most providers remain vulnerable, and weak security practices are common. In a busy hospital setting, for instance, smart objects may be used without proper setup or left unattended; doctors may bring in devices that have not been approved by the IT team. Private data is often left vulnerable when transferred to the cloud.
Smart devices are bound to be popular vectors for hacking into hospital networks, due to their relatively poor security posture. Once a hacker has gained access to a device, the damage spreads quickly. Just as smart-car manufacturers worry about a hacker taking control of the steering wheel, hospitals must defend carefully against the potential for hackers to take control of the IoMT devices responsible for the lives of their patients.
How to Protect Patients When Using IoMT
While the benefits of the IoMT cannot be ignored, neither can hospitals neglect to address the substantial security threat these devices pose to their operations. By following this list of best practices in IoMT security, even hospitals that have already begun to deploy large IoMT solutions can protect against worst-case scenarios moving forward:
- Vet your vendors. Build relationships with manufacturers that have demonstrated a commitment to security at every level — you don’t want a device that essentially comes pre-installed with a virus.
- Maintain security criteria. You’ll want to decide on basic security features that every product must have. Does the device have patching capability? Is it password protected?
- Collaborate across departments. The biomedical team may be choosing devices, but it’s the IT team that ends up securing those devices later on. Collaboration is key.
- Determine the scope of your system. Take inventory of the devices you do have, determine their vulnerabilities, and figure out how to protect, or replace, any problem items.
- Train the users. Doctors, nurses, administrators, and even patients should receive regular trainings on how to use IoMT devices without putting the hospital patients at risk. That means, among other things, never leaving devices unattended.
- Talk to IT professionals to protect your network. Although IoMT devices will need to interact with your network, that shouldn’t mean they have free rein. It’s time to segment your network and have a plan in place to detect anomalies, and limit the damage from any attacks that do happen.
If you are serious about protecting your healthcare organization and your patients, it’s time to contact a managed services provider who can provide the cybersecurity insights you need. Turn-key Technologies has over two decades of experience in assessing, upgrading, and protecting networks, with a focus on best practices in cybersecurity. IoMT devices offer many benefits, but when it comes to implementation, it’s better to do a secure rollout rather than a rushed one.
By Craig Badrick