Have you been to the hospital lately? If so, you’ve probably been attached to at least one medical device with at least some sort of internet access. According to Cisco, the average hospital room has, on average, 15-20 connected devices, with an average of 6.2 cybersecurity vulnerabilities between them.
It’s probably unsettling to know that cybercriminals are pretty interested in those devices. The healthcare industry is especially attractive to attackers, who are often after medical records and personally identifiable information (PII) belonging to patients. According to SANS, the healthcare sector has experienced more breaches than any other sector over the past 3 years. When you take into account the fact that the Internet of Things (IoT) is difficult to secure, that can seem like an unfortunate combination.
The Internet of Medical Things (IoMT) does have several common vulnerabilities, but fortunately, by knowing what those vulnerabilities are, you can secure your medical devices against attack.
What is the IoMT?
The Internet of Medical Things (IoMT) is a network of Internet-connected medical devices, infrastructure, hardware, and software used to connect healthcare information technology. IoMT technology takes many forms, such as remote temperature monitoring, sleep monitors, remote biometric scanners, blood glucose monitors, heart monitors, and even technology that reminds patients to refill their prescriptions.
If it connects to the Internet on its own and is used in healthcare, it’s part of the IoMT. Unfortunately, the IoMT is as prone to hacking and attacks as the regular Internet of Things (IoT).
The IoT tends to be vulnerable to attack for a few common reasons: IoT devices might be “smart” but they’re designed to do specific tasks well, and otherwise are limited; they don’t necessarily have the computational bandwidth for security functions, and that can be a problem when they’re connected to unsecured networks, or even to the same network as the rest of an organization’s infrastructure.
There are, however, specific vulnerabilities that tend to apply to the Internet of Medical Things.
Common vulnerabilities in the IoMT
1. A lack of a strong authentication process
Most technology requires a password, but the IoMT doesn’t typically require authentication for use. Think of a mobile heart monitor; it’s put on a patient and it simply starts recording their cardiac activity. A medical professional can then access that data, and in many cases does not require a password to see that data dump. This is something that can be remedied by the IT department of a clinic or hospital, but it’s important to remember that when it comes to authorization, relying on weak passwords is almost as bad as not having a password at all. Weak and poorly stored passwords have been the reason for IoMT breaches in the last year. A medical IT department should set up strong authentication protocols, such as multi-factor authentication (MFA) to avoid breaches.
2. The ability to access IoMT devices from an external device
Because medical devices are designed to be accessed by computers or other devices, like smartphones, breaching a computer or a phone offers an attacker access to the device itself. Once again, strong authentication processes can help with this, but so can strong security around the devices themselves. We tend to think of cyberattacks as something that happens only online, but it’s possible, for example, that an attacker might steal a laptop from an unsecured location in a hospital and get access to medical data that way. Make sure only authorized personnel can get to your computers and the other devices with IoMT access.
3. Buggy or unpatched software
We’ve said it before but it is worth saying again: cybercriminals rely on the delayed patching of software. Bad actors know the glitches in your software and they also know when security patches are being pushed out. Make sure patches are promptly installed so that criminals don’t exploit IoMT weaknesses they read about in the release notes of the latest update.
4. Unsecured network access
When your IoMT devices are on the same network as the rest of your infrastructure, you open yourself up to an attack on not just your IoMT devices, but the entire system. Prevent this by segmenting your network, and using one segment of the network only for the IoMT. That way, if an attack on your devices happens, it stays in one area of your network only.
5. Lost device
The problem with devices is that they can be lost. Think about it —how many times have you put your phone down, or taken off a smartwatch, and then not been able to find it? This is possible with some IoMT devices. Either they can be stolen from a medical facility, or a person with a medical device may take them off and lose them. It’s important to put processes in place to make devices difficult to lose, but also to have a plan for when devices do go missing. Strong authentication, tracking, and other similar methods are a way to make sure lost devices don’t become gateways into your health organization’s IT infrastructure.
How can SecurityScorecard help?
Having the ability to quickly and easily understand your organization’s security posture is vital when you’re evaluating your organization’s security risk.
Our security ratings are based on an A-F scoring scale that quickly shows you where vulnerabilities have been detected and which need to be prioritized first. Our ratings cover a variety of security factors, like endpoint security, network vulnerabilities, and patching cadence. By being able to identify your organization’s weaknesses at a glance, you can keep your networks and data safe and secure.
