The Internet of Medical Things (IoMT) arguably stands alone when it comes to the threshold of comprehensive IoT security that healthcare delivery organizations must continually meet. Hospitals, physician practices, and integrated delivery systems need to not only keep their own organizations' Web-connected devices and equipment always compliant and secure, but they also must ensure patient safety isn't at risk (and avoid the significant reputational harm that comes from a public breach).
Adding to this challenge is that healthcare organizations tend to deploy uniquely heterogeneous fleets of IoMT devices that contain higher volumes of particularly vulnerable legacy devices. No other industry harnessing IoT capabilities has stakes as high as healthcare, nor such challenging obstacles. As a result, healthcare security teams must carefully craft approaches to address and mitigate certain risks that simply don't exist in other modern IoT implementations.
There are three key points to understand when building an effective IoMT vulnerability management and security strategy. First, because they face thousands of new vulnerabilities every month, IoMT security teams must pick their battles. Second, managing high device churn means introducing security from the moment of adoption. And third, security leaders must form collaborative teams of experts to manage myriad high-risk devices.
1. Pick Your Battles
On average, IoMT device manufacturers publish 2,000 to 3,000 vulnerabilities every month. However, they publish patches for only about one in 100 at best. Healthcare delivery organizations can't simply scan IoMT devices for vulnerabilities because doing so will cause many legacy devices to crash. Security teams may attempt to just segment every device for vulnerability remediation and mitigation, but doing this for every device is complex — and maintaining such a segmentation for IoT and IoMT is even more so. Teams cannot rely on scans, don't have nearly enough patches, and new devices are continually added. Soon enough, segmentation erodes and security teams end up with a flat network.
Here's the good news: Just 1% to 2% of IoMT vulnerabilities actually present a high risk in their given environment. An IoMT device's actual risk is very much a function of environmental specifics — a device's connections, nearby devices, its particular use case, and so on. By conducting an environment-specific exploit analysis, security teams can identify a device's true risks and concentrate their finite resources accordingly. Segmentation and other techniques can then focus on fixing the top 1% to 2% of high-risk devices and vulnerabilities.
Security teams should also be aware that attackers are playing this same game — they're probing for vulnerabilities within environments that can serve as springboards for their attack chains. A simple IoMT monitoring device with no data or significant effect on patient outcomes can still become the first domino in a major security event.
2. Introduce Security at Adoption
Security teams must grapple not only with entrenched legacy IoMT devices, but ever-changing device inventories that churn at a rate of 15% per year. To counter this difficulty, security leaders must demand a seat at the decision-making table when new devices are adopted — or at the very least, a heads-up to properly analyze and address vulnerabilities before devices enter active use. That level of consideration is standard across other industries and must be foundational for an effective IoMT security strategy.
In fact, in most other industries an IT department could veto the adoption of solutions that pose a security liability for the organization. Within healthcare delivery organizations, however, IoMT devices with security issues may nevertheless be essential to the higher-priority goal of providing exceptional patient care and patient experiences. That said, healthcare organizations that incorporate security into their IoMT device acquisition processes enable better ongoing security and risk remediation outcomes.
3. Form Collaborative Teams of Experts
Unlike in industries where CSOs might manage homogeneous arrays of inexpensive IoT sensors and have carte blanche to dismiss devices that present any risk they don't like, healthcare demands an entirely different, and holistic, decision-making process. Clinicians carry tremendous weight when it comes to technology decisions because an IoMT device with high risk from an IT security perspective might significantly reduce risks to a patient from a health perspective. IoMT devices that enhance the patient experience, such as vulnerable NICU cameras that nevertheless allow parents to view their newborns, may also justify putting security teams in a tough position.
While it is understandable to decide in favor of supporting health outcomes, security leaders must be prepared to introduce protections that facilitate those decisions. Maximizing IoMT security effectiveness in these challenging circumstances requires security leaders to build an expert team with substantial collected knowledge of current threats and a collaborative mindset enabling the preparation of optimal countermeasures.
Make IoMT Security an Organizational Priority
Healthcare security leaders must help their organizations to recognize the tremendous importance and value of IoMT security, even if patient outcomes and experiences come first. At the same time, security leaders should not be daunted by the difficulty of IoMT risk management. Every small step that reduces risk paves the road to a strong security posture.