- A recent Deloitte poll identified that legacy and fielded medical Internet of Things (IoT) devices challenge provider connected device ecosystems, indicating that medical IoT security continues to test healthcare organizations.
Thirty-six percent health IT infrastructure professionals polled stated that their organization had experienced a cybersecurity incident in the past year. Respondents reported that identifying and mitigating the risks associated with fielded and legacy connected devices presents a significant cybersecurity challenge.
"It's not surprising that managing cyber risks of existing IoT medical devices is the top concern facing manufacturers, providers, and regulators," Deloitte Risk and Financial Advisory partner Russell Jones said in a statement.
"Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls,” Jones continued. “Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product's entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution."
Medical IoT devices need to be secured on both the device and network level. Securing IoT devices can challenge organizations because the devices do not all operate the same and have different security requirements. Many security requirements need to be incorporated in the design phase.
Organizations struggle with embedding vulnerability management into the medical IoT device design phase because it involves entities investing more time in the device, which may stretch IT departments thin.
"Collaboration between providers, manufacturers, and suppliers is key when it comes to bridging the gaps in medical device cybersecurity,” said Jones. “This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely."
Survey respondents are also challenged by monitoring and responding to cybersecurity incidents, and often find a lack of collaboration on cyber threat management throughout the connected medical device supply chain.
Healthcare has specific issues with IoT security because of the alternative authentication that is required by the connected devices. The FDA also recently issued the Postmarket Management of Cypersecurity in Medical Devices, where the agency outlines the security risks of connected medical devices malfunctioning.
Any IoT device can have a security vulnerability that could potentially affect the entire network. Something as simple as a connected copy machine or a smart refrigerator could expose a network via an unprotected gateway.
Security vulnerabilities have been discovered in pacemakers, defibrillators, and diabetes insulin pumps. These devices are meant to be communicating with the management server only, but have been found to broadcast signals out into the internet, breaching security protocols.
IoT devices do not have the same computing power as smartphones and laptops, making it difficult to deploy a strong encryption option. It can also be more difficult to securely generate and store the keys needed for strong device security.
Organizations also have to consider the number of IoT devices that are connecting with the network. The number of medical IoT devices is constantly growing, meaning that manual security management isn’t an option.
Providers need to involve themselves in the manufacturing of connected medical devices and must also implement an IoT management and security solution that gives them visibility and control over IoT devices.
Deloitte recommended a layered approach when it comes to medical IoT device security, suggesting that organizations:
- Implement a document hierarchy. Formalize, organize, and structure medical device cybersecurity activities and governance to ensure patient safety and respond more quickly to regulators, legal matters, or internal investigations. Beyond the typical education and training standards and operating procedures, these hierarchies should also include work instructions and templates for each unique device that maps to each component of the product security program. Documentation of quality management system (QMS) protocols and procedures should also be centralized and regularly updated.
- Conduct annual—at minimum—product security risk assessments. Treat cybersecurity risk assessment procedures as ongoing, iterative processes that are repeated at least annually and when business changes occur, such as supplier changes, acquisitions, or divestitures. They're utilized throughout the entire lifecycle of connected medical devices—including their related apps—to identify cybersecurity threats that often fall outside of what minimum medical device security requirements address.
- Take a forensic approach to incident response. Establish the incident timeline, detect anomalous behavior, and figure out what data was accessed and exposed. Forensic analysis can help your organization uncover facts as well as assist in determining what future actions you need to take in your response and remediation.
Organizations that have complete control over their IoT devices from the development phase through controlling them via a management solution will have a more secure network and be able to detect vulnerabilities before they become issues.