Securing the 'M' in IoMT to ensure patient safety
The market for the internet of medical things, or IoMT, which includes medical devices, servers and applications that connect to computer networks, is experiencing explosive growth. Hundreds of thousands of connected medical devices, such as patient monitors, IV pumps, MRI machines, infusion pumps and ventilators, are linked to hospital networks to improve the quality and efficiency of delivering medical care. The IoMT market is expected to reach $136.8 billion worldwide by 2021, and researchers have suggested that healthcare will become the biggest market for IoT by 2020, with 40% of all devices designed to be used for healthcare purposes.
Although all of these innovations can improve the quality of in-patient care, their ability to communicate over internal computer networks has introduced new vulnerabilities to cyberattacks. Hackers are increasingly targeting hospitals because of the high price they can command for sensitive patient data and the recent success of ransomware attacks.
The growing security risk
Medical devices need an extra level of protection because if an attack causes them to malfunction, patient lives are at risk.
For example, if a cyberattack tampers with smart infusion pumps that enable hospital staff to dispense and change medications automatically through the wireless network, dosages could be changed with disastrous results. Likewise, an interruption in the transmission of readings from sensors embedded in patients' beds could prevent healthcare providers from being alerted when a patient urgently needs care.
A cybersecurity technology for IoMT needs to ensure that, in the event of an attack, medical devices can continue to provide patient care. Such a technology must prevent malware and malicious activity from interfering with normal operations.
Special expertise required to secure IoMT
While generic IoT security systems secure all the endpoints the same way, securing medical devices requires knowing each device’s role in the various clinical workflows to accurately assess the impact of a cyberattack on patient safety. The “M” in IoMT makes all the difference.
Security professionals are used to protecting email servers, different databases, laptops and other mobile devices, but when it comes to securing medical devices they lack the visibility and understanding of how devices operate. It’s very important to understand where the medical devices are and what their role is in medical workflows and clinical processes. This understanding helps security professionals apply the right controls and the right security policies to properly protect the assets and their communications without interrupting hospital operations.
Each device needs to be analyzed based on the possibility that it could leak information or that it could pose a danger to a patient's health. For instance, a PACS (picture archiving and communication system) would have a high privacy ranking, while an infusion pump would have a high patient safety ranking. Based on the ranking system, the devices that need immediate attention can be identified and managed accordingly.
There also needs to be special consideration of how critical the device is for patient care at each particular hospital. If a local hospital has only one MRI machine and is servicing the entire region, that machine may need stricter controls than one of several ultrasound machines, since the other ultrasound units can be used if one is compromised.
In addition, the IoMT security system needs a very good understanding of all of the device's connections, including gateways, nurses' stations, interface engine servers, terminal servers, printers and other middleware. If a server is attacked, it's important to know how many other entities will be affected and to remediate appropriately to ensure patient safety.
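As an added illustration, not code from the original article, the following Python model combines the three considerations above: a privacy ranking, a patient-safety ranking, a redundancy-based criticality (a sole MRI versus one of several ultrasound units) and a dependency list that yields the set of devices a compromised server would take with it. The inventory, entity names and the 1-5 scales are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    """A medical device or a piece of middleware in the hospital inventory."""
    name: str
    privacy: int        # 1-5: impact if the data it holds or relays leaks
    safety: int         # 1-5: impact on patient safety if it is tampered with or stops
    equivalents: int    # interchangeable units at this hospital (1 = sole unit)
    depends_on: list[str] = field(default_factory=list)  # upstream entities it needs

# Constructed sample inventory for one hospital (assumption, not a real deployment).
INVENTORY = {e.name: e for e in [
    Entity("interface-engine", 3, 1, 1),
    Entity("pump-gateway", 1, 1, 1, ["interface-engine"]),
    Entity("nurse-station-A", 2, 2, 1, ["interface-engine"]),
    Entity("PACS", 5, 2, 1, ["interface-engine"]),
    Entity("mri-1", 3, 4, 1, ["interface-engine"]),
    Entity("infusion-pump-7", 1, 5, 12, ["pump-gateway"]),
    Entity("bed-sensor-22", 1, 4, 30, ["nurse-station-A"]),
    Entity("ultrasound-3", 2, 3, 4),
]}

def availability(e: Entity) -> float:
    """Care-continuity impact of losing this unit: a sole unit scores the maximum,
    one of several interchangeable units scores proportionally less."""
    return round(5 / e.equivalents, 2)

def criticality(e: Entity) -> float:
    """Overall rank: the worst of the privacy, patient-safety and availability dimensions."""
    return max(float(e.privacy), float(e.safety), availability(e))

def downstream(inventory: dict, name: str) -> set[str]:
    """Every entity that transitively depends on `name`: the blast radius of its compromise."""
    affected, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        for e in inventory.values():
            if current in e.depends_on and e.name not in affected:
                affected.add(e.name)
                frontier.append(e.name)
    return affected

def compromise_impact(inventory: dict, name: str) -> dict:
    """Summarize what an attack on `name` would disrupt, so remediation can be prioritized."""
    hit = downstream(inventory, name)
    return {"affected": sorted(hit),
            "max_safety": max((inventory[n].safety for n in hit), default=0)}

def triage(inventory: dict) -> list[str]:
    """Entities ordered by criticality, then safety, then privacy, highest first."""
    key = lambda e: (criticality(e), e.safety, e.privacy)
    return [e.name for e in sorted(inventory.values(), key=key, reverse=True)]
```

Running `compromise_impact(INVENTORY, "interface-engine")` shows that the interface engine, although it ranks low on safety by itself, sits upstream of the pump gateway and therefore of the infusion pump, which is why middleware has to be mapped before its controls are chosen.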
As IoMT technology improves the efficiency of patient care, smart medical devices that communicate over a hospital’s internal network will become more prevalent. Securing all of the medical devices using traditional IT or even generic IoT cybersecurity approaches isn’t good enough. Security professionals need to take into account the medical context of the device communications, including the role of the devices in the medical workflows, to apply the necessary controls to ensure patient safety and protect sensitive data.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.