Back to Hub

Healthcare’s Internet of Medical Things (IoMT) Has Security Challenges, Forum Warns

10/17/2018 By

“Healthcare” and “cybersecurity” don’t seem like they go together, but a security forum this week highlighted how the move to electronic health records and the growing use of connected medical devices — the Internet of Medical Things (IoMT) — makes hospitals and patients vulnerable.

Discussions at the Healthcare Information and Management Systems Society (HIMSS) forum in Boston showed that while it’s clear that hospitals know they’re targets, they may not understand the scope of the danger or the potential cost of even minor disruptions.

The event attracted a diverse audience — with IT, finance and supply chain executives mingling with network security professionals. So hospitals are viewing security in a cross-functional way, and that’s a positive development.

With that in mind, here’s a summary of the discussions and important themes from this year’s event:

  • While the Cisco’s of the world (Juniper, Alcatel-Lucent, Aruba, etc.) continue to improve their core and perimeter network analysis and reporting capabilities, security remains a relative afterthought. In other words, not only are their solutions “light,” relative to the current state of the art, but they do not address the nuances of healthcare.
  • The event’s speakers were emphatic about one theme: Providers are not ready for what’s coming. For example, known ransomware attacks such as WannaCry and Petya were crude but managed to wreak havoc.
  • While providers now understand the legal and financial implications of stolen patient healthcare information (PHI), many still don’t appreciate the associated danger to patients. When experts pointed out that “if they can steal PHI, then they can also modify it,” the groans from the audience were audible.
  • The lack of connected medical device security may well be the industry’s most talked about vulnerability. In light of the increasingly fragmented nature of care networks, wired and wireless medical device security is becoming a hot, if not emotional, topic. The idea that a bad actor might take control of a device connected to a patient is nothing short of frightening.

Stories about security challenges and IoMT dominated numerous discussions. Three examples:

  • The first incident involved newly delivered patient monitors. Immediately after their installation on a hospital’s network, they began spreading malware. It was determined that the monitors arrived “infected” from the factory. The problem was detected during a proof-of-concept exploring a connected medical device security solution from an Israeli-based security company called Medigate.
  • In a second example, Medigate sales executive Paul Goldweitz described how its solution revealed rogue traffic between devices that shouldn’t have been talking to each other. “CT scanners were discovered to be communicating with incubators,” Goldweitz said. “When we see this kind of traffic during a proof-of-concept, we know we’re witnessing a live attack.”
  • A security consultant described yet a third incident that ultimately cost a hospital well over $2 million. This was a case of malware that found its way from a staff member’s laptop onto a device that, in turn, was transmitting data to the hospital’s electronic health records (EHR) system. When the hospital’s network administrator saw something was wrong, he shut down the network. Unfortunately, it took two weeks to determine the culprit. During that period, the hospital was forced to revert to paper record-keeping and the use of portable flash drives (eventually running out of both). In addition to the loss of its cash flow because it couldn’t send invoices for the better part of a month, numerous IT projects came to a halt. A costly patient medical record audit was ordered.

In addition to the more specialized security companies like Medigate (e.g., Esentire, Gigamon and Maize also come to mind), IBM seems to be making an aggressive play. While noting that criminal attacks on healthcare organizations have more than doubled since 2010, IBM talked about the “bring your own device” (BYOD) phenomenon, as well as, public cloud adoption. Obviously, the pervasiveness of network connectivity and the increasing amount of sensitive information that is now held on networked and distributed systems was cited as “widening the array of entry points” for hackers.

IBM’s strategy is to coordinate best-in-class, specialized solution providers. In a direct nod to Medigate, IBM talked about how unauthenticated and unencrypted communication among medical devices is creating vulnerabilities, ultimately posing unimaginable threats to patients.

Overall, the messages from speakers at the forum and attendees indicate that hospitals would be well-served to update their approach to network/data security. Hospitals don’t have their heads in the sand, but their competing initiatives need to be streamlined and their budgets could reflect the sense of urgency that’s required. The speakers were unified in their belief that providers are not ready for what’s coming.

Potential new system integrations — like asset tracking, peripheral security and core management platforms — are aggressively being explored. A growing awareness to the vulnerabilities posed by connected medical devices and the total cost of disruptions were clearly hot topics of interest. Several attendees indicated that the device manufacturers have a role to play in increasing security, but the attendees weren’t waiting around for the makers to offer a comprehensive solution.