When you step back and consider the patient journey in today’s healthcare environments, vulnerable clinical use assets are everywhere. Starting in admissions, patients encounter everything from check-in kiosks and tablets to copiers and scanners to security cameras.
During treatment, the vulnerable connected assets can range from CT/MRI scanners and wireless patient monitors to the pneumatic tube systems used in lab specimen transport, and even building management systems regulating operating room environments.
During post-treatment care, all kinds of smart devices, including virtual assistants and TVs, come into play. Advances in patient care innovation have also extended the asset ecosystem beyond facilities to include things like remote wellness and chronic disease monitoring devices.
A multilayered security challenge
It is indisputable that connected medical devices and IoMT, IoT, and other smart assets are essential to improving and innovating patient care, but they also pose security risks and management challenges on multiple levels.
- Lack of visibility and inventory capabilities – All security frameworks and programs begin with the foundational requirement of a complete asset inventory. The challenge with medical device security is that security teams are typically focused on the traditional enterprise assets they know. Traditional security controls, such as asset inventory agents or network discovery scans, either don’t work on unmanaged devices or may miss transient devices. And if you don’t know everything that is on your network, how can you secure it?
- Inherent security control limitations – Beyond asset visibility, each medical device also has its own inherent security challenges. Whether they’re running a proprietary OS and can’t take agents, or they are vendor certified and cannot install Windows patches, the options for securing clinical assets at the device level are often limited. So how can your organization secure these vulnerable devices against an ever-growing threat landscape?
- Contextualized clinical and device risk – Add in the critical nature of these devices and you’ll find healthcare has specialized risk assessment requirements, namely factoring the clinical context of devices into a traditional security assessment approach. Beyond technical CVEs, it’s important to know how the clinical context and behaviors of a device elevate its risk compared to other assets.
Reasons for prioritizing security
The problem is that inconsistent medical, IoMT, and IoT asset security makes healthcare delivery organizations ideal targets for attackers. Here’s why complete cyber asset visibility needs to be a top priority.
- At least 50 percent of devices in most healthcare delivery organizations are unmanaged or IoT assets that don’t support security agents.
- Upwards of 63 percent of organizations dealt with one or more security incidents related to unmanaged and IoT devices.
- Attackers covet medical records because they contain a wealth of information for identity theft. More than 40 million patient records were compromised in 2021 alone.
- Ransomware remains pervasive in healthcare, jeopardizing patient care while potentially costing hospitals millions in payouts and reputational damage.
- Cyber physical attacks on things like smart uninterruptible power supplies (UPS) and building management system devices pose risks to patients and facilities.
And without the ability to fully visualize the asset landscape and identify and respond to emerging risks and threats in real time, the patient journey is full of critical vulnerabilities.
(The author is the Field Chief Technology Officer, Healthcare, Armis, based out of the United States, and the views expressed here are his own.)