The healthcare industry is one of the largest adopters of “Internet of Things” (IoT) technology, using internet-enabled devices to monitor patient health, dispense lifesaving medication, perform medical procedures, and more. Some examples of IoT devices used in healthcare include insulin pumps, pacemakers, heart rate monitors, and intracardiac defibrillators. These devices allow healthcare teams to provide advanced care in bustling urban centers as well as remote or rural areas where frequent in-person visits are impossible.
However, these devices often run outdated software due to the difficulty of patch management and the time-intensive nature of updates, which end up getting bumped from the schedules of busy metropolitan teams. In addition, healthcare organizations and patients alike often sacrifice security hygiene for convenience, increasing the likelihood of stolen credentials and compromised devices. Plus, since these devices often operate in patient homes and other locations outside the organization’s network, security teams may not even know if an IoT device is stolen or compromised until it’s too late.
Many cybercriminals target IoT medical devices to harvest sensitive health data, but in the process could cause a pacemaker to crash and severely injure the patient. To address the growing threat of ransomware and other cyberattacks on patient health devices, the FDA recently issued a set of guidelines for securing medical devices. In this post, we’ll discuss the factors that make medical devices a cybersecurity risk before providing mitigation strategies to help healthcare organizations meet FDA requirements.
| Table of Contents: |
What makes medical devices a cybersecurity risk?
Every internet-enabled device expands an organization’s attack surface, giving cybercriminals something new to compromise and gain access to data and other resources. Medical devices are particularly risky for three reasons.
- Outdated software – It’s difficult to update software on remote, wearable, or implanted medical devices without causing a (potentially dangerous) disruption to the patient. A recent FBI report showed that 53% of IoT medical devices had known, unpatched vulnerabilities in their software, making them more susceptible to cyberattacks.
- Poor security hygiene – Teams often deploy medical devices with easy, insecure passwords for ease of use. While this may make operating and troubleshooting these devices easier for busy healthcare practitioners, it also significantly increases the cybersecurity risk.
- Inadequate monitoring – Once medical devices leave the central network, it can be difficult for admins to monitor software versioning, account activity, device location, and other critical security metrics. That means they may not be aware of breaches or failures that put patient health at risk.
Medical device cybersecurity risk mitigation strategies
Due to the increased frequency of attacks and the potential to cause patient harm, the FDA released guidance earlier this year to address medical device cybersecurity risks. For the FDA to consider a medical device “secure,” there must be plans and processes in place to monitor, identify, and patch vulnerabilities, both on a routine schedule and as soon as possible in response to specific threats. There are also additional requirements to demonstrate that reasonable security measures are in place, including strong authentication.
This guidance is intentionally broad, giving general rules without detailing exactly how to achieve compliance. Let’s discuss three specific risk mitigation strategies that address the above mentioned risk factors and meet FDA guidelines.
Automated patch management
Medical device manufacturers and service providers must continuously monitor for vulnerabilities and release software patches on a regular schedule to comply with the FDA’s ruling. Automated monitoring, configuration management, and software delivery tools can all help teams stay on top of demanding patch schedules. On the consumer side, healthcare teams can use automated patch management solutions to ensure updates are installed as soon as they’re available, reducing manual workloads and improving device security.
- Find more guidance on how to build an automated infrastructure patching defense.
Zero trust security
Zero trust security is a methodology that involves applying highly specific security policies and building checkpoints of security controls around individual network resources. Zero trust requires strong passwords and uses technology like multi-factor authentication (MFA) to prevent compromised accounts from accessing devices or data. Zero trust is difficult to achieve, and it can be challenging to get overworked healthcare providers or elderly patients to follow stricter password guidelines, but it’s quickly becoming standard practice for new medical devices and cloud services. Teams can help smooth the transition by providing additional training and support when deploying new healthcare technology.
- Learn more about removing IoT from your attack surface.
Vendor-neutral monitoring
Administrators need to track device metrics to ensure the equipment functions correctly and identify any signs of compromise. Often, devices come with software monitoring solutions that are specific to a particular vendor, but most healthcare teams deploy a wide variety of equipment from multiple vendors. As a result, admins must log in to several different dashboards, all of which provide varying degrees of coverage and granularity. A vendor-neutral monitoring platform can unify all these disparate systems, making it easier to track device health and spot potential problems.
- Learn more about automating patches and other tasks with an IoT device management system.
Medical device security, recovery, and resilience
Medical devices pose a significant cybersecurity risk, and the consequences of successful breaches could be deadly. The FDA urges medical device providers to follow guidelines for vulnerability monitoring, patch management, and overall cybersecurity. In addition, healthcare organizations can use automated patch management, zero trust security, and vendor-neutral monitoring platforms to improve their security posture.
It’s also vital that organizations have a plan for how to recover remote medical devices that are compromised by ransomware or other cyberattacks. The faster teams can restore, rebuild, or replace the device, the better the patient’s health outcomes. This combination of security and recovery planning makes healthcare networks more resilient to cyberattacks and failures.
For example, the Nodegrid platform from ZPE Systems allows healthcare teams to deploy automation, zero trust security, monitoring, recovery tools, and more from one unified system. Nodegrid’s out-of-band management solutions can also be used to build an isolated recovery environment where teams can rebuild and restore compromised systems with the risk of reinfection.
To learn more about recovering from ransomware and other medical device cybersecurity risks, download our whitepaper, 3 Steps to Ransomware Recovery.
Learn more about recovering from ransomware and other medical device cybersecurity risks!
Nodegrid allows healthcare teams to deploy automation, zero trust security, monitoring, recovery tools, and more from one unified system.