Article by: Oscar Miranda, Field Chief Technology Officer, Healthcare, Armis
When you step back and consider the patient journey in today’s healthcare environments, vulnerable clinical-use assets are everywhere. Starting in admissions, patients encounter everything from check-in kiosks and tablets to copiers and scanners to security cameras. During treatment, the vulnerable connected assets can range from CT/MRI scanners and wireless patient monitors to the pneumatic tube systems used in lab specimen transport, and even building management systems regulating operating room environments. During post-treatment care, all kinds of smart devices, including virtual assistants and TVs, come into play. Advances in patient care innovation have also extended the asset ecosystem beyond facilities to include things like remote wellness and chronic disease monitoring devices.
A multilayered security challenge
It’s indisputable that connected medical devices and IoMT, IoT, and other smart assets are essential to improving and innovating patient care, but they also pose security risks and management challenges on multiple levels.
Lack of visibility and inventory capabilities – All security frameworks and programs begin with the foundational requirement of a complete asset inventory. The challenge with medical device security is that security teams are typically focused on the traditional enterprise assets they know. Traditional security controls, such as asset inventory agents or network discovery scans, either don’t work on unmanaged devices or may miss transient devices. And if you don’t know everything that is on your network, how can you secure it?
Inherent security control limitations – Beyond asset visibility, each medical device also has its own inherent security challenges. Whether they’re running a proprietary OS and can’t take agents, or they are vendor certified and cannot install Windows patches, the options for securing clinical assets at the device level are often limited. So how can your organisation secure these vulnerable devices against an ever-growing threat landscape?
Contextualised clinical and device risk – Add in the critical nature of these devices and you’ll find healthcare has specialised risk assessment requirements; namely, factoring the clinical context of devices into a traditional security assessment approach. Beyond technical CVEs, it’s important to know how the clinical context and behaviours of a device elevate its risk compared to other assets.
5 reasons for prioritising IoMT and cyber asset visibility and security
The problem is that inconsistent medical, IoMT, and IoT asset security makes healthcare delivery organisations ideal targets for attackers. And without the ability to fully visualise the asset landscape and identify and respond to emerging risks and threats in real time, the patient journey is full of critical vulnerabilities. Here’s why complete cyber asset visibility needs to be a top priority.
At least 50 percent of devices in most healthcare delivery organisations are unmanaged or IoT assets that don’t support security agents.
Upwards of 63 percent of organisations dealt with one or more security incidents related to unmanaged and IoT devices.
Attackers covet medical records because they contain a wealth of information for identity theft. More than 40 million patient records were compromised in 2021 alone.
Ransomware remains pervasive in healthcare, jeopardising patient care while potentially costing hospitals millions in payouts and reputational damage.
Cyber physical attacks on things like smart uninterruptible power supplies (UPS) and building management system devices pose risks to patients and facilities.