The healthcare industry has gone through a dramatic technological transformation during the past two years. Internet-connected devices, collectively known as the Internet of Medical Things, or IoMT, have become ubiquitous in the healthcare industry and play a significant role in patient care.
However, despite the advantages IoMT has created for the industry, it has also introduced significant risk, threatening healthcare companies and even their patients. Identifying and protecting these connected devices through robust machine identity management is an essential part of a strong healthcare cybersecurity strategy.
The healthcare industry has been leveraging IoT devices for years, steadily increasing its use in facilities and patient care. The use of IoT devices and digitalization has been further accelerated by the pandemic, where the need for telemedicine and remote care became a necessity. By 2027, the IoT in Healthcare market is expected to reach $290 billion, up from just $60 billion in 2019.
Applications like personal healthcare, biosensors, smart beds, smart pills, the health insurance industry, robotics, and other specializations are only expanding the scope of IoMT. The key advantages of having IoT in healthcare include:
Besides all the benefits IoMT devices provide, they have also introduced new risks to healthcare organizations that haven’t previously been a security priority. These new risks have created a dangerous security gap—new technology is introducing new risks and a larger attack surface.
Healthcare IoT adds a specific risk because it’s connected to your network, meaning it’s susceptible to MitM attacks, or other intercepting attacks. Due to the nature of these devices, the lack of security is often the result of weak design by the device manufacturer. These devices, if left unsecured, can expose an organization to several different risks and potential compromises.
In November 2021, the Cybersecurity and Infrastructure Agency (CISA) and Philips issued advisories pertaining to several security vulnerabilities identified in certain patient monitoring and medical device interface products from the manufacturer. CISA noted that the vulnerabilities are exploitable from an adjacent network with low attack complexity. Exploitation could allow attackers to access patient data, launch denial of service attacks and more.
Many legacy IoT devices have poor security settings, and some healthcare departments let these vulnerabilities slip by not segmenting network access or not changing default passwords, which are common among many IoT devices, and are very easy to find. This can lead to cyberattacks in hospitals or other targeted healthcare attacks.
For example, in October 2020, CISA, FBI, and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory which described the tactics used by cybercriminals against targets in the healthcare sector to infect systems with ransomware for financial gain. Another alert by CISA has warned about critical vulnerabilities in Siemens software that could potentially impact millions of medical devices from multiple manufacturers. Anesthesia machines, ventilators and patient monitors were among the medical devices possibly impacted.
The use of internet connected medical devices can be incredibly scary if the right security isn’t put in place. An article by the Indianapolis Business Journal highlighted the various recalls and alerts that were published by the FDA due to concerns over hackable pacemakers. IoT Business News has also published a list of four types of medical devices that are susceptible to hacking which include: wireless infusion pumps, implanted devices, smartpens, and vital sign monitors.
Beyond the risk posed to individuals, these devices can also be used to infiltrate an organization’s network which can lead to worse compromises and breach incidents. Attackers can access sensitive files, patient records, health records, or disrupt critical facilities ability to function via ransomware attacks. Compromised devices can be leveraged as part of a botnet or can contribute to a DDoS attack which can further hinder an organization.
Securing and protecting your healthcare organization against the risks of IoT devices requires a mix of fundamental cybersecurity practices and targeted efforts. These include:
Machine identities are the foundation of a comprehensive IoMT security program. They serve to identify and authenticate the various connected devices to the organization’s network. Using unique machine identities for every connected device, healthcare entities can validate the authenticity of the device and ensure the integrity of its communications with other medical devices.
To reap the benefits of machine identities, the respective private keys must be protected. Using a Hardware Security Module (HSM) is the best way to provide hardware-based security of the secret private keys. If the private key is compromised, they whole machine identities’ structure falls apart like a castle in the sand.
In addition to having secure and robust machine identities, healthcare organizations need to validate the authenticity and integrity of the software running in the IoMT connected devices. Code signing processes verify a software component is valid and authenticates the identity of the developer. Code signing also demonstrates that the code has not changed or has been tampered with since it was released.
Secure IoT firmware and authenticated devices offer benefits that extend to the entire healthcare ecosystem. Hospitals, doctors, caregivers, and patients can communicate securely with the protected device and with each other.
However, to take advantage of these benefits, healthcare organizations need to invest in a centralized and automated identity management solution for all their keys and certificates. As the lifecycle of IoT devices extends beyond the lifecycle of certificates and cryptographic algorithms, it is important to establish policies and automated procedures to renew, replace and revoke credentials.
Venafi Trust Protection Platform is the solution that will allow healthcare organizations to reap the benefits of IoT devices while protecting TLS keys and certificates, SSH keys, and code signing keys across the enterprise. The Trust Protection Platform powers enterprise solutions that give you the visibility, intelligence, and automation to protect machine identities throughout your organization. To learn more, contact one of our experts.