The healthcare industry has gone through a dramatic technological transformation during the past two years. Internet-connected devices, collectively known as the Internet of Medical Things, or IoMT, have become ubiquitous in the healthcare industry and play a significant role in patient care and shine a spotlight on the need for identity management in healthcare.
However, despite the advantages IoMT has created for the industry, it has also introduced significant risk, threatening healthcare companies and even their patients. Identifying and protecting these connected devices through robust machine identity management is an essential part of a strong healthcare cybersecurity strategy.
IoT for healthcare: The rise of IoMT
The healthcare industry has witnessed significant advancements in Identity and Access Management (IAM) as it seeks to secure patient profile information, streamline user access rights, and enhance identity governance. IAM solutions play a crucial role in protecting sensitive healthcare data within the system and validating individuals' roles to ensure appropriate access. This is particularly important in an era where the industry is increasingly leveraging IoT devices, digitalization, and telemedicine. As the adoption of IoT in healthcare continues to grow, with the market expected to reach $290 billion by 2027, healthcare organizations must also address the new security risks associated with these technologies. The convergence of IoT and healthcare introduces a larger attack surface and necessitates a proactive approach to ensure data privacy and security.
Applications like personal healthcare, biosensors, smart beds, smart pills, the health insurance industry, robotics, and other specializations are only expanding the scope of IoMT. The key advantages of having IoT in healthcare include:
- Medical mobility: IoT helps in tracking and getting alerts when any critical change in a patient's parameter occurs, aiding in locating and providing direct assistance in real-time.
- Patient data processing: Coupled with ML, IoMT can excessively reduce the effort of processing vast amounts of medical information to a few minutes, additionally offering possible treatment options.
- Enhanced preventive medicine: A better understanding of conditions helps healthcare practitioners provide timely diagnosis without waiting for obvious symptoms.
- Medical apps for monitoring critical health issues: These apps aid healthcare professionals in finding out whether the patient has taken the prescribed medication. Therapists can also leverage the call functionality of the app and call the patient if necessary.
Besides all the benefits IoMT devices provide, they have also introduced new risks to healthcare organizations that haven’t previously been a security priority. These new risks have created a dangerous security gap—new technology is introducing new risks and a larger attack surface.
The risks of IoMT devices in healthcare organizations
Healthcare IoT adds a specific risk because it’s connected to your network, meaning it’s susceptible to MitM attacks, or other intercepting attacks. Due to the nature of these devices, the lack of security is often the result of weak design by the device manufacturer. These devices, if left unsecured, can expose an organization to several different risks and potential compromises.
In November 2021, the Cybersecurity and Infrastructure Agency (CISA) and Philips issued advisories pertaining to several security vulnerabilities identified in certain patient monitoring and medical device interface products from the manufacturer. CISA noted that the vulnerabilities are exploitable from an adjacent network with low attack complexity. Exploitation could allow attackers to access patient data, launch denial of service attacks and more.
Many legacy IoT devices have poor security settings, and some healthcare departments let these vulnerabilities slip by not segmenting network access or not changing default passwords, which are common among many IoT devices, and are very easy to find. This can lead to cyberattacks in hospitals or other targeted healthcare attacks.
For example, in October 2020, CISA, FBI, and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory which described the tactics used by cybercriminals against targets in the healthcare sector to infect systems with ransomware for financial gain. Another alert by CISA has warned about critical vulnerabilities in Siemens software that could potentially impact millions of medical devices from multiple manufacturers. Anesthesia machines, ventilators and patient monitors were among the medical devices possibly impacted.
The use of internet connected medical devices can be incredibly scary if the right security isn’t put in place. An article by the Indianapolis Business Journal highlighted the various recalls and alerts that were published by the FDA due to concerns over hackable pacemakers. IoT Business News has also published a list of four types of medical devices that are susceptible to hacking which include: wireless infusion pumps, implanted devices, smartpens, and vital sign monitors.
Beyond the risk posed to individuals, these devices can also be used to infiltrate an organization’s network which can lead to worse compromises and breach incidents. Attackers can access sensitive files, patient records, health records, or disrupt critical facilities ability to function via ransomware attacks. Compromised devices can be leveraged as part of a botnet or can contribute to a DDoS attack which can further hinder an organization.
How to secure IoMT devices for healthcare IoT
Securing and protecting your healthcare organization against the risks of IoT devices requires a mix of fundamental cybersecurity practices and targeted efforts. These include:
- Ensure you have clear asset visibility and inventory.
- Change all default passwords.
- Maintain a regular patch management process.
- Segment the organization’s network to limit the potential of an attacker.
- Use monitoring tools to detect unusual behavior
How an effective machine identity management in healthcare can help reduce IoMT risks
Machine identities are the foundation of a comprehensive IoMT security program. They serve to identify and authenticate the various connected devices to the organization’s network. Using unique machine identities for every connected device, healthcare entities can validate the authenticity of the device and ensure the integrity of its communications with other medical devices.
To reap the benefits of machine identities, the respective private keys must be protected. Using a Hardware Security Module (HSM) is the best way to provide hardware-based security of the secret private keys. If the private key is compromised, the whole machine identities’ structure falls apart like a castle in the sand.
In addition to having secure and robust machine identities, healthcare organizations need to validate the authenticity and integrity of the software running in the IoMT connected devices. Code signing processes verify a software component is valid and authenticates the identity of the developer. Code signing also demonstrates that the code has not changed or has been tampered with since it was released.
Secure IoT firmware and authenticated devices offer benefits that extend to the entire healthcare ecosystem. Hospitals, doctors, caregivers, and patients can communicate securely with the protected device and with each other.
However, to take advantage of these benefits, healthcare organizations need to invest in a centralized and automated identity management solution for all their keys and certificates. As the lifecycle of IoT devices extends beyond the lifecycle of certificates and cryptographic algorithms, it is important to establish policies and automated procedures to renew, replace and revoke credentials.
Venafi Trust Protection Platform is the solution that will allow healthcare organizations to reap the benefits of IoT devices while protecting TLS keys and certificates, SSH keys, and code signing keys across the enterprise. The Trust Protection Platform powers enterprise solutions that give you the visibility, intelligence, and automation to protect machine identities throughout your organization. To learn more, contact one of our experts.