Navigating the Complexities of IoT Cybersecurity in Healthcare: Protecting Connected Medical Devices and Patient Data

The Rise of IoT and IoMT in Healthcare

The healthcare industry has embraced the operational and efficiency benefits of digital transformation, with the increased adoption of connected devices revolutionizing patient care. The average hospital now boasts 10 to 15 connected medical devices per bed, not including communication systems, security, HVAC, and personal devices. This proliferation of Internet of Things (IoT) and Internet of Medical Things (IoMT) technologies has unlocked new possibilities in patient monitoring, remote care, and streamlined processes. However, this connectivity also introduces significant cybersecurity risks that healthcare organizations must navigate.

As the attack surface expands with each new connected device, cybercriminals are seizing the opportunity to target vulnerable systems and exploit sensitive patient data. Recent studies have found that 385 million patient records were exposed between 2010 and 2022, with the incident rate continuing to rise. Unauthorized access to connected medical devices can have severe consequences, compromising patient safety, disrupting critical operations, and violating data privacy regulations.

To safeguard their systems and protect patient well-being, healthcare organizations must adopt a proactive, multilayered approach to IoT and IoMT cybersecurity. This article will explore the key challenges, effective solutions, and areas for improvement in navigating the complexities of cybersecurity in the healthcare industry.

Navigating the Cybersecurity Challenges of Connected Healthcare

Securing the Remote Work Environment

The COVID-19 pandemic has amplified the healthcare sector’s reliance on remote work and telehealth technologies, exponentially expanding the attack surface. Healthcare staff, often with limited prior experience in remote work, have had to adapt quickly to using enterprise remote desktop protocols, virtual private networks (VPNs), and various IoT devices to access internal networks. This shift has introduced new vulnerabilities that cybercriminals are eager to exploit, such as remote desktop protocol security issues and VPN client-side vulnerabilities.

“As remote working is now an integral element of healthcare service delivery, health staff are relying on enterprise remote desktop protocols and virtual private networks (VPN) to access internal networks. However, these come with certain risks that adversaries are looking to exploit,” explains Cunjin Luo, a cybersecurity expert.

Managing the Risks of Endpoint Devices

The increased use of endpoint devices, such as patient monitoring equipment, wireless sensors, and personal devices, has further compounded the cybersecurity challenges faced by healthcare organizations. Many of these devices are unpatched, outdated, or lack robust built-in security measures, making them prime targets for malicious actors. The rapid procurement of IoT devices during the pandemic, often without thorough security assessments, has exacerbated this risk.

“A number of endpoint devices, which comprise various patient-monitoring equipment that either connects to the internet or legacy-dispersed networks, are often unpatched,” Luo adds. “This risk further increased during the pandemic as a result of organizations competing to procure IoT devices, which resulted in more employees than before using personal devices to perform work from home.”

Addressing the Human Element of Cybersecurity

One of the most significant challenges in healthcare cybersecurity is the human factor. Studies have shown that the majority of information security incidents are related to human error, with healthcare staff making mistakes due to stress, distractions, and limited cybersecurity awareness, particularly in the context of the pandemic.

“There is a tendency for human error when staff are busy focusing on saving lives and adjusting to new work environments and technologies. With sudden changes in working practices, being under stress for an extended period of time makes employees vulnerable to falling into malicious trickery and making mistakes,” Luo explains.

Phishing campaigns and ransomware attacks have exploited the healthcare sector’s vulnerabilities, with attackers leveraging staff’s anxieties and lack of cybersecurity training during the COVID-19 crisis.

Ensuring Robust Business Continuity and Incident Response

The healthcare industry’s dependence on connected medical devices and real-time data access has made it a prime target for disruptive cyberattacks, such as distributed denial-of-service (DDoS) attacks and ransomware. These attacks can cripple critical systems, compromising patient care and jeopardizing the continuity of essential services.

Luo emphasizes the importance of comprehensive incident response and recovery plans, stating, “Current health care cyber defense response is often reactive and undertaken after malicious attacks, lacking a coordinated incident response capacity to counteract constantly emerging and evolving malware threats.”

Furthermore, the complexity of healthcare supply chains and the reliance on third-party vendors introduce additional vulnerabilities that can be exploited by cybercriminals, underscoring the need for a holistic approach to cybersecurity.

Implementing Effective IoT and IoMT Cybersecurity Solutions

To address the multifaceted cybersecurity challenges faced by the healthcare industry, a comprehensive and proactive approach is required. Healthcare organizations are leveraging a range of solutions to enhance their cybersecurity posture and protect connected devices and patient data.

Securing Remote Work Environments

Recognizing the risks associated with remote work, healthcare organizations are implementing various security measures to safeguard their networks and devices. These include the use of multifactor authentication, continuous monitoring of remote access infrastructure, and the deployment of attack surface reduction rules to limit the attack vectors.

“Existing solutions include the use of multifactor authentication and the monitoring of the log activity of user accounts and revoking account access if no longer needed,” Luo explains. “Health organizations such as those in the United Kingdom have also started using services to monitor their remote access infrastructure constantly and to investigate anomalies.”
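The account-activity review described above, sketched as an added example that is not part of the original article: it reads remote-access authentication events, lists accounts with no successful login inside an idle window as candidates for revocation, and lists accounts that logged in without MFA. The log format, field names, account names and the 90-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of remote-access (VPN/RDP gateway) auth events.
# Assumed format: "<ISO timestamp> user=<name> result=<ok|fail> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=nurse.a result=ok mfa=yes
2024-03-01T08:05:40 user=locum.b result=ok mfa=no
2023-11-12T17:30:00 user=contractor.c result=ok mfa=yes
2024-03-02T02:14:09 user=contractor.c result=fail mfa=no
2024-03-02T09:00:00 user=nurse.a result=ok mfa=yes
"""

def parse_line(line):
    """Return (timestamp, fields) for one event, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
    except ValueError:
        return None
    if not {"user", "result", "mfa"} <= fields.keys():
        return None
    return ts, fields

def review_accounts(log_text, now, max_idle_days=90):
    """Flag accounts idle past the threshold and successful logins without MFA."""
    last_ok, no_mfa = {}, set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the review
        ts, f = parsed
        if f["result"] != "ok":
            continue  # failed attempts do not count as legitimate account use
        last_ok[f["user"]] = max(ts, last_ok.get(f["user"], ts))
        if f["mfa"] != "yes":
            no_mfa.add(f["user"])
    cutoff = now - timedelta(days=max_idle_days)
    stale = sorted(u for u, ts in last_ok.items() if ts < cutoff)
    return {"revoke_candidates": stale, "logins_without_mfa": sorted(no_mfa)}

if __name__ == "__main__":
    print(review_accounts(SAMPLE_LOG, now=datetime(2024, 3, 3)))
```

Accounts that never appear in the log are not covered here; finding those requires comparing against the directory's full account list.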

Strengthening Endpoint Security

To address the vulnerabilities of connected medical devices and IoT endpoints, healthcare organizations are leveraging security solutions that provide real-time visibility, risk assessment, and threat detection capabilities. These solutions help identify, classify, and prioritize the remediation of vulnerabilities across the entire device ecosystem.

“The National Institute of Standards and Technology (NIST) has recently released a draft security guide and recommendations for managing the security of IoT devices, but it is unclear whether it will be enforced across the health sector,” Luo notes. “Existing solutions include the use of multifactor authentication and the monitoring of the log activity of user accounts and revoking account access if no longer needed.”

Fostering a Culture of Cybersecurity Awareness

Recognizing the critical role of the human element in cybersecurity, healthcare organizations are investing in comprehensive training and awareness programs for their staff. These initiatives aim to educate employees on the latest threats, instill a security-conscious mindset, and empower them to identify and report suspicious activities.

“Health care organizations already have cybersecurity programs in place to increase levels of security awareness,” Luo states. “Existing solutions include the use of cybersecurity training programs and cybersecurity awareness campaigns, where the IT department sends out fake phishing emails to their staff and provides further training to those who fail to identify these emails.”

Strengthening Business Continuity and Incident Response

To ensure the resilience of their operations and patient care, healthcare organizations are implementing robust business continuity plans and streamlining their incident response capabilities. This includes measures such as regular data backups, the deployment of intrusion detection and prevention systems, and the adoption of security risk assessment frameworks.

“The health sector already has business continuity solutions in place such as data backups and intrusion detection and prevention systems,” Luo explains. “NHS trusts have been asked to follow and meet the Cyber Essentials and government standards. NHS Digital has launched a Data Security and Protection Toolkit, a self-assessment tool for organizations that need to access NHS patient information and systems.”

Addressing the Gaps: Towards Comprehensive IoT and IoMT Cybersecurity

While healthcare organizations have made significant strides in enhancing their cybersecurity posture, there are still areas that require further improvement to fully address the complexities of IoT and IoMT security.

Strengthening Coordinated Incident Response and Threat Intelligence Sharing

One key area for improvement is the development of a more coordinated and proactive incident response framework. Currently, the healthcare sector’s cyber defense response is often reactive, with a lack of capacity to rapidly detect, respond to, and recover from emerging and evolving threats.

“Existing research shows that the key security risks challenging business continuity are vendor dependence, inappropriate encryption configurations, and the inability to handle health information sharing and exchange with third-party and cross-border partners,” Luo notes. “Risks will continue to grow if cybersecurity is not integrated into the project life cycle from the beginning.”

To address this, healthcare organizations could benefit from establishing international partnerships and workforce collaborations to facilitate threat reporting and the exchange of cyber threat intelligence. This would enable a more coordinated and informed approach to combating pandemic-themed cyber threats.

Adopting a Holistic Approach to Cybersecurity Risk Management

Another area for improvement is the need for a more comprehensive and strategic approach to cybersecurity risk management within the healthcare sector. Many organizations still struggle to translate the potential impact of cyber threats into actionable risk assessments and resource allocation decisions.

“There is a lack of understanding of security risks and their impact on organization-wide risk management, such as impacts on patient care and clinical outcomes,” Luo explains. “The health sector lacks a matrix that can translate the strategic improvement needs of a health care system into prioritized information/cyber improvement needs.”

By fostering a better understanding of the business impact of cyber threats among executive leadership, healthcare organizations can make more informed decisions about cybersecurity investments and resource allocation, ultimately enhancing their overall resilience.

Addressing the Human Factor through Proactive Approaches

As the human element continues to be a significant vulnerability in healthcare cybersecurity, a more proactive and comprehensive approach to addressing this challenge is crucial. While training and awareness campaigns are essential, healthcare organizations should also explore root cause analysis techniques and human error-focused analytical frameworks to better understand and mitigate the sources of unintentional security incidents.

“There is a tendency for human error when staff are busy focusing on saving lives and adjusting to new work environments and technologies. With sudden changes in working practices, being under stress for an extended period of time makes employees vulnerable to falling into malicious trickery and making mistakes,” Luo emphasizes.

By adopting a non-blaming, proactive culture and leveraging human factors analysis tools, healthcare organizations can better identify and address the underlying causes of human-related security incidents, ultimately strengthening their overall cybersecurity posture.

Conclusion: Navigating the Complexities, Ensuring Patient Safety

The rapid adoption of IoT and IoMT technologies in healthcare has unlocked significant benefits, but it has also introduced complex cybersecurity challenges that must be navigated with vigilance. From securing remote work environments and managing endpoint device risks to addressing the human element and strengthening business continuity, healthcare organizations face a multifaceted battle to protect connected medical devices and safeguard patient data.

By implementing a comprehensive, multilayered cybersecurity strategy, healthcare providers can mitigate the risks associated with this digital transformation, ensuring the continued delivery of high-quality, reliable, and secure patient care. As the threat landscape continues to evolve, a proactive, collaborative, and holistic approach to IoT and IoMT cybersecurity will be the key to safeguarding the healthcare industry’s vital role in promoting the well-being of individuals and communities.
