What Is IoMT security? | Palo Alto Networks

IoMT security is the combined set of cybersecurity defense mechanisms and strategy that protects Internet of Medical Things (IoMT) devices, meaning medical devices connected to a healthcare network, against cyberattacks. IoMT security is also sometimes referred to as medical IoT security.

Internet of Things

The Internet of Things (IoT) can have a variety of meanings in different industries. Any internet-connected device with the ability to collect, transfer, and analyze data over a network is a “thing” in the IoT ecosystem.

IoMT Devices

In the healthcare industry, any medical device that connects to a healthcare provider’s network is classified as a “medical IoT device,” a “connected medical device,” a “connected clinical device,” or an IoMT device. With functions from monitoring heart rates to taking temperatures, there is a wide array of IoMT devices, including:

  • Medical imaging systems
  • Smart thermometers
  • Infusion pumps
  • Medical device gateways
  • Biosensors packaged into wearables (for use in apparel or implanted inside the human body)

IoMT Adoption Is Accelerating

  • The global Internet of Things in healthcare market was valued at $113.75 billion in 2019 and is expected to reach $332.67 billion by 2027, registering a CAGR of 13.20% from 2020 to 2027 [1].

IoMT adoption is accelerating as connected devices have become prevalent in healthcare. As IoMT technology evolves, it will continue extending beyond the walls of clinics and hospitals.

The healthcare industry’s digitalization journey is progressing, further accelerated by the COVID-19 pandemic. Healthcare providers, medical device manufacturers, and hospital systems alike are recognizing the crucial role of connected medical devices.

[1] Allied Market Research, Internet of Things in Healthcare Market, 2022.

IoMT Use Cases

Figure 1. IoMT device and application examples

IoT is viewed as a business enabler in most industries, but medical IoT plays a different role in healthcare. IoMT use cases include:

  • Remote patient monitoring
  • Hospital asset tracking
  • Patient and staff tracking
  • Smart hospital solutions
  • Remote care delivery

 

IoMT Security Challenges

One of the main drawbacks of IoT in healthcare is weak security. Most IoMT devices were not designed with security in mind, which makes them especially vulnerable to compromise. IoMT demands better security because, unlike other industries, a security breach in a healthcare network can quite literally become a matter of losing lives.

Some of the key security challenges in healthcare related to connected medical devices include:

  • Vulnerabilities
  • Data privacy
  • Malware and ransomware attacks
  • Interoperability
  • Legacy systems

 

IoMT Security Risks

Unit 42® researchers at Palo Alto Networks analyzed crowdsourced data from security assessments of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for Healthcare from Palo Alto Networks. This topic is of critical concern for providers and patients because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data.

The published findings show an alarming 75% of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of 40 known cybersecurity vulnerabilities. Alerts showed they had one or more of 70 additional types of known security shortcomings for IoT devices.

Clearly, healthcare is a prime target for attackers. This heightens the concern around connected medical devices, because any exploited vulnerability enables cybercriminals to take malicious actions. Attacks on connected medical devices can pose significant risks to healthcare organizations and their patients, including:

  • Patient safety
  • Data breaches
  • Ransomware
  • Malware attacks
  • Device hijacking
  • Regulatory compliance problems

 

Medical IoT Security Vulnerabilities

There is already a vast array of information about known vulnerabilities and approaches for securing these devices. This is a result of the efforts of medical equipment makers, security researchers, cybersecurity vendors and regulators who have spent the past decade working to better understand cyber risks associated with use of infusion pumps and other connected medical devices. For example, the U.S. Food and Drug Administration (FDA) announced seven recalls for infusion pumps or their components in 2021, and nine other recalls in 2020.

There are also initiatives led by industry and government aimed at standardizing device information and establishing baseline security criteria for manufacturing these devices. Yet the average infusion pump has a life of eight to 10 years. The widespread use of equipment whose functional life is much longer than the life of its operating system has hampered efforts to improve security.

 

IoMT Security Best Practices

Security for connected clinical devices needs to be taken seriously, making it vitally important for all healthcare security leaders to implement connected medical device security strategies. A robust medical device security strategy can alleviate healthcare organizations’ worries about cyberattacks and allow them to focus on delivering positive patient care and outcomes.

IoMT security recommendations include:

  • Ensure visibility and risk assessment of all connected medical and operational devices using Device-ID policies
  • Apply contextual network segmentation and least-privileged access controls
  • Continuously monitor device behavior and prevent known and unknown threats
  • Simplify operations

Healthcare organizations with vulnerable clinical and nonclinical devices on their network might also consider the IoT or IoMT Security lifecycle approach (figure 2). These are steps that can be taken immediately to reduce exposure to medical device threats.

Figure 2. The IoT security lifecycle is an approach that organizations can use to reduce exposure to cybersecurity threats related to medical devices on their networks.

  1. Discover all IoT devices, managed and unmanaged, clinical and nonclinical.
  2. Assess the risk of all devices with continuous monitoring.
  3. Define and enforce policies to only allow trusted behavior.
  4. Prevent any known IoT attacks.
  5. Detect and respond to unknown IoT threats.
  6. Implement steps 1-5 in coordination with holistic clinical device management.

Zero Trust: The Key to Effective Connected Medical Device Security

Healthcare organizations face an urgent need to tackle the security challenges related to connected medical devices. The most basic step in securing connected medical devices begins with a Zero Trust security approach (figure 3). By doing this, healthcare IT teams will be empowered to take a prevention-first instead of an alert-only approach to keeping connected medical devices safe.

Figure 3. Zero Trust Network Security provides consistent access control and security regardless of where users, devices, or applications are located.

A Zero Trust security framework requires internal and external users to be continuously authenticated, authorized, and verified for security configuration and posture before being granted or retaining access to applications and data. Users are granted access on a need-to-have basis and keep it only so long as there is a valid need.

Key steps to establishing a Zero Trust security posture include:

  • Gain complete, accurate visibility of all connected medical devices.
  • Understand the risk posture associated with all connected clinical devices.
  • Leverage machine learning to accurately profile and segment all connected medical devices and other IoT devices.
  • Apply fine-grained least privileged policies to devices based on classifications.
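
The lifecycle steps (discover, define policy, detect) and the Zero Trust steps above come down to a default-deny check of observed traffic against a per-device-class allowlist. The sketch below is an added example, not Palo Alto Networks code; the inventory, device classes, networks, ports and flow records are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: device IP -> class assigned during discovery/profiling.
INVENTORY = {
    "10.20.1.15": "infusion_pump",
    "10.20.2.40": "imaging_system",
}

# Hypothetical least-privilege policy: for each device class, the only
# (destination network, protocol, port) tuples treated as trusted behavior.
POLICY = {
    "infusion_pump": [("10.20.100.0/28", "tcp", 443)],   # pump management server
    "imaging_system": [("10.20.110.0/28", "tcp", 104)],  # DICOM to the image archive
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int

def evaluate(flow):
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    device_class = INVENTORY.get(flow.src)
    if device_class is None:
        return ("deny", "unmanaged device: not in inventory")
    for net, proto, port in POLICY.get(device_class, []):
        if (proto, port) == (flow.proto, flow.port) and ip_address(flow.dst) in ip_network(net):
            return ("allow", f"{device_class} rule {net} {proto}/{port}")
    return ("deny", f"{device_class} has no rule for {flow.dst} {flow.proto}/{flow.port}")

# Constructed flow records standing in for network telemetry.
FLOWS = [
    Flow("10.20.1.15", "10.20.100.5", "tcp", 443),  # pump to its management server
    Flow("10.20.1.15", "203.0.113.9", "tcp", 23),   # pump to an external host
    Flow("10.20.2.40", "10.20.110.3", "tcp", 104),  # imaging system to archive
    Flow("10.20.9.77", "10.20.100.5", "tcp", 443),  # source never discovered
]

def audit(flows):
    """Return (flow, verdict, reason) for every flow the policy denies."""
    results = [(f, *evaluate(f)) for f in flows]
    return [r for r in results if r[1] == "deny"]

if __name__ == "__main__":
    for flow, verdict, reason in audit(FLOWS):
        print(f"{verdict.upper()} {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

The fourth flow is denied even though its destination and port match a pump rule, because the source was never discovered and classified; policy is keyed on device identity, not on the traffic alone.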

Zero Trust allows healthcare organizations to take advantage of the connected clinical devices’ many benefits without being susceptible to cyberthreats that can compromise patients’ safety and privacy. In addition, it protects them from other attacks such as ransomware.

IoMT Security FAQs

IoMT devices are IoT devices that connect wirelessly to a healthcare network and have the ability to transmit data.
Some examples of IoMT devices include medical imaging systems, smart thermometers, infusion pumps, medical device gateways, and biosensors packaged into wearables (for use in apparel or implanted inside the human body). IoMT use cases are expanding all the time.
IoMT security recommendations include:
  • Endpoint protection
  • Identity and access management
  • Asset management
  • Vulnerability management
  • Network segmentation
  • Training to help mitigate risk associated with employees