Antoinette Hodes is a Global Solutions Architect, specializing in IoT, and serves as an Evangelist with the Check Point Office of the CTO. She has worked as an engineer in IT for over 25 years and is an experienced security solutions architect in the cyber security industry.
The Internet of Medical Things (IoMT) has revolutionized the healthcare industry. By connecting medical devices, sensors, and other equipment to the internet, hospitals can improve patient care, reduce costs, and improve efficiency. During the COVID era hospitals were understaffed and, where staff were present, social distancing was required; IoT solutions were the answer to this challenge. Think of robot-assisted services, such as blood sample collection, disinfection of hospital rooms and delivery of medication. The options of IoMT are really endless. We see that hospital beds are getting “connected”: think of systems that monitor medication dispensers, heart and medical alerts, just to name a few. There are even so-called smart beds that monitor patient weight, body temperature and heartbeat. Even things like blood oxygen saturation can be monitored, helping doctors to reduce and prevent bedsores. All aiming for a quick patient recovery or keeping the patient comfortable.
IoMT (Internet of Medical Things) pain points
In the realm of IoMT, we learned that bed count serves as a crucial metric. Each bed typically encompasses at least 20 or more IoT assets. While segmentation is often in place, compliance and certification pose significant challenges in this environment. The paramount concerns in this environment revolve around patient monitoring and confidentiality. Essential elements in hospitals include patient safety, patient satisfaction, treatment cost and average hospital stay.
Despite the increasingly complex nature of IoT environments, IT security solutions have lagged behind, offering limited visibility and control over IoT devices and the associated risks they present. Securing these devices poses a challenge due to the vast range of communication protocols they employ and their inherent vulnerabilities stemming from legacy operating systems, hardcoded or weak passwords, patching difficulties, physical accessibility, operating system misconfigurations, lack of built-in security measures, and unsecured communication protocols.
For instance, a significant number of IoMT assets continue to operate on the highly vulnerable Windows 7 platform and, even worse, Windows Embedded XP. Microsoft stopped supporting these operating systems a long time ago. Simply upgrading OEM devices running Windows 7 is not feasible due to high costs (thousands of dollars per device); the same goes for Embedded XP. Examples of such devices are imaging systems such as magnetic resonance imaging (MRI) and computed tomography (CT) scanners, blood pressure monitoring devices and defibrillators. Rough estimates are that 70% of all medical devices are unsupported.
A link demonstrating this fact is provided below. Attackers exploit these vulnerabilities to target such assets. A comprehensive list of Common Vulnerabilities and Exposures (CVEs), including those with a severity score of 9*, is available here. *Critical vulnerabilities are those with a CVSS score greater than 9 and less than 10, denoting the highest level of severity and immense potential harm.
Rise above the certification challenge
Certification is essential to ensure that medical IoT devices meet the necessary regulatory standards and comply with healthcare industry requirements. It helps guarantee that these devices are accurately designed, built with appropriate quality controls and have reliable performance. The certification process typically involves a series of tests, assessments and audits conducted by specialized certification bodies or regulatory authorities. Medical IoT device certification includes topics such as:
- Safety | Devices should be evaluated for their electrical safety, software safety and mechanical safety, ensuring they do not pose any harm to patients or operators
- Performance | Devices need to demonstrate accuracy, precision and reliability in their measurements or monitoring capabilities
- Data security and privacy | Protection of patient data is crucial. Devices must undergo assessment to ensure they have appropriate measures in place to safeguard data privacy, prevent unauthorized access, and maintain data integrity
- Regulatory compliance | Medical IoT devices must comply with applicable regulations and standards, such as ISO 13485 (Quality Management System for Medical Devices) and IEC 60601 (Safety and Performance of Medical Electrical Equipment)
- Interoperability | In a connected healthcare ecosystem, interoperability is key. Certification may require devices to demonstrate compatibility with relevant communication protocols and healthcare information systems
A huge game changer is that with every change to a program, firmware or patch, an IoMT device may need to be re-certified. This is nearly impossible, very costly and problematic, resulting in outdated and unpatched IoT systems. And yet certification plays a critical role in ensuring the reliability, safety and effectiveness of connected healthcare devices, protecting patient well-being and fostering innovation in the healthcare industry.
The role of SCADA devices in hospital environments
In healthcare environments, SCADA equipment is also commonly found. For SCADA devices, availability is key.
What SCADA equipment can be found in hospitals and/or healthcare environments? Think of elevators and of systems for patient care and safety, such as:
- Power management systems | Devices monitoring and controlling the power distribution infrastructure in hospitals, guaranteeing uninterrupted power supply to critical areas like operating rooms and ICU
- Physical access control systems | Managing and monitoring entry and exit points in hospitals to enforce proper security measures
- Operating room control systems | Devices maintaining and monitoring the required parameters during surgery, such as temperature, humidity and air pressure
- Fire alarm systems | Managing fire alarm systems in hospitals, providing immediate notification in emergency situations
- HVAC systems | Systems regulating heating, ventilation and air conditioning
Additional challenges arise from the fact that a significant number of SCADA devices still operate with default or easily guessable passwords. Malicious actors exploit this to carry out attacks. For more information refer here.
The intersection of 5G and IoT for revolutionized healthcare
Another challenge lies in the combination of 5G and IoT. We are now seeing robot-assisted services, such as blood sample collection, disinfection of hospital rooms and delivery of medication. While presenting 5G and IoT, I often use the example of a fully remote surgery over 5G. In 2019, a fully remote surgery was done using orthopedic surgery robots. The COVID-19 pandemic was a huge driver for robotic investment, as were staff shortages, social distancing protocols and supply chain constraints. Thanks to ML and AI, we now have collaborative robots that are incredibly precise and accurate.
Patient well-being starts with security
In conclusion, a US hospital has 130 beds on average. We know that there are around 20 IoT assets per bed. This means a hospital will have at least 2,600 medical IoT assets, apart from the Smart Building, Smart Office and all other assets. This poses a real risk, an expanded attack surface and lots of opportunities for attackers. Properly securing IoT devices is crucial for various reasons, and particularly so in the case of medical and health records. Given the immense value that these records hold, it becomes essential to implement robust security measures.
One significant concern is the escalating threat of ransomware attacks. These malicious activities can compromise the sensitive health data stored in IoT devices, causing disruptions and potential harm to patients. By ensuring security and implementing stringent security protocols, healthcare organizations can minimize the risk of ransomware attacks and protect the integrity of medical records.
Furthermore, the cost associated with cyber attacks cannot be overstated. Organizations that fail to secure their IoT devices may face significant financial implications resulting from data breaches, litigation fees, and regulatory penalties. Investing in comprehensive security measures can significantly mitigate these risks and safeguard the financial stability of healthcare providers.
Moreover, reputational damage is a major consequence of insecure IoT devices in healthcare. A breach of medical records due to insufficient security measures can lead to loss of patient trust and a tarnished reputation for healthcare organizations.
By prioritizing certification and robust security, healthcare providers can demonstrate their commitment to patient privacy and enhance their reputation in the industry. Finally, the legal risks associated with compromised medical and health records are a growing concern. Failure to comply with data privacy regulations and safeguard patient information can result in legal consequences and litigation. Security also lifts the burden of recertification after every update or patch. By securing IoT devices, healthcare organizations adhere to industry standards and reduce the risk of legal complications, ensuring compliance with privacy laws and regulations.