Key security challenges of IoMT devices

TI Hospitalar

May 16, 2023

Hospital and clinical environments in general have been frequent entries on cyber-intrusion lists in recent years. New research from asset visibility and security company Armis has revealed the medical and connected IoT devices that are most exposed to malicious activity.

The data analyzed, drawn from more than three billion tracked assets, found that nurse call systems are the IoMT (Internet of Medical Things) devices most at risk, followed by infusion pumps and medication delivery systems. Among IoT devices in general, those at the top of the list are IP cameras, printers, and Voice over Internet Protocol (VoIP) devices.

According to the research, smart hospitals are expected to deploy more than 7 million IoMT devices by 2026, double the number recorded in 2021. Medical and non-medical devices are increasingly connected, automatically feeding patient data from monitoring devices into electronic medical records. These connections and communications within medical environments help improve patient care, but they also make medical facilities increasingly vulnerable to cyberattacks that could disrupt care.

Armis’ detailed analysis of connected medical device and IoT data revealed the following information:

  • Nurse call systems are the highest-risk connected medical devices, with 39% having unpatched critical-severity Common Vulnerabilities and Exposures (CVEs) and almost half (48%) having unpatched CVEs.

  • Infusion pumps are in second place, with 27% having unpatched critical-severity CVEs and 30% having unpatched CVEs.

  • Drug delivery systems are in third place: only 4% have unpatched critical-severity CVEs, but 86% have unpatched CVEs. In addition, 32% run unsupported versions of Windows.

  • Almost one in five (19%) connected medical devices run unsupported operating system versions.

  • More than half of IP cameras in clinical environments have unpatched critical-severity CVEs (56%) and unpatched CVEs (59%), making cameras the IoT device type at greatest risk.

  • Printers are the second most at-risk IoT device type within clinical environments, with 37% having unpatched CVEs and 30% having unpatched critical-severity CVEs.

  • VoIP devices are in third place: while 53% of them have unpatched CVEs, only 2% have unpatched critical-severity CVEs.
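The figures above are shares of a device population that carry unpatched CVEs, unpatched critical-severity CVEs, or an unsupported operating system. The script below is an added example (not Armis code and not taken from the research) of how a defender derives exactly those shares, plus a per-device triage order, from an asset inventory. The inventory, the device names, the CVE identifiers (placeholders, not real CVE numbers) and the unsupported-OS list are all constructed; the only fixed fact used is the CVSS v3 "Critical" band starting at 9.0.

```python
"""Risk summary over a device inventory, mirroring the per-type shares in the
Armis figures. Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed list of operating systems whose vendor support has ended.
UNSUPPORTED_OS = {"Windows 7", "Windows XP", "Windows Server 2008"}


@dataclass
class CVE:
    cve_id: str       # placeholder identifiers, not real CVE numbers
    cvss: float       # CVSS v3 base score
    patched: bool

    @property
    def critical(self) -> bool:
        return self.cvss >= 9.0   # CVSS v3 "Critical" severity band


@dataclass
class Device:
    name: str
    device_type: str
    os: str
    cves: list = field(default_factory=list)

    def has_unpatched(self) -> bool:
        return any(not c.patched for c in self.cves)

    def has_unpatched_critical(self) -> bool:
        return any(c.critical and not c.patched for c in self.cves)

    def unsupported_os(self) -> bool:
        return self.os in UNSUPPORTED_OS

    def risk_score(self) -> int:
        # Weighted sum (constructed weights): an exploitable critical CVE
        # outweighs an unsupported OS, which outweighs any unpatched CVE.
        return (3 * self.has_unpatched_critical()
                + 2 * self.unsupported_os()
                + 1 * self.has_unpatched())


def summarize(devices):
    """Per device type: count and the three percentage shares used in the report."""
    groups = defaultdict(list)
    for d in devices:
        groups[d.device_type].append(d)
    out = {}
    for dtype, ds in groups.items():
        n = len(ds)

        def pct(pred):
            return round(100 * sum(pred(d) for d in ds) / n)

        out[dtype] = {
            "count": n,
            "unpatched_pct": pct(Device.has_unpatched),
            "unpatched_critical_pct": pct(Device.has_unpatched_critical),
            "unsupported_os_pct": pct(Device.unsupported_os),
        }
    return out


def rank_types(summary):
    """Device types ordered by unpatched-critical share, then unpatched share."""
    return sorted(summary,
                  key=lambda t: (summary[t]["unpatched_critical_pct"],
                                 summary[t]["unpatched_pct"]),
                  reverse=True)


def triage(devices):
    """Devices ordered by risk score (highest first), ties broken by name."""
    return sorted(((d.name, d.risk_score()) for d in devices),
                  key=lambda item: (-item[1], item[0]))


# Constructed inventory: names, OS versions and CVE placeholders are invented.
INVENTORY = [
    Device("nurse-call-1", "nurse call", "Windows 7",
           [CVE("CVE-PLACEHOLDER-0001", 9.8, patched=False)]),
    Device("nurse-call-2", "nurse call", "Windows 10",
           [CVE("CVE-PLACEHOLDER-0002", 7.5, patched=False)]),
    Device("nurse-call-3", "nurse call", "Windows 10",
           [CVE("CVE-PLACEHOLDER-0003", 9.1, patched=True)]),
    Device("nurse-call-4", "nurse call", "Windows 10"),
    Device("infusion-pump-1", "infusion pump", "Embedded Linux",
           [CVE("CVE-PLACEHOLDER-0004", 9.0, patched=False)]),
    Device("infusion-pump-2", "infusion pump", "Embedded Linux",
           [CVE("CVE-PLACEHOLDER-0005", 5.3, patched=False)]),
    Device("infusion-pump-3", "infusion pump", "Windows XP"),
    Device("ip-camera-1", "IP camera", "Embedded Linux",
           [CVE("CVE-PLACEHOLDER-0006", 9.8, patched=False)]),
    Device("ip-camera-2", "IP camera", "Embedded Linux",
           [CVE("CVE-PLACEHOLDER-0007", 9.8, patched=False)]),
]

if __name__ == "__main__":
    summary = summarize(INVENTORY)
    for dtype in rank_types(summary):
        print(dtype, summary[dtype])
    print(triage(INVENTORY)[:3])
```

The type-level ranking reproduces the report's ordering logic (critical-unpatched share first, then any-unpatched share), while the per-device triage is what an operations team actually works from: a nurse call station on an end-of-life OS with an unpatched critical CVE lands at the top regardless of how its device type ranks overall.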

“These figures are strong indicators of the challenges facing healthcare organizations in all parts of the world. Technological advances are essential to improve the speed and quality of treatment, as the sector faces a high shortage of healthcare professionals. However, with clinical environments becoming increasingly connected, the attack surface is growing as well. Protecting all types of connected devices, medical, IoT, and even building management systems, with full visibility and continuous contextualized monitoring, is essential to ensure patient safety,” explains Mohammad Waqas, principal healthcare solutions architect at Armis.

One of the hospitals served by Armis, for example, gained greater visibility into which devices are connected to the network and how they interact with each other, relying on alerts based on observed behavior and firewall rules.

A large proportion of connected medical devices are unmanaged, meaning they are either unprotected or unable to run traditional monitoring tools such as security agents and scanners, according to Armis. It is not hard to deduce, then, that cybersecurity risks are only likely to grow, and with them the risks to the continuity of patients’ treatment.

In addition to limited control of connected medical devices, there are other cybersecurity risks for hospitals. For Armis, the top 10 security threats to the Internet of Medical Things are:

1. Sophisticated threats targeting healthcare – In the first half of 2022, as in the previous three years, healthcare was the top target in terms of data breaches, according to the Identity Theft Resource Center (ITRC). The concerns are not only with confidential medical data, but also with downtime in patient care.

2. Coexistence of OT, IT, IoT and connected medical device environments expands attack surfaces – Hacking a smart TV in a hospital waiting room, for example, can open the door to threats that move laterally across often poorly segmented and under-protected hospital networks.

3. Complexity of healthcare environments – The diversity of device and system types makes asset tracking and vulnerability management difficult. In addition, many of the devices are portable and network-connected.

4. Medical devices do not accommodate agents – Because medical and clinical devices are intentionally manufactured as embedded hardware, they generally do not accommodate external software and consequently cannot be protected by security agents or easily updated or patched. Lack of patch management is a commonly exploited weakness, according to Microsoft’s Digital Defense Report 2021.

5. IoMT devices lack built-in security – Medical devices do not come with strong security controls because their design is based on desired outcomes and regulatory requirements.

6. Legacy technology with cybersecurity risks – Medical devices generally have a longer life cycle than consumer technology. Due to certification restrictions from the US Food and Drug Administration (FDA), operating systems and software running on medical devices may remain untouched and unpatched for fear of rendering them inoperable or affecting patient care.

7. Vendor-managed servers impede visibility of medical assets – Medical device manufacturers are taking new approaches by creating their own managed networks, i.e., an isolated part of hospital networks. For example, a vendor may have 30 patient monitors behind a proprietary gateway, creating different layers of visibility.

8. Scans and NAC do not understand context – Vulnerability scanning systems do not provide continuous, real-time monitoring. In addition, they rely on the Common Vulnerability Scoring System (CVSS) and cannot understand context. Other methods, such as network access control (NAC), also fail to examine device behavior.

9. Scans can disrupt care – Medical devices have different levels of sensitivity, so it is not known in advance how a specific system will respond to an active vulnerability scan.

10. Weak segmentation between clinical and IT networks – A typical hospital network is split between biomedical and IT security teams, creating silos. Virtual networks often keep the two sides separate, but are not designed to ensure security.
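Items 2, 8 and 10 above, and the hospital case earlier in the article that relied on "alerts based on observed behavior and firewall rules", all point to the same passive control: learn which peers each device normally talks to, encode the intended segmentation between clinical and IT networks as a policy, and alert on traffic that violates either. The example below is an added illustration of that logic, not Armis's product code. Every address, device name, segment assignment, policy rule and flow record is constructed; in practice the flows would come from a network tap or flow export and the asset table from an inventory system.

```python
"""Passive behaviour-baseline alerting with a clinical/IT segmentation policy.
Added example; all assets, rules and flow records below are constructed."""
from collections import defaultdict

# Constructed asset table: address -> (device name, network segment)
ASSETS = {
    "10.10.1.10": ("infusion-pump-1", "clinical"),
    "10.10.1.11": ("patient-monitor-1", "clinical"),
    "10.10.1.20": ("vendor-gateway", "clinical"),
    "10.20.5.5":  ("emr-server", "it"),
    "10.20.5.9":  ("workstation-7", "it"),
    "10.30.2.2":  ("waiting-room-tv", "guest"),
}

# Constructed segmentation policy: permitted (source segment, destination
# segment) pairs. Clinical devices may reach IT because monitors feed the EMR;
# nothing from the guest segment may reach clinical or IT.
ALLOWED_SEGMENT_PAIRS = {
    ("clinical", "clinical"),
    ("clinical", "it"),
    ("it", "it"),
    ("guest", "guest"),
}


def lookup(addr):
    """Name and segment for an address; unknown assets are flagged as such."""
    return ASSETS.get(addr, ("unknown-asset", "unknown"))


def build_baseline(flows):
    """Learn, per source address, the (destination, port) peers observed
    during a quiet training window. flows: iterable of (src, dst, port)."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def evaluate(flows, baseline):
    """Return one alert dict per flow that breaks the segmentation policy or
    departs from the learned baseline. Policy checks run first because a
    violation is actionable regardless of history."""
    alerts = []
    for src, dst, port in flows:
        src_name, src_seg = lookup(src)
        dst_name, dst_seg = lookup(dst)
        if (src_seg, dst_seg) not in ALLOWED_SEGMENT_PAIRS:
            kind = "segmentation-violation"
        elif (dst, port) not in baseline.get(src, set()):
            kind = "new-peer"
        else:
            continue
        alerts.append({
            "kind": kind,
            "src": src_name, "src_segment": src_seg,
            "dst": dst_name, "dst_segment": dst_seg,
            "port": port,
        })
    return alerts


# Constructed training window: the normal traffic pattern.
TRAINING_FLOWS = [
    ("10.10.1.10", "10.20.5.5", 443),     # pump -> EMR
    ("10.10.1.11", "10.20.5.5", 443),     # monitor -> EMR
    ("10.10.1.11", "10.10.1.20", 5000),   # monitor -> vendor gateway
    ("10.20.5.9", "10.20.5.5", 443),      # workstation -> EMR
]

# Constructed observation window with two anomalies.
OBSERVED_FLOWS = [
    ("10.10.1.10", "10.20.5.5", 443),     # normal
    ("10.30.2.2", "10.20.5.9", 445),      # waiting-room TV -> IT workstation
    ("10.10.1.10", "10.20.5.9", 3389),    # pump -> workstation, never seen before
    ("10.10.1.11", "10.20.5.5", 443),     # normal
]


def run():
    """Train on the quiet window, then evaluate the observation window."""
    return evaluate(OBSERVED_FLOWS, build_baseline(TRAINING_FLOWS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The two alert classes map onto the two gaps the list describes: the segmentation check catches the guest-to-IT path that item 2's smart-TV scenario depends on, and the baseline check surfaces a clinical device contacting an IT peer it has never used, which a periodic CVSS-driven scan (item 8) would never see because nothing about the device's vulnerability state changed. Neither check sends a packet to the medical device, which is the point of item 9.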