Special considerations for securing the Internet of Medical Things

Al Sisto

Blog by: Al Sisto - 3 / Dec / 2020

Public health is a vast and complex ecosystem – as the events of the past year have made explicitly clear. Maintaining the health of millions of citizens requires multiple strands of policy, law, education, research – and, increasingly – technology and data.

IoT has shaken up the world of medical technology, improving the efficiency of patient care by linking smart devices that can communicate over an internal network, as well as bringing in data from external devices. As with any IoT solution, the proliferation of the Internet of Medical Things (IoMT) has meant that security professionals have had to find new ways to keep devices, and the data they hold, secure.

When it comes to IoMT, special consideration needs to be given to the medical context of the device's communications, such as the role of each separate unit in the medical workflow, as well as the controls needed to keep sensitive data secure. Put simply, it's not enough to apply a traditional IoT cybersecurity solution when dealing with IoMT devices.

The types of IoMT technology

Before expanding on the unique measures that must be taken to secure IoMT devices, it's worth taking a closer look at the sort of technology under discussion.

To keep things simple, here are the five key types of IoMT device:

  • Consumer-focused, health-monitoring tech – This is where we find personal items including fitness trackers, such as the exceptionally popular Fitbit. This technology can monitor the user's general health, apply a specific workout plan, and connect to other devices (such as mobile phones) using Bluetooth.
  • Embedded medical devices – The likes of pacemakers and other devices that are surgically implanted into a patient, but still able to use wireless communications. Connecting to a network, such as hospital WiFi, allows for easier transfer of patient data.
  • External wearables – Portable, non-consumer equipment, such as insulin pumps, that use proprietary wireless protocols to send information to both patients and doctors.
  • Fixed medical devices – IoMT devices that are generally hospital-based, such as cardio-monitoring systems and chemotherapy units amongst others, and use traditional WiFi networks.
  • Legacy medical equipment/systems – Legacy equipment and systems have typically been in place and in constant use for 15+ years. Think x-ray machines and CAT scanners. This equipment runs on older operating systems, some developed last millennium, meaning that it cannot be updated to improve security with patches.

What we need to consider for more secure IoMT

IoMT devices are typically designed with a specific purpose in mind, with security a far lesser concern than providing a more efficient, convenient, and cost-effective version of healthcare for users.

The limited computing power and memory of this hardware makes hosting protective EDR software difficult, making it even more important that hospitals and healthcare institutions look at their security policies and protocols in much greater detail. IoMT has made huge improvements to patient care, and its efficiency, across the board, so smart medical devices that use a hospital's internal network are only going to become more prevalent going forward. Those who have responsibility for their safe usage need to make sure that they are up to date on the latest best practice in order to ward off any threats.

Standard IT and IoT cybersecurity cannot be simply applied to devices with such limited security options. In order to be effective, security specialists must look at each individual device from a number of angles. This means not only identifying devices as they connect to the network, but also mapping out which other devices and systems they communicate with so that any issue does not impact on the wider network. Containment will be key should an issue arise.

Another necessary consideration is how critical each device is to patients. Stricter controls would be recommended for high-value, low-volume devices (such as an MRI machine) that are usually based in one hospital but used and relied upon by an entire region. Laxer security would be acceptable for the likes of x-ray equipment, as more hospitals have one on site, allowing patients to still receive the care needed in the event of compromised security by travelling to a nearby hospital instead.

In order to make these controls easy to implement, each device should be analysed and assigned privacy and patient safety rankings. Assigning a rank would allow for better, more focused management for individual IoMT devices, speeding up the process of securing the network in any eventuality.

Finally, it's vital to have an understanding of how each and every device is connected through gateways, nurses' stations, servers, printers and other technology on the same network.

Knowing how many other areas will need attention in the event of a security issue will make it so much quicker to launch an effective response, ensuring patient and data safety, while also allowing IoMT devices to carry out the essential tasks that they were designed for.
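As an added illustration (not code from the original post), here is a small Python sketch of the approach described above: a constructed inventory with patient-safety and privacy rankings, a tiering rule that is stricter for high-value devices with no regional fallback, and a reachability check over recorded communication links that lists which connected systems need attention when one device is compromised. All device names, scores and links are assumed sample data.

```python
from collections import deque

# Constructed sample inventory (not from the original post). Each device carries a
# patient-safety impact (1-5), a privacy impact (1-5) and the number of alternative
# units the region could fall back on if this one had to be taken offline.
DEVICES = {
    "mri-01":      {"type": "fixed",    "safety": 5, "privacy": 4, "alternatives": 0},
    "xray-02":     {"type": "legacy",   "safety": 4, "privacy": 3, "alternatives": 3},
    "pump-17":     {"type": "wearable", "safety": 5, "privacy": 2, "alternatives": 0},
    "nurse-stn-3": {"type": "station",  "safety": 2, "privacy": 5, "alternatives": 1},
    "pacs-srv":    {"type": "server",   "safety": 3, "privacy": 5, "alternatives": 1},
    "printer-b2":  {"type": "printer",  "safety": 1, "privacy": 3, "alternatives": 4},
}

# Constructed communication map: which devices and systems talk to each other.
LINKS = [
    ("mri-01", "pacs-srv"), ("xray-02", "pacs-srv"), ("pump-17", "nurse-stn-3"),
    ("nurse-stn-3", "pacs-srv"), ("pacs-srv", "printer-b2"),
]

def control_tier(dev):
    """Strictest tier for high-impact devices with no regional fallback (e.g. the MRI);
    a redundant high-impact device (e.g. an x-ray unit) gets the standard tier."""
    score = max(dev["safety"], dev["privacy"])
    if score >= 4 and dev["alternatives"] == 0:
        return "strict"
    if score >= 4:
        return "standard"
    return "basic"

def attention_set(start, links):
    """Map every system reachable from a compromised device to its hop distance,
    so responders know which areas need attention and which are closest."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    del hops[start]
    return hops

def rank_devices(devices):
    """Order devices so those needing the strictest controls come first."""
    order = {"strict": 0, "standard": 1, "basic": 2}
    return sorted(devices, key=lambda n: (order[control_tier(devices[n])], -devices[n]["safety"], n))
```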


Topics: IoT security, Security, internet of medical things
