Adding to the list of unwieldy cybersecurity terms and phrases the world has to inevitably become familiar with is “internet of medical things (IoMT) security.”
As the healthcare industry embraces connected and smart devices more broadly, it has become imperative to be mindful of cybersecurity.
Healthcare facility administration is no longer limited to sanitizing tools from pathogens but also keeping connected devices secure from various cyber threats.
The IoMT market has expanded significantly over the years, projected to grow by 22.2 percent CAGR for the period 2021 to 2028.
The number of connected devices deployed for community healthcare systems, conventional healthcare facilities, and home and personal use has already become too many to be ignored.
They constitute broad cyberattack surfaces that appear highly enticing for cybercriminals.
It is worth noting that the global healthcare cybersecurity market is projected to grow at a comparable rate at 19.1 percent CAGR.
It would not be a stretch to say that there is a commensurate need to keep up with the security needs that come with the more widespread use of IoT devices in the medical or healthcare field.
Post-Market Surveillance for Medical Devices
One of the most noticeable examples of how IoMT is becoming more relevant than ever is the rise of solutions for post-market surveillance for medical devices.
Nowadays, IoT medical device security is not only a concern for users. Manufacturers of such connected devices are also compelled to ensure that their products are adequately secure.
One of the major reasons for this is the growing involvement of regulators in medical device cybersecurity. The proposed FDA law that sought to include may have passed without the cybersecurity requirements for medical devices, but there are pending bills aimed at addressing this need. “S.4336 – Strengthening Cybersecurity for Medical Devices Act,” for one, aims to mandate the FDA to be actively involved in medical device cybersecurity.
It also aims to require the Government Accountability Office to report on cybersecurity challenges for medical devices.
Through post-market surveillance, the government and IoTM manufacturers are expected to work hand in hand to monitor and ensure the effectiveness and security of connected devices used in the healthcare field.
Instead of focusing on pre-market regulation, there is a shift towards post-market oversight and regulation. Proponents of shift argue that the data collected and evaluated in post-market surveillance are more representative of the real situations devices are subjected to and the outcomes they deliver.
They present more substantial data on the effectiveness and security of the deployed products.
Moreover, medical device manufacturers acknowledge the importance of conducting post-market clinical follow-up (PMCF), which aims to systematically collect clinical data on medical device usage and outcomes to assess the proper use of the devices and the benefits and risks associated with them.
Organizations may need to conduct PMCF if they are introducing novel technology or if there are high product-related risks involved.
‘Unique’ vulnerability
A congressional report recently raised the alarm on how the healthcare sector is “uniquely vulnerable” to cyberattacks.
“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” the report writes.
The healthcare industry presents distinct challenges because of the added risk to patient safety.
One of the major issues cited in the report is the use of devices that do not have the capabilities to resist cyberattacks. Many healthcare facilities continue to use electronic gadgets not designed to resist modern cyberattacks, especially those that connect to the internet and other devices.
The software used in connected medical devices is of particular interest. “As software developers retire older versions of software and no longer patch these products, more medical devices are left vulnerable to attacks,” the report notes.
It cites one prominent software vendor that reportedly learned that its end-of-life app was still being deployed by a major healthcare IT vendor. This is a highly risky practice that threatens not only the operations of a healthcare facility but the lives of patients.
One important part of the report’s recommendations is the restriction of the sale of medical devices with obsolete software or applications that are not capable of dealing with modern cyber threats. Another recommendation is the requirement for medical device makers to prepare software bills of materials (SBOM) to be submitted to the FDA and to end users of the devices being sold.
Legislators and regulators are taking a keen look at the cybersecurity situation in the healthcare industry. The threats have serious consequences that can directly affect people’s lives.
These threats do not only pertain to stolen personal data but also the possibility of medical device malfunctions and remote manipulation that can endanger patients.
Larger-than-life threats
How serious is the IoMT cybersecurity threat? One report (by a healthcare cybersecurity provider) puts out an alarming number: 56 percent of hospitals reportedly admit that their IoMT devices have been attacked in the past couple of years.
This is a significant majority of healthcare institutions. This shows that cybercriminals see IoT devices as viable attack targets, and many appear to be unprepared.
Another worrying finding from the above-mentioned study is 24 percent reported mortality increase in hospitals that have suffered cyberattacks. While broader and longer-term studies are needed to establish the correlation more convincingly, it is not irrational to think that cyberattacks on healthcare facilities and mortality rates are related.
Other concerning findings from the IoMT cybersecurity study are the attribution of 88 percent of data breaches on hospitals to IoMT devices, the presence of at least one crucial security vulnerability in 53 percent of IoMT devices, and the propensity of some 47 percent of hospitals to give in to the demand of ransomware perpetrators.
Among the most common IoT devices used in the healthcare setting are connected IV pumps, which reportedly make up 38 percent of an average hospital’s IT footprint.
Over 70 percent of these connected IV pumps are said to contain vulnerabilities that can be exploited by hackers and other threat actors.
Taking threats seriously
The threats to the medical or healthcare industry have considerably risen with the adoption of more connected devices or the Internet of Medical Things.
The silver lining in this worsening cyber threat situation, though, is that security providers and regulators are stepping up to offer suitable or targeted solutions.
The emergence of post-market surveillance for medical devices and legislation aimed at tightening healthcare device cybersecurity show how serious the problem is and how the private and public sectors are working together to tackle the threats effectively.
