Why Security Misconceptions Are Threatening Healthcare Systems’ IoT Devices

Dinesh Katiyar, Head of Business Development at Asimily

Hospitals and other critical healthcare systems face skyrocketing risks as ransomware attacks—which most commonly target IoT devices—continue to escalate. In 2021 alone, IoT ransomware attack incidents targeting healthcare organizations increased by 123%

While most healthcare systems have a healthy respect for the importance of securing the myriad Internet of Medical Things (IoMT) devices humming within their facilities, many harbor misconceptions that hamper their abilities to implement optimal IoMT security protections and best practices. These misconceptions, and the stark realities that healthcare organizations should instead understand and base their practices upon, include:

Healthcare systems too often make the mistake of believing that all device security is the same—and that the protections they have in place for standard IT devices, such as servers and laptops, can also effectively protect IoMT devices. 

Traditional IT security cannot reliably secure IoMT devices for a number of reasons. First, many traditional security tools leverage active scanning to detect threats. But a high percentage of IoMT devices can’t withstand active scans and will crash, potentially impacting patient health. Tools designed to secure traditional devices are also unlikely to reliably discover and inventory IoMT devices, and cannot protect what they don’t know is there. Such approaches also lack any ability to assess or contextualize risks associated with non-connected IoMT devices.

The better approach is enlisting a security strategy intended for the task at hand. Effective security will leverage IoMT-specific data, frameworks, and MDS2 manufacturer disclosure statements to understand and mitigate known vulnerabilities. IoMT security also requires a thorough understanding of each device’s connections and surrounding ecosystem: these details are essential to determining whether IoMT device vulnerabilities represent true threats that actually need to be addressed. 

2) “Adding IoMT-specific security is beyond our budget.”

IT and security decision-makers within healthcare organizations are inherently budget-conscious—and need to be. However, the real potential for attacks to impact patient health and for security shortcomings to result in six or seven-figure regulatory penalties strongly supports the argument that they can’t afford not to invest in IoMT security. 

Much like in the healthcare industry itself, an ounce of IoMT security risk prevention is worth a pound of cure. And implementing effective IoMT security enables further cost controls by eliminating much of the existing spending needed to identify and fix device vulnerabilities (as well as vastly increasing efficiency by flagging the vulnerabilities that do and do not pose an actual risk). IoMT security insights can also enable more efficient device procurement, offering greater visibility for maximizing the ROI of a more comprehensive security strategy.

3) “Data collection for IoMT security purposes increases HIPAA violation risks.”

Certainly, healthcare systems must prioritize the security of protected health information (PHI) and adherence to HIPAA regulations. This doesn’t just protect patients, but also avoids both fines and reputational damage. To continually achieve compliance, IT and security teams carefully enforce data sharing restrictions upon any information transmitted to vendors or the cloud. 

However, the notion that collecting data to inform secure IoMT practices raises the risks of violating HIPAA is false. IoMT security analysis focuses on network traffic data, which doesn’t include PHI data. Security safeguards can also apply filters that prevent transmission of PHI over the cloud, and the cloud itself can be made HIPAA compliant. Using a fully on-premise IoMT infrastructure can effectively prevent outside data transmission and risk as well.

4) “IoMT security deployments require months of effort.”

While deploying a new electronic health records system might take an organization a full year to complete, IoMT-specific security implementations are an entirely different path forward with a much swifter process. IoMT security enlists many cloud-based safeguards, which require none of the hardware procurement or lengthy production deployments that drag out implementations in other areas. IoMT security systems that do rely on edge devices can still be implemented in just hours. In general, there’s nothing overly cumbersome or drawn out about deploying IoMT-specific security.

The truth: IoMT-specific security is within reach.

If current trends continue as predicted, ransomware and other attacks on IoMT devices will only become more frequent. For healthcare systems, avoiding breaches that expose data and the business itself to costly fines and crushing reputational damage is crucial. Attackers would love for IT decision-makers to continue believing that the IoMT is far too complex and challenging to secure properly. Fortunately, the expense and difficulty of adopting highly effective IoMT-specific security measures aren’t nearly as daunting as the still-common misconceptions suggest.

About Dinesh Katiyar
Dinesh Katiyar is Head of Business Development at Asimily. His career in technology has included leadership roles at Glassbeam, SnapLogic, and Informatica, among others.