Much like smart devices have infiltrated and helped spaces like industrial operations and the enterprise, IoT has taken hold in healthcare. The Internet of Medical Things (IoMT) — networked medical devices and applications in healthcare IT — has forever changed the future strategies for healthcare organizations and the space as a whole. It’s added an entirely new layer of possible benefits affecting diagnostics, treatments and general patient health management while lowering cost in the process. All of this was on full display earlier this month at the annual HIMSS (Healthcare Information and Management Systems Society) Conference in Orlando.
But there’s a big caveat for all the good IoMT can offer. Like in any environment, more connected devices means a larger attack surface. I’s been proven time and again that security breaches are a significant challenge for healthcare organizations, resulting in major fallout. Security is not optional.
The Issue at Hand
Healthcare providers are beginning to experience higher scrutiny with the prevalence of cyber attacks on healthcare organizations. WannaCry ransomware did significant damage in 2017. Both management systems and medical devices were directly infected, interrupting healthcare services and placing patients at risk. Britain’s National Health Service (NHS) experienced the worst of it, at one point resorting to good old pen and paper. According to reports, the attack cost the NHS almost £100 million and the cancellation of 19,000 appointments. The interesting part is that it wasn’t even the direct target of the attack. Locking down NHS systems was just collateral damage. Imagine if it had been done with intent and precision.
The incident prompted medical device manufacturers to release security advisories. The FDA in the U.S. also provided its own recommendations. But companies are not obligated to follow them as they are guidelines and not legal mandates. Due to the lack of legal consequences, many manufacturers are not incentivized to add provisions about medical device security in their contracts. Ultimately, healthcare providers using these medical devices are placed in a compromising position, dealing with the aftermath of breaches and cyber attacks due to the general poor risk management.
It’s in the Legacy
But where do these issues stem from? Healthcare organizations believe that most of their security woes come from the flaws in legacy devices more than their implementations — a debatable topic. But digital technology does become old fast, unlike its hardware counterparts, leading to risk for both healthcare providers and patients as updates are slow to roll out and inconvenient to implement over time.
Additionally, manufacturers don’t allow customers to troubleshoot or patch devices, sometimes voiding warranties if customers do. Add this to devices often lacking encryption and the use of hard-coded credentials, and you have a recipe for potential disaster that is only made worse by generally lax security controls in the healthcare space.
Best Practices Matter
Beyond manufacturer-related security issues, organizational lapses can also negatively affect security. Gaps in security ownership, coupled with poor asset and inventory visibility, actually lead to the greatest risk of a breach, according to a recent KLAS/ CHIME benchmarking report.
The key to nipping the issue in the bud is to establish a centralized security strategy to anticipate and prevent potential threats, and bridge any gaps across operations. At the core of this effort should rest a robust technology stack that helps manage data, privacy and orchestration of all connected devices and related data. Going back to basics is important. You can’t improve on a system that’s already broken. The importance of ensuring IT deployments experience near 100 percent uptime, are protected against security threats, and are set up to be scalable cannot be overstated.
How do you do this? It’s about the efficient use of data. The very same data being generated by IoMT devices can be used for monitoring, creating baselines and generally providing a better window into a healthcare organization’s IT setup. With a clearer view into the inner IT workings of a healthcare organization, patient outcomes can improve, fraud can be curbed by noticing anomalous behavior and even billing errors can be avoided with the monitoring of HL7 data transactions.
New technology like IoMT in any space is always a double-edged sword. But the onus is not on manufacturers alone. It’s up to healthcare organizations to take the initiative to manage and secure their environments.