Securing the Internet of Medical Things
The Internet of Things (IoT) is a vast and growing category, comprising every internet-connected device that is not a traditional end-user device such as a laptop, phone, or tablet. Everything from your smart TV and fridge to rooftop solar systems and the industrial control systems used in manufacturing, critical infrastructure, and utility management is part of IoT.
Security for IoT devices is every bit as important as it is for your corporate network and end-user devices — and in many cases it is considerably more important because compromised devices could lead to real-world physical destruction and injury. Nowhere is this more true than in the subset of IoT consisting of medical devices.
IoT in the healthcare industry
The Internet of Medical Things (IoMT), also known as Healthcare IoT (HIoT) and Medical IoT (MIoT), is a subset of IoT that includes devices and applications that make healthcare data management and the provision of services more efficient and accurate. IoMT devices let physicians access and share real-time patient data easily, and connected health-monitoring devices — including wearables, implants, and home-based devices — can generate instant alerts when interventions may be warranted. The life-saving potential of IoMT cannot be overstated, and there is no doubt that it will continue to deliver very significant improvements to healthcare delivery going forward.
The COVID-19 pandemic has spurred faster development and adoption of IoMT, as telemedicine and remote-monitoring applications offer safer alternatives to in-person services.
Despite the benefits and promise of IoMT, it presents significant and unique security challenges that must be addressed to avoid consequences ranging from fines for regulatory noncompliance to real-world injury or death of patients:
- Legacy devices designed without security in mind. Many medical devices still in service were designed well over a decade ago, when designers may have assumed that security would not be a concern or a high priority. Even devices that were secure when first deployed may be unable to counter threats and exploits developed since.
- Identical configurations are repeated across all units. Whereas PCs and other endpoint devices can use a wide variety of configurations and software, medical devices may be distributed in millions of units with identical configurations, meaning that a successful attack on one device may be repeated successfully across all devices of the same type.
- Patching and updating can be difficult. Medical devices have traditionally been produced with fixed, proprietary software that was never intended to be updated or patched to address security vulnerabilities. While it may be possible to perform updates, it can be difficult and time-consuming, requiring comprehensive testing to ensure the safety of patients and protected data. Manufacturers may be reluctant or unable to devote adequate resources to the process.
- Access controls may be inadequate. Medical devices are usually designed to be accessed easily by a wide range of medical and administrative staff. Malicious insiders can easily expose protected data, and a compromised user account — the result of phishing, impersonation, malware, etc. — can result in a costly breach or allow an attacker to take control of the device itself, with potentially devastating results.
- Network security measures may not extend to remote devices. When medical devices are deployed off-site, for example in patients’ homes, legacy network firewalls may not be able to extend protection beyond the borders of the corporate network.
Mitigating IoMT risks
Adoption of IoMT by healthcare organizations is increasing steadily. But concerns about security, and a shortage of IT expertise and resources, are moderating the pace of that adoption. That being said, the technologies and strategies required to minimize security risks are readily available. These include:
- Advanced, cloud-delivered network firewalls – Today’s modern network firewalls, including Barracuda CloudGen Firewall, let you extend comprehensive security both within and outside the corporate network, including advanced scanning of all inbound, outbound, and intra-network traffic. In addition, they enable network segmentation that isolates monitoring devices from, for example, stores of sensitive data, so that even if criminals manage to compromise a device, they still do not gain access to the data they are seeking to steal.
- Zero Trust Network Access (ZTNA) – Zero Trust Access control solutions such as Barracuda CloudGen Access continuously evaluate multiple signals, such as geolocation and device ID, to block unauthorized access and enforce granular role-based permissions, so that stolen valid credentials alone are not enough to gain access.
- Advanced application security – Modern web application firewall (WAF) solutions, such as Barracuda WAF-as-a-Service and Cloud Application Protection, bring unprecedented ease-of-use to a set of technologies that have traditionally been considered complex and difficult to deploy and configure. This lets you deploy new applications that interface with IoMT devices with confidence.
- IoT security appliances – Specialized security appliances designed to be deployed at the individual device, such as Barracuda Secure Connector and Secure Access Controller, provide state-of-the-art security while allowing temporary VPN connections to enable third-party maintenance and updating, dramatically improving the security of potentially non-secure legacy devices.
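The zero-trust access check described in the ZTNA bullet above, as an added example (this is not Barracuda's code and not how CloudGen Access is implemented): a small Python policy evaluator that treats a valid password as only one signal, and additionally requires an enrolled device ID, a request geolocation consistent with that device's home region, and a role that permits the requested action. A session is re-evaluated on every request and revoked at the first failure, so a later request with clean-looking signals is still refused. All users, passwords, salts, device IDs, regions and roles are constructed sample data.

```python
"""Zero-trust access decisions for requests involving IoMT devices (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed inventory of enrolled devices: device ID -> home region.
ENROLLED_DEVICES = {"mon-0001": "EU", "mon-0002": "EU", "pump-0007": "US"}

# Constructed role-based permissions: role -> actions that role may perform.
ROLE_PERMISSIONS = {
    "nurse": {"read_vitals", "ack_alert"},
    "physician": {"read_vitals", "ack_alert", "adjust_dose"},
    "biomed": {"read_vitals", "firmware_update"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is deliberately low for a demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user directory with fixed salts so the example is deterministic.
_SALT_A, _SALT_B, _DUMMY_SALT = b"constructed-salt-a", b"constructed-salt-b", b"dummy"
USERS = {
    "alice": {"salt": _SALT_A, "hash": _hash_password("correct horse battery staple", _SALT_A), "role": "physician"},
    "bob": {"salt": _SALT_B, "hash": _hash_password("hunter2", _SALT_B), "role": "nurse"},
}
_DUMMY_HASH = _hash_password("", _DUMMY_SALT)


@dataclass
class Request:
    user: str
    password: str
    device_id: str
    geo_region: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def _check_password(user: str, password: str) -> Optional[str]:
    """Return the user's role on success, else None. Unknown users still cost one hash."""
    entry = USERS.get(user)
    salt = entry["salt"] if entry else _DUMMY_SALT
    expected = entry["hash"] if entry else _DUMMY_HASH
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return entry["role"] if (ok and entry) else None


def evaluate(req: Request) -> Decision:
    """Every signal must pass; the first failing check is reported as the reason."""
    role = _check_password(req.user, req.password)
    if role is None:
        return Decision(False, "invalid credentials")
    # Device identity: an unenrolled device is refused even with good credentials.
    home = ENROLLED_DEVICES.get(req.device_id)
    if home is None:
        return Decision(False, f"device {req.device_id} not enrolled")
    # Geolocation: the request must come from the device's home region.
    if req.geo_region != home:
        return Decision(False, f"region {req.geo_region} does not match device home {home}")
    # Role-based permission for the specific action requested.
    if req.action not in ROLE_PERMISSIONS.get(role, set()):
        return Decision(False, f"role {role} may not {req.action}")
    return Decision(True, f"{role} {req.user} may {req.action} on {req.device_id}")


def run_session(requests: Iterable[Request]) -> List[Decision]:
    """Re-evaluate every request; after the first failure the session stays revoked."""
    revoked = False
    decisions: List[Decision] = []
    for req in requests:
        if revoked:
            decisions.append(Decision(False, "session revoked"))
            continue
        decision = evaluate(req)
        revoked = not decision.allowed
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    good = Request("alice", "correct horse battery staple", "mon-0001", "EU", "adjust_dose")
    moved = Request("alice", "correct horse battery staple", "mon-0001", "RU", "read_vitals")
    for d in run_session([good, moved, good]):
        print(d.allowed, d.reason)
```

The point of the session loop is that an attacker who has phished alice's password and learned a valid device ID still trips the geolocation check, and once tripped, the session does not recover just because the next request looks normal again.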
Considering the major benefits to patients, providers, and organizations, IoMT is certain to continue growing as a driver of innovation in healthcare. But its growth must be accomplished in a context of highly reliable security. To remain competitive and ensure ongoing regulatory compliance, healthcare IT departments and professionals must commit to a thorough audit of IoMT devices and their security vulnerabilities, in order to create a strategy that eliminates security gaps and allows for rapid deployment of new technology-enabled services.
For assistance and guidance on how to get started, please contact your Barracuda rep or technology reseller soon.