Hospitals and other critical healthcare systems face growing risks as ransomware attacks, which most often target IoT devices, continue to grow. In 2021 alone, incidents of IoT ransomware attacks targeting healthcare organizations increased by 123%.
While most healthcare systems respect the importance of securing the myriad Internet of Medical Things (IoMT) devices buzzing through their facilities, there are many misconceptions that hamper their ability to implement optimal security protections and IoMT best practices. These misconceptions, and the harsh realities that healthcare organizations should instead understand and base their practices on, include:
Healthcare systems too often make the mistake of believing that the security of all devices is the same and that the protections they have in place for standard computing devices, such as servers and laptops, can also effectively protect IoMT devices.
Traditional IT security cannot reliably secure IoMT devices for a number of reasons. First, many traditional security tools leverage active scanning to detect threats. But a high percentage of IoMT devices cannot withstand active scans and will fail, which could impact patient health. Tools designed to secure traditional devices are also unlikely to reliably discover and inventory IoMT devices, and cannot protect what they don’t know is there. Such approaches also lack the ability to assess or contextualize the risks associated with unconnected IoMT devices.
The best approach is to enlist a security policy intended for the task at hand. Effective security will leverage IoMT-specific MDS2 vendor data, frameworks, and disclosure statements to understand and mitigate known vulnerabilities. IoMT security also requires a thorough understanding of each device's connections and the surrounding ecosystem. These details are critical in determining whether vulnerabilities in IoMT devices represent real threats that need to be addressed.
2) “Adding specific security to the IoMT is beyond our budget.”
IT and security decision makers within healthcare organizations are by nature budget conscious and should be. However, the real potential for attacks to affect patient health and for security breaches to result in six- or seven-figure regulatory penalties strongly supports the argument that they cannot afford not to invest in IoMT security.
Just like in the healthcare industry itself, an ounce of IoMT security risk prevention is better than a cure. Implementing effective IoMT security also helps to control costs by eliminating much of the existing expense needed to identify and remediate device vulnerabilities (as well as dramatically increasing efficiency in reporting whether or not vulnerabilities present a real risk). IoMT security insights can also enable more efficient device provisioning, providing greater visibility to maximize the ROI of a more comprehensive security strategy.
3) “Collecting data for IoMT security purposes increases the risk of HIPAA violations.”
Certainly, healthcare systems must prioritize the security of protected health information (PHI) and compliance with HIPAA regulations. This not only protects patients, but also avoids fines and reputational damage. To ensure ongoing compliance, IT and security teams carefully enforce data sharing restrictions on all information transmitted to vendors or the cloud.
However, the idea that collecting data to inform safe IoMT practices increases the risk of HIPAA violations is false. IoMT security analysis focuses on network traffic data, which doesn’t include PHI data. Security measures can also apply filters that prevent the transmission of PHI to the cloud, and the cloud itself can be made HIPAA compliant. Using a fully on-premises IoMT infrastructure can also effectively prevent data transmission and external risks.
4) “IoMT security deployments require months of effort.”
While deploying a new electronic health records system can take an organization a full year, IoMT-specific security implementations follow an entirely different path with a much faster process. IoMT security makes use of many cloud-based protections, which don’t require any of the hardware purchases or lengthy production deployments that drag out implementations in other areas. IoMT security systems that rely on edge devices can still be implemented in just a few hours. In general, deploying IoMT-specific security isn’t too tedious.
Truth: IoMT-specific security is at your fingertips.
If current trends continue as expected, ransomware and other attacks against IoMT devices will only become more prevalent. For healthcare systems, it is crucial to avoid breaches that expose data and the company itself to costly fines and crushing reputational damage. Attackers would like IT decision makers to continue to believe that IoMT is far too complex and difficult to secure properly. Fortunately, the expense and difficulty of adopting highly effective IoMT-specific security measures is not as daunting as the still common misconceptions suggest.
About Dinesh Katiyar
Dinesh Katiyar is Business Development Manager at Asimily. His technology career has included leadership roles at Glassbeam, SnapLogic, and Informatica, among others.