When you step back and consider the patient journey in today’s healthcare environments, vulnerable clinical use assets are everywhere. Starting in admissions, patients encounter everything from check-in kiosks and tablets to copiers and scanners to security cameras.
During treatment, the vulnerable connected assets can range from CT/MRI scanners and wireless patient monitors to the pneumatic tube systems used in lab specimen transport and even building management systems regulating operating room environments. During post-treatment care, all kinds of smart devices, including virtual assistants and TVs, come into play. Advances in patient care innovation have also extended the asset ecosystem beyond facilities, including remote wellness and chronic disease monitoring devices.
A multilayered security challenge
It’s indisputable that connected medical devices and IoMT, IoT, and other smart assets are essential to improving and innovating patient care. They also pose security risks and management challenges on multiple levels.
- Lack of visibility and inventory capabilities: All security frameworks and programs begin with the foundational requirement of a complete asset inventory. The challenge with medical device security is that security teams typically focus on traditional enterprise assets they know. Traditional security controls such as asset inventory agents and network discovery scans don’t work on unmanaged devices or may miss transient devices. How can you secure your network?
- Inherent security control limitations: Beyond asset visibility, each medical device has inherent security challenges. Whether a device runs a proprietary OS and can’t take agents, or is vendor certified and cannot install Windows patches, the options for securing clinical assets at the device level are often limited. So how can your organization secure these vulnerable devices against an ever-growing threat landscape?
- Contextualized clinical and device risk: Add in the critical nature of these devices, and you’ll find healthcare has specialized risk assessment requirements, namely factoring the clinical context of devices into a traditional security assessment approach. Beyond technical CVEs, it’s essential to know how the clinical context and behaviors of a device elevate its risk compared to other assets.
Prioritizing IoMT security, cyber asset visibility
The problem is that inconsistent medical, IoMT, and IoT asset security makes healthcare delivery organizations ideal targets for attackers. And without the ability to fully visualize the asset landscape and identify and respond to emerging risks and threats in real time, the patient journey is full of critical vulnerabilities. Here’s why complete cyber asset visibility needs to be a top priority.
- At least 50% of devices in most healthcare delivery organizations are unmanaged or IoT assets that don’t support security agents.
- Upwards of 63% of organizations dealt with one or more security incidents related to unmanaged and IoT devices.
- Attackers covet medical records because they contain a wealth of information for identity theft. More than 40 million patient records were compromised in 2021 alone.
- Ransomware remains pervasive in healthcare, jeopardizing patient care while potentially costing hospitals millions in payouts and reputational damage.
- Cyber-physical attacks on things like smart uninterruptible power supplies (UPS) and building management system devices pose risks to patients and facilities.