Healthcare facilities such as hospitals have become increasingly attractive targets for attack as they come to depend on Internet of Medical Things (IoMT) devices and connected equipment to modernise infrastructure and deliver better patient care. The rapid proliferation of these devices has often come with security as an afterthought, at best.
Last year’s Tenet Healthcare cyberattack, which resulted in US$100mn in lost revenue and mitigation costs, is just the latest cautionary tale warning healthcare providers to put their IoMT security and incident response houses in order. In IoMT cyberattack post-mortems, expert evaluation often points to a lack of basic security hygiene as the root cause, with backdoors found in debugging logs, use of default password hashes, and soft authentication methods serving as egregious (but concerningly common) examples.
Given the stark risks involved (both from financial and patient outcome perspectives), many healthcare organisations ought to be taking IoMT device security more seriously. Here are six current IoMT security best practices that will make an impact:
1) Build cybersecurity readiness into operational workflows
Healthcare IT and security teams in hospitals and other healthcare facilities should be able to rapidly recognise and mitigate attacks—and that requires prudent policies and preparedness. Teams should proactively perform regular system audits and directly address any security gaps those audits discover. Information system architecture security should also undergo regular evaluation as the first line of defense against threats to IoMT infrastructure. Implementing thoughtful security policies and effective threat detection will meaningfully accelerate incident responses.
2) Implement effective (and IoMT-specific) monitoring and detection
Anomalous traffic often offers early indications of nefarious activity. Armed with a baseline understanding of normal IoMT device behavior, security teams should implement policies to identify and respond to abnormal behavior. These policies should also account for the unique attributes of the healthcare organisation’s network, to further differentiate any traffic that carries concealed threats. Detection that enlists threat modeling, machine learning, and crowdsourced intelligence will enhance proactive policies and response speed. (Basic network threat detection is unlikely to be sufficient; it will detect far less than a system that considers IoMT devices in context.) Integrating SIEM and SOAR tools within a simple playbook strategy, and collaborating with researchers working to identify IoT security threats, will similarly improve threat detection and, ultimately, outcomes.
3) Enable robust threat investigation tooling and procedures
With a recognised threat at hand, information becomes crucial. Security teams must be equipped with a 360-degree understanding of how their IoMT devices communicate with each other and be able to track emerging attacks across those communications. Again, understanding protocols and baseline behaviors—even down to the expected size of data transfers—makes it possible to flag anomalies. Regular network packet data captures can provide rapid alerting to flag any unexpected changes. It’s then critical to share those insights with clinical teams, in case any impacts on IoMT devices (that could affect patient care) need to be addressed.
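The baseline-and-deviation idea that runs through points 2 and 3 (learn what each device normally talks to, over which protocol, and how much it normally sends, then flag departures, including transfer sizes far outside the usual range) can be sketched in a few dozen lines. The following is an added illustrative example, not code from the original article or from any particular product. Device asset tags, addresses, protocol labels and byte counts are all constructed; the `Flow` record stands in for whatever summarised flow data a network sensor or NetFlow/IPFIX exporter provides.

```python
"""Baseline-and-deviation check for IoMT device traffic.

Added illustrative example, not code from the original article. It builds a
per-device baseline (who each device talks to, over which protocol, and how
much it normally sends) from a window of known-good flow records, then flags
later records that fall outside that baseline. Device names, addresses,
protocol labels and byte counts below are all constructed.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One summarised network flow, as a sensor or NetFlow/IPFIX exporter might emit it."""
    device: str     # asset tag of the IoMT device (constructed)
    dst: str        # destination "host:port"
    proto: str      # application-protocol label assigned by the sensor
    bytes_out: int  # bytes the device sent in this flow


@dataclass
class Profile:
    """Learned normal behaviour for one device."""
    dsts: set = field(default_factory=set)
    protos: set = field(default_factory=set)
    sizes: List[int] = field(default_factory=list)


# Minimum tolerated spread, as a fraction of the mean, so a very tight
# baseline does not make ordinary jitter look anomalous.
MIN_SPREAD_FRACTION = 0.05
# Number of spreads a transfer may deviate before it is flagged.
Z_THRESHOLD = 4.0


def build_baseline(flows: List[Flow]) -> Dict[str, Profile]:
    """Aggregate known-good flows into one Profile per device."""
    profiles: Dict[str, Profile] = {}
    for f in flows:
        p = profiles.setdefault(f.device, Profile())
        p.dsts.add(f.dst)
        p.protos.add(f.proto)
        p.sizes.append(f.bytes_out)
    return profiles


def check_flow(profiles: Dict[str, Profile], f: Flow) -> List[str]:
    """Return the baseline violations for one flow (empty list if it looks normal)."""
    p = profiles.get(f.device)
    if p is None:
        # A device with no learned profile is itself worth a look: either the
        # inventory is stale or something new appeared on the clinical network.
        return ["unknown_device"]
    reasons = []
    if f.dst not in p.dsts:
        reasons.append("new_destination")
    if f.proto not in p.protos:
        reasons.append("new_protocol")
    mu = mean(p.sizes)
    spread = max(pstdev(p.sizes), MIN_SPREAD_FRACTION * mu)
    if spread > 0 and abs(f.bytes_out - mu) / spread > Z_THRESHOLD:
        reasons.append("size_anomaly")
    return reasons


def detect(baseline: List[Flow], live: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Run every live flow against the baseline and keep only the anomalous ones."""
    profiles = build_baseline(baseline)
    findings = []
    for f in live:
        reasons = check_flow(profiles, f)
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed "known-good" window: an infusion pump posting HL7 messages to the
# integration engine and an MRI console sending DICOM studies to PACS.
BASELINE_FLOWS = [
    Flow("pump-07", "10.20.5.10:443", "HL7", 1200),
    Flow("pump-07", "10.20.5.10:443", "HL7", 1250),
    Flow("pump-07", "10.20.5.10:443", "HL7", 1180),
    Flow("pump-07", "10.20.5.10:443", "HL7", 1300),
    Flow("pump-07", "10.20.5.10:443", "HL7", 1220),
    Flow("mri-02", "10.20.5.20:104", "DICOM", 520_000),
    Flow("mri-02", "10.20.5.20:104", "DICOM", 510_000),
    Flow("mri-02", "10.20.5.20:104", "DICOM", 530_000),
]

# Constructed monitoring window: one ordinary flow and four that deviate.
LIVE_FLOWS = [
    Flow("pump-07", "10.20.5.10:443", "HL7", 1240),        # normal
    Flow("pump-07", "10.20.5.10:443", "HL7", 48_000),      # far larger than usual
    Flow("pump-07", "203.0.113.45:8443", "HL7", 1210),     # never-seen destination
    Flow("mri-02", "10.20.5.20:104", "SSH", 525_000),      # never-seen protocol
    Flow("cart-99", "10.20.5.10:443", "HL7", 100),         # not in the baseline at all
]

if __name__ == "__main__":
    for flow, reasons in detect(BASELINE_FLOWS, LIVE_FLOWS):
        print(f"{flow.device:8} -> {flow.dst:20} {flow.proto:6} "
              f"{flow.bytes_out:>8} B : {', '.join(reasons)}")
```

The three checks map onto what the text asks for: destination and protocol sets capture "how devices communicate with each other", and the size test captures "the expected size of data transfers". The spread floor is the caveat worth noting: a device whose baseline sizes are nearly identical would otherwise trigger on every few bytes of jitter, so a minimum tolerance (5% of the mean here) keeps the rule usable. In practice the baseline would be learned over days rather than a handful of records, and the findings would feed the SIEM rather than a print loop, with clinical teams told which device is involved so any patient-care impact can be assessed.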
4) Prepare swift and thorough attack responses
Cyberattacks need to be defeated quickly and completely. Prepared and practiced reactions should allow security teams to isolate devices under suspicion, confirm the attack, and eliminate any remote access that attackers may have established.
Any fallout from an attack must be addressed: for example, if an employee unwittingly triggered a phishing campaign aimed at stealing their credentials, change those credentials right away. Eliminate attack entry points by patching any recognised vulnerabilities. Vector mitigation and network segmentation may also prove useful tactics if patching doesn’t suffice.
5) Recover and analyse the incident in its aftermath
Recovering from a cybersecurity incident requires time, and the more severe the attack, the longer the recovery. Healthcare organisations should remain on guard from an operational safety standpoint while security teams complete the especially vulnerable recovery phase. Security teams should also collect all available data to inform forensic and post-incident analyses, which will in turn inform enhancements to security practices, policies, and employee training. Learning the right lessons from an attack can make all the difference in preventing the next one.
6) Practice with regular exercises
With refined strategies in place, security teams should regularly put them to the test with preparedness and mitigation exercises. The Homeland Security Exercise and Evaluation Program (HSEEP) offers an effective set of guidelines for gauging security readiness. Testing across various attack scenarios can also help to illuminate security challenges. External specialists and white hat entities can also help in stress-testing IoMT systems and improving protections.
Continuously improve IoMT security measures
Cybersecurity attacks on IoMT infrastructure and devices are inevitable, but their success or failure is not. For security teams at healthcare organisations, the ultimate best practice is vigilance. Continuing to refine IoMT security tools, policies, and practices—and proactively adapting to new learnings and shifts in attack methodologies—are the keys to a secure IoMT at scale.