Zero-Trust Stands as a Secure Foundation for IoMT

But with such rewards, there are also risks: Connected medical devices “can enhance the attack surface for things like data manipulation, compromising devices and ransomware,” Pearson says.

The White House Office of Management and Budget has instructed most federal civilian agencies to adopt some level of zero-trust architecture by the end of fiscal 2024. At VA and other federal agencies that manage healthcare data, a range of technologies work together within a zero-trust framework to ensure patient information remains safe and devices can function securely with little danger of cyber intrusions.

Why Legacy Devices Persist in Healthcare

Beyond the vulnerabilities inherent to all IoT technologies, connected medical devices create new risks, not only for patients who rely on them but also for the systems they connect to when transmitting sensitive patient data. Frequently, unpatched software and firmware only heighten the risk.

“Historically, medical device manufacturers were reluctant to upgrade system software because doing so triggered expensive safety and performance review clearance processes,” says Lynne Dunbrack, IDC group vice president for the public sector.

The FDA, which approves medical devices, echoes those concerns: Outdated devices “can pose significant risks to the healthcare sector,” says Jessica Wilkerson, senior cyber policy adviser and medical device cyber-security team lead for the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “Legacy devices were legally put on the market and may still be broadly in use. However, cybersecurity controls that may have been effective at their point of purchase may no longer be adequate now.”

The Government Accountability Office has asked the FDA to update an agreement with the Cybersecurity and Infrastructure Security Agency to ensure more effective coordination on cybersecurity and the security of medical devices.

LEARN MORE: Follow these best practices to improve cyber resilience in healthcare.

Proactive Medical Device Security Starts with Zero Trust

“Each vulnerable connected device offers a different pathway, or potential pathway, for malicious actors to either access patient data or disrupt healthcare operations,” Pearson says.

The sheer scale of IoMT device use adds additional layers of complexity: “A typical 500-bed hospital has more than 100,000 connected medical devices to secure and manage,” Dunbrack says. “Haphazard security patching, lack of system hardening, hard-coded or default passwords and embedded operating systems that are no longer supported” only compound the problem if standard, common-sense security practices are not followed.

Securing the devices is no small challenge, particularly given the variety of software individual devices might run, not to mention hardware limitations and communication protocols, Pearson says. That is why the VA takes a proactive approach to medical device security, she says, beginning with a zero-trust framework.

“We’ve moved beyond protecting the perimeter to employing multiple tools and technologies across our network,” Pearson says, including a network access control solution to securely isolate and segment user and device access to network resources.

“This solution helps with fingerprinting network traffic for IoT and IoMT devices. It helps us identify and gain visibility into what devices are on our network and what resources they can access, and allows us to proactively limit network traffic for unauthorized and unknown devices,” she says.

VA also uses a data protection strategy that relies on encryption at rest and in transit, she adds.

“We look at integrating IoT device data with vulnerability assessments, endpoint security and device compliance” to not only identify vulnerabilities but also understand what can be detected, Pearson says.

Evolving Security by Mixing Technologies

Large healthcare organizations typically turn to a range of technologies to secure connected medical devices. For example, Palo Alto Networks Medical IoT Security is specifically designed to protect critical connected medical devices, while integration with Palo Alto Networks’ Next-Generation Firewalls and Prisma Access offers highly granular policy enforcement.

Cisco offers several solutions that can secure medical devices by identifying all devices entering a network and then segmenting the network to protect those devices — and medical records — from threats. Cisco’s Medical Network Access Control helps hospitals detect threats through behavior monitoring.

VA looks to a broad mix of technologies and evolving approaches to security while also relying on tried-and-true protections such as next-generation firewalls and cloud access security brokers, “things that help align to zero trust and more granular access controls,” Pearson says. “When we provide that secure access to specific applications, we leverage that at a granular level for device authentication and authorization. That allows us to minimize that blast radius of our fragile devices.”

Threat Modeling Helps Pinpoint Security Objectives

FDA encourages an all-hands approach to medical device security.

“The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks,” Wilkerson says.

Manufacturers should complete a threat model that identifies security objectives, risks and vulnerabilities across the medical device system before they define countermeasures to prevent, mitigate, monitor or respond to the effects of threats to the medical device system, she says.

FDA has taken regulatory steps to clarify the role of device manufacturers. In spring 2024, the agency proposed updates to its guidance to medical device makers, in part to provide FDA’s recommendations and interpretations of recent, explicit cybersecurity regulatory authority that the agency received. After a feedback period, which was expected to close May 13, the agency will update its existing final premarket cybersecurity guidance to include the information and content from the update.

Meanwhile, federal agencies and other healthcare providers can take their own steps to build a more secure IoT environment, starting by exploring available commercial solutions, Gartner Senior Research Director Ruggero Contu says. “There is a well-established marketplace of medical device security solutions that are specifically geared toward improving that visibility through asset discovery and monitoring healthcare networks to detect those devices,” he says.

EXPLORE: How to best navigate zero trust implementation.

Based on the asset data discovered, health systems can assess all risks before determining the best way to secure them; for instance, through segregation or configuration improvements, Contu says. At VA, early intervention has allowed the agency to ensure all of the devices entering its ecosystem align with its secure-by-design approach, Pearson says. The agency has looked at ways to modify its procurement and contract services language to require assurance from providers that their products are secure.

“Security gets a little bit easier if you clarify requirements up front and make sure you know what you’re getting before devices are in production,” she says. “To be able to respond to incidents, you need to understand exactly how your data is being protected, what the capabilities are and how it’s limited.”

She advises other agencies to work to drive stakeholder buy-in across the care delivery system: “A lot of times, people don’t understand why security has to be in place,” she says. “We socialize all of our security objectives and key results with our partners across VA and meet regularly to discuss progress and challenges to meeting those OKRs We lay out a plan and monitor it closely, tracking
how we are trending in critical areas.”

With everyone in the loop, “we’ve seen progress in achieving our security outcomes.”