The Internet of Things is a phenomenon with which healthcare CIOs, and just about everybody else, are by now quite familiar. Smartphones can control the lights in homes and manage security systems, for example. In healthcare, implanted medical devices can communicate with providers via the web.
But there’s still a big learning curve ahead for IoT, especially with regard to security.
“Since data is the coin of the realm in healthcare, this phenomenon has been embraced by makers of medical equipment and has spurred innovation in a great many cases,” said Matthew Broomhall, CTO of technology support services for healthcare at IBM. “If you contrast this to information technology as we understand it today, IT has had years to implement programs to protect IT assets and data.”
But while that has matured, the management and protection of the Internet of Medical Things is not yet at the same maturity level, he said. CIOs and CISOs now must accelerate programs to ensure their medical devices, and therefore the data these devices generate and exchange, are protected.
Unlike classical IT with servers in a data center and computers at nursing stations, medical devices can be highly mobile and accessible in a way that should concern CIOs. Often, where the devices in the inventory physically are is not well understood and can be very hard to pin down precisely.
“With classic IT, for the most part, software is part of the operating system image that permits management and protection,” Broomhall said. “There are very mature products from many vendors and well understood methodologies that when followed with rigor, protect the hospital’s IT assets. However, the growing inventories of connected medical devices – many of which interact with the rest of the IT environment – are not as well protected and represent a potential threat vector.”
Any FDA-regulated device has additional protections applied that mean an IT organization cannot simply install anti-virus software or other agents on the devices for management and protection, he explained. FDA certification ties the device to the specific operating system, software or firmware through which it performs its prescribed functions and, in the process, contributes to patient care, he said.
“A clinical system is not permitted to upgrade an operating system or software to current releases, since from an FDA perspective, the device is no longer what was certified for patient care,” he said.
Take a CT scanner using Windows XP, for example. While it was the OS when the device was certified, Microsoft no longer supports it, yet hospitals are not permitted to upgrade the device’s OS.
While an oversimplification, that is a common challenge. An out-of-support operating system, or firmware with exploitable security flaws, can then not only become a threat vector, but a threat to patient safety, he added.
There are several factors at play. Medical devices tend to remain in use longer than typical IT equipment. If a device was delivered as new with an already out-of-date operating system, that exposure could remain for the life of the device unless the OEM updates the device and obtains FDA approval for the updated device, which carries a much longer cycle time than standard IT equipment, Broomhall said.
“Fortunately, CIOs do not need to wait to take action,” he said. “CIOs can develop a systematic approach to locate, assess and patch as needed and permitted all devices using their computerized maintenance management system as the starting point for an inventory. They can also implement additional measures to protect devices from malicious intent.”
At a high level, healthcare providers can take steps including discovery, analysis and remediation, he explained. Discovery is essentially taking inventory: knowing where devices are located within the clinical footprint, and what embedded information technology is running on them.
“Analysis provides the understanding of patches being up to date or not and are there compensating controls in place as well as a risk assessment based on what is found for each device type,” he said. “And remediation is the guidance for what steps should be taken to remediate the devices and the environment they reside in from an IT security perspective.”
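The discovery, analysis and remediation steps above can be expressed as a small triage routine over a CMMS-style inventory export. The following is an added example written for this page, not code from the article, from IBM or from any vendor: the inventory fields, the end-of-support table, the compensating-control names and the 0-3 risk scale are assumptions made here for illustration, and the four assets are constructed. It scores each device on the support status of its embedded OS, lets compensating controls lower but never clear that score (only fixing the software state does), and emits remediation steps that respect the FDA constraint that local IT cannot change a certified image.

```python
"""Discovery -> analysis -> remediation triage over a CMMS-style inventory.

Added example, not code from the article or from IBM. Assumptions: the
inventory fields, the end-of-support table, the compensating-control names
and the 0-3 risk scale are illustrative choices made here.
"""
from dataclasses import dataclass, field
from datetime import date

# Vendor end-of-support dates as generally published (assumption: an OS not
# in this table is scored "unknown", which needs a human look, not a pass).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Controls that reduce exposure without touching the certified software image.
# The wording is this example's, not an FDA or IBM recommendation.
COMPENSATING_CONTROLS = {
    "segmented": "place the device on a dedicated clinical VLAN with deny-by-default ACLs",
    "no_internet": "block outbound internet from that segment at the boundary firewall",
    "monitored": "mirror the segment's traffic to network monitoring for unexpected connections",
}

AUDIT_DATE = date(2019, 2, 12)   # fixed so the example is reproducible


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    location: str            # from the CMMS record; discovery confirms it
    os_name: str
    os_patched: bool         # patches current for that OS at audit time
    fda_regulated: bool      # if True, local IT cannot change the image
    controls: frozenset = field(default_factory=frozenset)


def os_status(os_name: str, today: date) -> str:
    """Discovery output -> support status of the embedded OS."""
    eos = END_OF_SUPPORT.get(os_name)
    if eos is None:
        return "unknown"
    return "out_of_support" if today >= eos else "supported"


def assess(dev: Device, today: date) -> dict:
    """Analysis: patch state, compensating controls, risk; plus remediation steps."""
    status = os_status(dev.os_name, today)
    base = {"out_of_support": 3, "unknown": 2, "supported": 0}[status]
    if status == "supported" and not dev.os_patched:
        base = 2
    actions = []
    if status == "out_of_support":
        actions.append("request OEM-validated update; local OS upgrade not permitted"
                       if dev.fda_regulated else "upgrade to a supported OS release")
    elif status == "unknown":
        actions.append("record OS/firmware version during discovery before scoring")
    elif not dev.os_patched:
        actions.append("apply OEM-approved patches" if dev.fda_regulated
                       else "apply current vendor patches")
    # Controls lower the score one step each but never clear it: only fixing
    # the underlying software state removes the exposure.
    risk = base
    for name, guidance in COMPENSATING_CONTROLS.items():
        if name in dev.controls:
            risk -= 1
        elif base > 0:
            actions.append(guidance)
    risk = max(risk, 1) if base > 0 else 0
    return {"asset_id": dev.asset_id, "location": dev.location,
            "os_status": status, "risk": risk, "actions": actions}


def triage(inventory, today: date):
    """Whole-inventory analysis, highest risk first, so teams know where to start."""
    return sorted((assess(d, today) for d in inventory), key=lambda r: -r["risk"])


# Constructed CMMS export: four made-up assets, not real hospital data.
INVENTORY = [
    Device("CT-0001", "CT scanner", "Radiology", "Windows XP", False, True),
    Device("INF-0042", "Infusion pump", "ICU", "Windows 7", False, True,
           frozenset({"segmented", "no_internet"})),
    Device("WS-0100", "Nursing workstation", "Ward 3", "Windows 10", True, False,
           frozenset({"segmented"})),
    Device("US-0007", "Ultrasound cart", "Maternity", "VxWorks 6.9", False, True),
]

if __name__ == "__main__":
    for r in triage(INVENTORY, AUDIT_DATE):
        print(f"{r['asset_id']:9} {r['location']:10} {r['os_status']:15} risk={r['risk']}")
        for a in r["actions"]:
            print("   -", a)
```

Run as-is it lists the Windows XP CT scanner first, with an OEM-update request and all three network controls as its remediation, and the patched, segmented workstation last with nothing to do. The floor of 1 for any device with an underlying defect is the design choice worth keeping: segmentation and monitoring buy time for the device Broomhall describes, but the out-of-support OS stays on the list until the OEM ships and the FDA clears an update.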
So what would be the No. 1 takeaway for security teams, according to Broomhall?
“Healthcare organizations have been hacked and held hostage,” he said. “Discretely threatening medical devices is a very target-rich environment for people who wish to do others harm, or harm a particular hospital. When this happens and patient safety is compromised, there will be collateral damage to the health system’s reputation and ultimately the bottom line.”
His advice, he said, is simple: Don’t assume the problem will go away by waiting for new and better devices to enter inventory – one will forever be chasing a moving target.
Broomhall is scheduled to speak at the HIMSS19 session titled “Mitigating the Next Generation of Risk – Connected Devices.” It’s scheduled for Tuesday, February 12, from 4:15-5:15 p.m. in room W207C.
IBM will be in booths 400 and 6459.