Government inaction adds pressure to IoMT device and data security

It’s now become an unfortunate reality that U.S. hospital systems and other healthcare delivery organizations must look solely to their own leadership on Internet of Medical Things (IoMT) device and data security, as new legislation won’t be doing them any favors. With vulnerable IoMT devices a particularly popular pathway for ransomware and malware, the government’s relative inaction is worrisome.

Healthcare security legislation, watered down

Many hospitals have championed the inclusion of medical device security provisions in this year’s appropriations bill responsible for funding the U.S. Food and Drug Administration (FDA) and reauthorizing FDA user fee programs.

In June, a version of the bill that would have placed new legally binding security requirements on IoMT device manufacturers easily passed in the House of Representatives. That bill would have — and should have — held manufacturers responsible for assessing the cybersecurity of their internet-connected devices before bringing them to market. It would also have required them to provide a software bill of materials (SBOM) for transparency and greater security insights into device software components and vulnerabilities.

However, those device security provisions were stripped out of the version of the bill that passed at the end of September, as FDA funding was set to expire and disappointing compromises were carried out against the clock.

The PATCH Act

Hope isn’t lost for IoMT security requirements at the federal level. Introduced in March, the Protecting and Transforming Cyber Health Care (PATCH) Act would impose similar requirements. Device manufacturers would have to demonstrate cybersecurity precautions to the FDA before going to market; provide transparent SBOMs; and deliver timely device security updates throughout their products’ lifecycles.

In June, the PATCH Act was endorsed by the American Hospital Association, which represents nearly 5,000 healthcare delivery organizations and millions of healthcare professionals.

While medical device security proponents rightfully view the watered-down FDA appropriations bill as a frustrating missed opportunity, efforts such as the PATCH Act and others that enforce security at the manufacturer level will certainly continue.

But attackers aren’t waiting patiently while lawmakers get their act together (whether it’s PATCH or another measure). They are continuing to launch daily attacks on IoMT devices rife with vulnerabilities. With the government cavalry not coming to the rescue, the industry needs to rely on its own wherewithal to secure its internet-connected devices and systems as effectively as possible.

Healthcare security faces daunting IoMT challenges

Healthcare security teams are up against challenging limits. The industry largely depends on especially heterogeneous fleets of medical devices, with technology implementations ranging from the state-of-the-art to the woefully outdated. Traditional device security scanning to detect threats is often inapplicable because such scans will crash legacy devices.

Among the IoMT devices increasingly ubiquitous in many healthcare delivery environments, device manufacturers publish 2,000 to 3,000 vulnerabilities in an average month. But publishing vulnerabilities is one thing; actually patching them is another story. Even the most dutiful manufacturers patch just one in 50 of those vulnerabilities.

Network segmentation isn’t a strong option either since, without frequent maintenance, the addition of new devices inevitably erodes segmentation into a flat network.

The biggest limitation of all is one that distinguishes healthcare security from any other industry: Security teams can’t unilaterally deactivate vulnerable IoMT devices. Instead, they must balance their concerns with clinicians, because devices may be essential to patient experiences; even outcomes.

Security teams can easily exhaust their resources attempting to mitigate every device vulnerability in their environments, without achieving comprehensive results.

Zeroing in on the true IoMT threats

That said, there’s a great opportunity for healthcare delivery organizations’ cybersecurity teams to efficiently solve these security issues. According to exploit analysis, 90% of vulnerabilities in a given IoMT environment don’t actually present any risk.

This is because medical device exploits closely depend on the use case and the software components that are used in normal operation. Attackers carefully explore these factors, and will exploit the same vulnerability using different tactics based on what’s possible in a given scenario. Security teams can use the same approach to vastly narrow the battleground they must defend, accurately recognizing their true risks and concentrating resources on addressing the actual threats at hand.

The future of government leadership on enforcing medical device security at the manufacturer level is up in the air, and, realistically, it may remain so for some time.

So, healthcare delivery organizations must seize the initiative to protect their environments from attacks. They must do so by strategically optimizing security practices and prioritizing the true threats among the myriad IoMT device vulnerabilities they have to live with.

Shankar Somasundaram is CEO of Asimily