Securing Medical Devices in the Age of the Internet of Medical Things

Healthcare is rapidly moving to a completely digitized environment, and, as a result, devices have been introduced to the hospital ecosystem and bedside workflows to help extend and streamline care throughout the hospital. Within this Internet of Medical Things (IoMT), robust tools like smart medical devices have allowed clinicians to become more efficient and mobile with patient care. Unfortunately, this new technology has also opened the door to increased risk and new potential points of exposure for healthcare IT infrastructures.

With the number of IoT devices expected to reach 20.4 billion by 2020, healthcare IT can no longer afford to manage our medical devices the way we do now. And, we'd be foolish to think there's one tool out there that well help us manage. It's a puzzle that we have to find the pieces to complete. That puzzle will look different at almost every healthcare provider location, but should contain pieces that address four areas:

1. First, you have to discover the devices. After you find the devices connected to your network, of course you'll want to manage them. Many new discovery products have been introduced to the market over the last year, and most of these products will let you group devices based on traffic, while more sophisticated ones will build the groups for you automatically, and the most sophisticated will enforce the groupings automatically.

1. Once you find the devices, lock down as many as you can with strong authentication. Far too often, in an attempt to reduce the burden of manual authentication and to focus more time at the bedside, clinicians find less than secure ways to access the tools that they need for patient care, ultimately opening your organization up to even more risk. A two-factor medical device access solution combines security and convenience by enabling fast, secure authentication across enterprise workflows while creating a secure, auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.

1. Ultimately, there will be some devices you can't lock down or some that you’ll want to lock down harder than others. Use host-based IP tools to "disappear" these devices. Sounds ominous, I know, but in this case it’s good. Put a HIP switch (another cool name) in your IT closet, then plug the device into the mini HIP switch, which then plugs into the RJ45 jack on your wall, and you just "disappeared" that piece of medical equipment. The only people that can find it are people you tell about it. Obviously, since this piece of the puzzle has a hardware component, it has the highest "cost" (physical and monetary). Otherwise we'd just do it for our entire enterprise.

1. A final piece of the puzzle—the piece you'd normally find on the floor under the couch—is to deal with how medical devices talk. The majority of medical devices talk to only one server. Most infusion pumps talk to a single infusion pump server in the data center, it talks back to them and will generally talk to the medical record installed in the facility. This is how you can automatically build the groups with the sophisticated discovery tools mentioned above. They listen for these traffic patterns and tell you how to organize your groups based on those patterns. So, you can see the medical equipment talking to that single server, but so can the "bad guy" (if you didn't "disappear" them of course). If you're the bad guy and you see everything talking to a single point, that's the point you're going to attack, if you're a bad guy worth anything.

Within the last few years, products have come on the market that will, currently Linux only, scramble the "known code", so that when the bad guy tries to exploit that known vulnerability in that known code location, it's not there, and never will be. Theoretically, that would actually mean you'd never ever have to worry about patching that single server, at least not for security reasons (some patching is for performance reasons--you'll want to continue those). Again... think of the resources you can save there.  

Now, you've completed the IoMT puzzle. Find the devices. Group and manage the devices. Lock down the devices you can. Disappear your important, or super vulnerable devices. Scramble the code on the servers that talk to your devices. Gosh, it's so much easier to write this down than to actually do, but for the sake of your patients and their families, we (HIT) have to get this puzzle solved.

About the author: Wes Wright is the Chief Technology Officer at Imprivata. He brings more than 20 years of experience with healthcare providers, IT leadership, and security. Prior to joining Imprivata, he was the CTO at Sutter Health, where he was responsible for technical services strategies and operational activities for the 26-hospital system. He has been the CIO at Seattle Children’s Hospital and has served as the Chief of Staff for a three-star general in the US Air Force.