Securing Medical Devices in the Age of the Internet of Medical Things

By Special Guest
Wes Wright, CTO at Imprivata
December 13, 2018

Healthcare is rapidly moving to a completely digitized environment, and, as a result, devices have been introduced to the hospital ecosystem and bedside workflows to help extend and streamline care throughout the hospital. Within this Internet of Medical Things (IoMT), robust tools like smart medical devices have allowed clinicians to become more efficient and mobile with patient care. Unfortunately, this new technology has also opened the door to increased risk and new potential points of exposure for healthcare IT infrastructures.

With the number of IoT devices expected to reach 20.4 billion by 2020, healthcare IT can no longer afford to manage our medical devices the way we do now. And we'd be foolish to think there's one tool out there that will help us manage. It's a puzzle that we have to find the pieces to complete. That puzzle will look different at almost every healthcare provider location, but it should contain pieces that address four areas:

  1. First, you have to discover the devices. After you find the devices connected to your network, of course you'll want to manage them. Many new discovery products have been introduced to the market over the last year, and most of these products will let you group devices based on traffic, while more sophisticated ones will build the groups for you automatically, and the most sophisticated will enforce the groupings automatically.
  2. Once you find the devices, lock down as many as you can with strong authentication. Far too often, in an attempt to reduce the burden of manual authentication and to focus more time at the bedside, clinicians find less-than-secure ways to access the tools that they need for patient care, ultimately opening your organization up to even more risk. A two-factor medical device access solution combines security and convenience by enabling fast, secure authentication across enterprise workflows while creating a secure, auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.
  3. Ultimately, there will be some devices you can't lock down or some that you'll want to lock down harder than others. Use host-based IP tools to "disappear" these devices. Sounds ominous, I know, but in this case it's good. Put a HIP switch (another cool name) in your IT closet, then plug the device into the mini HIP switch, which then plugs into the RJ45 jack on your wall, and you just "disappeared" that piece of medical equipment. The only people that can find it are people you tell about it. Obviously, since this piece of the puzzle has a hardware component, it has the highest "cost" (physical and monetary). Otherwise we'd just do it for our entire enterprise.
  4. A final piece of the puzzle—the piece you'd normally find on the floor under the couch—is to deal with how medical devices talk. The majority of medical devices talk to only one server. Most infusion pumps talk to a single infusion pump server in the data center; that server talks back to them and will generally talk to the medical record installed in the facility. This is how you can automatically build the groups with the sophisticated discovery tools mentioned above. They listen for these traffic patterns and tell you how to organize your groups based on those patterns. So, you can see the medical equipment talking to that single server, but so can the "bad guy" (if you didn't "disappear" them, of course). If you're the bad guy and you see everything talking to a single point, that's the point you're going to attack, if you're a bad guy worth anything.
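The traffic-pattern grouping described in items 1 and 4, as an added example (not from the article or any vendor product): it groups devices by the server endpoint they share, ranks those servers by how many devices depend on them, and flags flows that fall outside the pattern. The flow records, addresses and ports are constructed, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed flow records (source IP, destination IP, destination port);
# in practice these would come from NetFlow/IPFIX or a discovery tool's export.
FLOWS = [
    ("10.20.1.11", "10.50.0.5", 8443),   # infusion pumps -> pump server
    ("10.20.1.12", "10.50.0.5", 8443),
    ("10.20.1.13", "10.50.0.5", 8443),
    ("10.20.2.21", "10.50.0.9", 2575),   # bedside monitors -> their gateway
    ("10.20.2.22", "10.50.0.9", 2575),
    ("10.50.0.5", "10.50.0.30", 443),    # pump server -> medical record
    ("10.20.1.12", "10.20.2.21", 445),   # a pump talking to a monitor
]

def build_groups(flows, min_members=2):
    """Group devices by the (server, port) endpoint they share."""
    fan_in = defaultdict(set)
    for src, dst, port in flows:
        fan_in[(dst, port)].add(src)
    return {ep: devs for ep, devs in fan_in.items() if len(devs) >= min_members}

def choke_points(groups):
    """Servers ordered by how many devices depend on them: harden these first."""
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ep, len(devs)) for ep, devs in ranked]

def off_pattern(flows, groups):
    """Flows from a grouped device to anything other than its group's server."""
    allowed = defaultdict(set)
    for ep, devs in groups.items():
        for dev in devs:
            allowed[dev].add(ep)
    return [f for f in flows if f[0] in allowed and (f[1], f[2]) not in allowed[f[0]]]

if __name__ == "__main__":
    groups = build_groups(FLOWS)
    for (server, port), count in choke_points(groups):
        print(f"{server}:{port} serves {count} devices")
    for src, dst, port in off_pattern(FLOWS, groups):
        print(f"review: {src} -> {dst}:{port} is outside its group's pattern")
```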

Within the last few years, products have come on the market (currently Linux only) that will scramble the "known code", so that when the bad guy tries to exploit that known vulnerability in that known code location, it's not there, and never will be. Theoretically, that would actually mean you'd never ever have to worry about patching that single server, at least not for security reasons (some patching is for performance reasons, and you'll want to continue those). Again... think of the resources you can save there.

Now, you've completed the IoMT puzzle. Find the devices. Group and manage the devices. Lock down the devices you can. Disappear your important, or super vulnerable devices. Scramble the code on the servers that talk to your devices. Gosh, it's so much easier to write this down than to actually do, but for the sake of your patients and their families, we (HIT) have to get this puzzle solved.

About the author: Wes Wright is the Chief Technology Officer at Imprivata. He brings more than 20 years of experience with healthcare providers, IT leadership, and security. Prior to joining Imprivata, he was the CTO at Sutter Health, where he was responsible for technical services strategies and operational activities for the 26-hospital system. He has been the CIO at Seattle Children’s Hospital and has served as the Chief of Staff for a three-star general in the US Air Force.

Edited by Ken Briodagh