Connected devices are making real-time patient monitoring and advanced care possible. But as with every new technology, cybercriminals lurk, waiting to take advantage of vulnerabilities. It’s up to IT to secure PHI and PII. Here’s how.
In September 2023 CSO Online reported that the riskiest enterprise assets – those that introduce threats to global businesses – fall into a relatively new technology category: Internet of medical things (IoMT) assets.
IoMT assets, which CSO Online defines as “connected devices used in medical/healthcare environments,” are being attacked in high numbers, according to the publication. The most vulnerable devices, it found, include media writers, infusion pumps and imaging workstations, among other items. Indeed, security vulnerabilities have been discovered in surgical robots, cardiac monitors, insulin pumps, anesthesia machines, defibrillators and hospital monitoring equipment. The Department of Health and Human Services reported this fall that healthcare data breaches are up more than 60% year-over-year. That number is sure to climb as telehealth offerings, which were used by about a quarter of all patients in 2022, become more mainstream.
With people’s lives and personally identifiable information at stake, medical information technology executives must move quickly to secure telehealth-related medical devices and the health and personal information of patients. But it’s not enough for healthcare providers to take on IoMT security alone. Healthcare providers and medical device manufacturers must share the responsibility of ensuring secure patient care. Getting there will take some work.
Going back to basics
The biggest problem today is a lack of end-to-end security for IoMT devices. The devices themselves don’t always have security baked in at the component and software level, and there’s also a lack of security and processes once the devices arrive at care facilities, says Sudhakar Kamalanathan, security strategist at Cognizant.
“Most people assume that telemedicine devices are self-healing and self-governing, but they’re not,” he explains. “It's a cradle to grave approach that we must take for the security oversight. There must be security prebuilt into the devices from the factory floor, and there has to be security and regulatory practices put into place once you send it out into the world.”
These processes and practices include device access control, data security and key management, as well as regularly scheduled and performed maintenance and updates. Device access control is a two-part process. It originates with manufacturers, which build cryptographic material into the device so it can authenticate and authorize itself. It continues with the care facility’s IT department, which puts rules into place around data use: who can access, change and alter the device and its corresponding data.
“For example, nurse practitioners would be limited to just the patient data. They would not have a need for administering the device. They wouldn't be that elevated, privileged user that can actually do things to the device such as reboot it,” Kamalanathan says.
Data security starts at the device level with access control, but moves throughout the entire organization, he says. Healthcare organizations should look carefully at data storage and security, tying it into the overall security plan, which includes key management – installing and managing digital certificates or keys – to make sure only vetted, authorized users have access to the device and its data.
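The two-part access control described above, sketched as an added example (not code from the article, Cognizant or any device vendor). It assumes an HMAC challenge-response over a factory-provisioned key as a stand-in for the device's built-in cryptographic material; the device ID, role names and action names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: hypothetical device ID and factory-provisioned key.
FACTORY_KEYS = {"pump-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}

# Facility-side rules (hypothetical roles): which role may do what to a device.
ROLE_ACTIONS = {
    "nurse_practitioner": {"read_patient_data"},
    "biomed_admin": {"read_patient_data", "reboot", "update_firmware"},
}


def device_response(device_key: bytes, challenge: bytes) -> bytes:
    """What the device computes with the key built in at the factory."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def verify_device(device_id: str, challenge: bytes, response: bytes) -> bool:
    """Facility side: accept the device only if it proves key possession."""
    key = FACTORY_KEYS.get(device_id)
    if key is None:
        return False  # unknown device: not in the key inventory
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)  # constant-time compare


def authorize(role: str, action: str, device_authenticated: bool) -> bool:
    """Deny by default: unauthenticated device or unlisted role/action fails."""
    if not device_authenticated:
        return False
    return action in ROLE_ACTIONS.get(role, set())


def handle_request(device_id: str, role: str, action: str,
                   device_key: bytes) -> bool:
    """Run one request end to end with a fresh random challenge."""
    challenge = secrets.token_bytes(32)
    response = device_response(device_key, challenge)
    authenticated = verify_device(device_id, challenge, response)
    return authorize(role, action, authenticated)
```
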
Enabling safe, secure patient care today – and tomorrow
Unfortunately, there’s a big barrier to all of the above: a lack of device visibility within organizations. Kamalanathan says that most organizations have no way to keep track of these issues because there is such a proliferation of IoT and IoMT devices across the network. “You can’t secure what you don’t know,” he says. “Device visibility is a huge problem.”
Research bears this out. By 2025 there will be more than 55.7 billion connected IoT devices that generate a collective 80B zettabytes of data each year, according to research firm IDC. For example, one healthcare organization, Dayton Children’s Hospital, found that it has about 25,000 IoMT, IoT and other devices, which include x-ray machines, MRI machines and security cameras.
The company was able to identify its devices by working with a partner that provided an assessment, finding each of the devices – many of which were previously unknown to the organization. The passive assessment and discovery process was able to identify every device on the network with an IP address, categorize them and create a device taxonomy. The result: A heat map that identified where security gaps were and how the hospital network could prevent security breaches and data loss.
How generative AI is taking on the bad guys
Knowing what’s out there and how it’s all connected is only part of the solution, though. Today, as threats multiply daily and zero-day threats change in an instant, organizations need another weapon in their arsenal to protect their IoMT and associated data and networks. Recently, generative artificial intelligence (AI) has been filling that void, helping providers protect their telehealth devices and infrastructure.
Generative AI can be used in a number of ways within IoMT security. After organizations attain a single-pane-of-glass view of not only telemedicine devices but all the systems and hardware that they connect to, generative AI can be used to help make decisions about potential threats and where it will be most important for IT to focus its magnifying glass in the short and long term. The technology can also be used to create rules across the network and simplify management.
While it’s still early in the adoption cycle for both IoMT and generative AI, combined they have the promise of real change, Kamalanathan says. “It has to be an organic process that has to be adopted slowly,” he says. “We are building use cases and we are prototyping them.”