The medical internet of things (IoT) is no longer a futuristic concept. It is here today, and it includes devices you may have never considered a part of the patient care ecosystem, such as elevators, beds, exit signs and clocks. Between those operational technologies and the devices the U.S. Food and Drug Administration (FDA) has already deemed critical, the healthcare vulnerability landscape continues to expand, with each connected device potentially elevating the risk of an attack.

The Vulnerability Scanning Conundrum

With medical devices becoming connected devices, we have seen vulnerability scanning become commonplace among many hospitals. The main drivers seem to be regulatory mandates, high-profile breaches and the overall concern that one compromise could potentially impact patient health. The challenge, however, is that with hundreds of medical IoT — or internet of medical things (IoMT) — devices connecting to the network, scans can produce an endless pile of vulnerabilities.

Deciding which vulnerabilities should be remediated first can be challenging, and for the hospitals that do prioritize their remediation efforts, basing actions solely on technical risk may not be sufficient. For example, let’s say a device has 10 vulnerabilities. Focusing on the technical risk means security teams only assess what those vulnerabilities can do to the device itself. If one vulnerability could shut down a device, then it may be bumped to the top for remediation. That strategy, however, can omit key contextual information, such as whether the device is attached to a patient, what services the device delivers, which other services it talks to and the impact of those services potentially being interrupted.

When hospitals classify vulnerabilities, they should match the vulnerabilities with information about actual workflows, service delivery of the devices and threats that could lead to a compromise. In other words, security teams should consider the potential clinical and organizational impacts.

4 Pillars of Impact to Assess Risk

The global clinical security consulting company AbedGraham created a four-pillar model — the COFR Approach™ — that breaks down impact into four pillars: clinical, organizational, financial and regulatory. They all intersect at some point, but their high-level definitions remain distinct.

[Figure: the COFR Approach™ four-pillar impact model. Source: AbedGraham]

Clinical Impact

Clinical impact is patient impact. For example, if a denial-of-service (DoS) attack shuts down a person’s pacemaker, the impact can be a loss of life. Hospitals typically prioritize clinical impact in almost every other scenario. As such, it should be prioritized in the security realm too.

Organizational Impact

Organizational impact is related to hospital workflows. If a compromise disrupts a workflow it could cause significant damage. For example, let’s say an IoT management system alerts the hospital’s maintenance crew when a room needs to be cleaned before a new patient moves in. If the system went down, that patient, and any other new patients, could not be moved in, which would affect the intake and discharge rate of the hospital.

Financial Impact

Financial impact can include regulatory fines and also losses from reputational damage. If you knew a hospital was breached or, even worse, if a patient’s life-saving device was compromised by an attacker, would you go to that hospital? Breaches can affect the financial solvency of hospitals. They aim for a no-breach reputation because many medical breaches could potentially impact patient health (which intersects with clinical impact).

Regulatory Impact

Regulatory mandates like the Health Insurance Portability and Accountability Act (HIPAA) require that hospitals implement certain technologies, processes and policies for mitigating risk. If they do not comply, they could face fines of millions of dollars.

When hospital security teams determine which vulnerabilities to tackle first, they must pair all four of these impacts with other risk factors, such as whether the vulnerability can be exploited by attackers and how important the device is to the organization. When they correlate the potential impacts with the exploitable vulnerabilities and asset value, they can better understand true risk.
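The following script is an added example, not code from the article, IBM or AbedGraham. It ranks the same set of scanner findings two ways: by technical severity alone, and by a score that also weighs the four impact pillars, exploitability and asset value. It also flags devices whose remediation (for instance, taking them offline to patch) should be cleared with the biomedical engineering team first, reflecting the contextual information the article says a purely technical ranking omits. Every device, score, weight and threshold is constructed for illustration; the pillar weights and the exploitability discount are assumptions, not a published methodology.

```python
"""Impact-weighted prioritization of medical IoT/IoMT vulnerabilities.

Added example, not code from the article, IBM or AbedGraham. All devices,
scores, weights and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass

PILLARS = ("clinical", "organizational", "financial", "regulatory")

# Assumed relative weights: patient safety dominates, in line with the
# article's point that clinical impact is prioritized in almost every scenario.
PILLAR_WEIGHTS = {"clinical": 0.50, "organizational": 0.20,
                  "financial": 0.15, "regulatory": 0.15}


@dataclass(frozen=True)
class Device:
    name: str
    asset_value: float          # 0..1, importance of the device to the organization
    impact: dict                # pillar -> 0..1, harm if its service is disrupted
    attached_to_patient: bool = False


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    device: Device
    technical_severity: float   # 0..10, e.g. a scanner's CVSS base score
    exploitable: bool           # exploit known and device reachable by an attacker


def impact_score(device: Device) -> float:
    """Weighted organization-wide impact across the four pillars, 0..1."""
    return sum(PILLAR_WEIGHTS[p] * device.impact.get(p, 0.0) for p in PILLARS)


def contextual_risk(f: Finding) -> float:
    """Technical severity, discounted when not exploitable, then scaled by
    asset value and organization-wide impact. Result is in the range 0..10."""
    exploit_factor = 1.0 if f.exploitable else 0.3   # assumed discount
    return round(f.technical_severity * exploit_factor
                 * f.device.asset_value * impact_score(f.device), 2)


def needs_clinical_coordination(device: Device) -> bool:
    """True when remediation should be cleared with biomedical engineering
    first: the device is on a patient, or disrupting it would materially
    affect clinical care or hospital workflows (assumed threshold 0.5)."""
    return (device.attached_to_patient
            or device.impact.get("clinical", 0.0) >= 0.5
            or device.impact.get("organizational", 0.0) >= 0.5)


def rank_technical(findings):
    """Ordering a scanner alone would produce: highest severity first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.technical_severity)]


def rank_contextual(findings):
    """Ordering after weighing impact, exploitability and asset value."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -contextual_risk(f))]


# Constructed sample inventory (no real products, vendors or CVEs).
PUMP = Device("infusion pump", 0.9,
              {"clinical": 1.0, "organizational": 0.6, "financial": 0.7, "regulatory": 0.8},
              attached_to_patient=True)
CLOCK = Device("synchronized wall clock", 0.1,
               {"clinical": 0.0, "organizational": 0.1, "financial": 0.1, "regulatory": 0.0})
EMR = Device("electronic medical records server", 1.0,
             {"clinical": 0.6, "organizational": 1.0, "financial": 0.8, "regulatory": 1.0})
BEDS = Device("room-turnover alerting system", 0.5,
              {"clinical": 0.2, "organizational": 0.8, "financial": 0.3, "regulatory": 0.2})

SAMPLE_FINDINGS = [
    Finding("VULN-A", PUMP, 7.5, exploitable=True),
    Finding("VULN-B", CLOCK, 9.8, exploitable=True),   # highest CVSS, lowest impact
    Finding("VULN-C", EMR, 8.1, exploitable=False),
    Finding("VULN-D", BEDS, 6.5, exploitable=True),
]

if __name__ == "__main__":
    print("technical order: ", rank_technical(SAMPLE_FINDINGS))
    print("contextual order:", rank_contextual(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        flag = "coordinate with biomed" if needs_clinical_coordination(f.device) else "IT can schedule"
        print(f"{f.vuln_id} {f.device.name:<34} risk={contextual_risk(f):5.2f}  {flag}")
```

On the constructed data the wall clock's 9.8 finding tops the technical list but drops to the bottom once impact and asset value are weighed, while the infusion pump's 7.5 finding moves to the top and is flagged for coordination with biomedical engineering before anyone takes the device offline.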

Break Down Security Silos and Unite Teams

Many hospitals today operate in silos. Two core teams, in particular the biomedical engineering team and IT security team, can affect how medical IoT/IoMT vulnerabilities are prioritized for remediation.

The biomedical engineering team is typically responsible for maintaining medical IoT technologies. While some are not security experts, many understand which servers and systems cannot be taken down (to apply a patch, for example) because the clinical and operational impact is too significant.

The IT security team, on the other hand, may spot a critical vulnerability on a medical IoT/IoMT device and seek to patch it as soon as possible. That may entail isolating or pulling servers and services, like the electronic medical records server, out of production. In those cases, if the IT security team does not talk to the biomedical engineering team first, they could potentially disconnect business-critical systems and cause significant operational, clinical and financial impact.

The two teams should unite and maintain a continuous stream of communication to understand and minimize risk. Our IBM Security healthcare specialists have seen the roles merge in some hospitals. The new role, “Biomed Cybersecurity Leader,” is the bridge that understands how to apply the four pillars of impact when determining risk. We expect to see more of that role in the near future.

Minimize Risk by Measuring Impact Across the Organization

As the number of critical medical IoT/IoMT devices continues to expand, attackers have more opportunities to accomplish their goals. To minimize the risk of them succeeding, devices and the vulnerabilities exposing them to potential attacks should be prioritized based on impact across the entire organization and, of course, with patient safety in the center.

To help achieve that objective, silos among IoT technologies and hospital teams should be broken down and impact across the four pillars — clinical, organizational, financial and regulatory — should be weighed.

X-Force Red, IBM Security’s team of hackers, offers a vulnerability management service for healthcare organizations that helps our clients prioritize and fix medical IoT/IoMT vulnerabilities based on clinical impact, exploitation and asset value. The team can also serve as the bridge to bring the right organizational teams together, and as a hospital’s advocate when working with IoT device manufacturers.
