The medical internet of things (IoT) is no longer a futuristic concept. It is here today, and it includes devices you may have never considered a part of the patient care ecosystem, such as elevators, beds, exit signs and clocks. Between those operational technologies and the devices the U.S. Food and Drug Administration (FDA) has already deemed critical, the healthcare vulnerability landscape continues to expand, with each connected device potentially elevating the risk of an attack.

The Vulnerability Scanning Conundrum

With medical devices becoming connected devices, we have seen vulnerability scanning become commonplace among many hospitals. The main drivers seem to be regulatory mandates, high-profile breaches and the overall concern that one compromise could potentially impact patient health. The challenge, however, is that with hundreds of medical IoT — or internet of medical things (IoMT) — devices connecting to the network, scans can produce an endless pile of vulnerabilities.

Deciding which vulnerabilities should be remediated first can be challenging, and for the hospitals that do prioritize their remediation efforts, basing actions solely on technical risk may not be sufficient. For example, let’s say a device has 10 vulnerabilities. Focusing on the technical risk means security teams only assess what those vulnerabilities can do to the device itself. If one vulnerability could shut down a device, then it may be bumped to the top for remediation. That strategy, however, can omit key contextual information, such as whether the device is attached to a patient, what services the device delivers, which other services it talks to and the impact of those services potentially being interrupted.

When hospitals classify vulnerabilities, they should match the vulnerabilities with information about actual workflows, service delivery of the devices and threats that could lead to a compromise. In other words, security teams should consider the potential clinical and organizational impacts.

4 Pillars of Impact to Assess Risk

The global clinical security consulting company AbedGraham created a four-pillar model, the COFR Approach™, that breaks impact down into clinical, organizational, financial and regulatory impact. The four pillars intersect at some point, but their high-level definitions remain distinct.

[Figure: the four pillars of the COFR Approach. Source: AbedGraham]

Clinical Impact

Clinical impact is patient impact. For example, if a denial-of-service (DoS) attack shuts down a person’s pacemaker, the impact can be a loss of life. Hospitals typically prioritize clinical impact in almost every other scenario. As such, it should be prioritized in the security realm too.

Organizational Impact

Organizational impact is related to hospital workflows. If a compromise disrupts a workflow it could cause significant damage. For example, let’s say an IoT management system alerts the hospital’s maintenance crew when a room needs to be cleaned before a new patient moves in. If the system went down, that patient, and any other new patients, could not be moved in, which would affect the intake and discharge rate of the hospital.

Financial Impact

Financial impact includes regulatory fines as well as losses from reputational damage. If you knew a hospital was breached or, even worse, that a patient’s life-saving device had been compromised by an attacker, would you go to that hospital? Breaches can affect the financial solvency of hospitals. Hospitals aim for a no-breach reputation because many medical breaches could also affect patient health (which is where financial impact intersects with clinical impact).

Regulatory Impact

Regulatory mandates like the Health Insurance Portability and Accountability Act (HIPAA) require that hospitals implement certain technologies, processes and policies for mitigating risk. If they do not comply, they could face fines of millions of dollars.

When hospital security teams determine which vulnerabilities to tackle first, they must pair all four of these impacts with other risk factors, such as whether the vulnerability is exploitable by attackers and how important the device is to the organization. When they correlate the potential impacts with the exploitable vulnerabilities and asset value, they can better understand true risk.
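The prioritization described above, combining technical severity, exploitability, asset value and the four COFR impact pillars, as an added worked example that is not part of the original article or of AbedGraham's or IBM's own scoring method. The weights, scales, formula, device names and vulnerability labels are all this example's assumptions; it reproduces the earlier point that a purely technical ranking and an impact-aware ranking can disagree.

```python
from dataclasses import dataclass

# The four COFR pillars are the article's; the weights, scales and formula below
# are this example's own assumptions, not AbedGraham's or IBM's scoring method.
PILLAR_WEIGHTS = {"clinical": 0.40, "organizational": 0.25, "financial": 0.20, "regulatory": 0.15}

@dataclass
class Device:
    name: str
    asset_value: float         # 0..1: importance of the device to the organization
    impact: dict               # pillar -> 0..10 impact if the device is disrupted
    patient_attached: bool = False

@dataclass
class Vuln:
    vid: str                   # constructed label, not a real CVE id
    technical_severity: float  # 0..10, e.g. a CVSS base score (technical risk only)
    exploitable: bool          # is a practical exploitation path known?
    device: Device

def impact_score(dev: Device) -> float:
    """Weighted COFR impact, 0..10. A device attached to a patient is scored at
    least at its clinical impact so the other pillars cannot dilute a life-safety case."""
    score = sum(w * dev.impact.get(p, 0.0) for p, w in PILLAR_WEIGHTS.items())
    if dev.patient_attached:
        score = max(score, dev.impact.get("clinical", 0.0))
    return score

def risk_score(v: Vuln) -> float:
    """Technical severity x exploitability x asset value x organization-wide impact."""
    exploit_factor = 1.0 if v.exploitable else 0.3
    asset_factor = 0.5 + 0.5 * v.device.asset_value
    return v.technical_severity * exploit_factor * asset_factor * impact_score(v.device) / 10

def ranked(vulns, key=risk_score):
    """Vulnerability ids, highest priority first, under the given scoring key."""
    return [v.vid for v in sorted(vulns, key=key, reverse=True)]

# Constructed sample: a networked wall clock, an infusion pump and the EMR server.
CLOCK = Device("hallway clock", 0.1, {"clinical": 1, "organizational": 2, "financial": 1, "regulatory": 1})
PUMP = Device("infusion pump", 0.9, {"clinical": 10, "organizational": 6, "financial": 7, "regulatory": 8}, True)
EMR = Device("EMR server", 1.0, {"clinical": 7, "organizational": 10, "financial": 8, "regulatory": 9})
SAMPLE = [Vuln("clock-dos", 9.8, True, CLOCK), Vuln("emr-rce", 8.8, False, EMR), Vuln("pump-dos", 7.5, True, PUMP)]

if __name__ == "__main__":
    print("technical only:", ranked(SAMPLE, key=lambda v: v.technical_severity))
    print("impact-aware:  ", ranked(SAMPLE))
```

On the sample, the technical-only ranking puts the clock first because its severity score is highest, while the impact-aware ranking moves the patient-attached pump to the top and the clock to the bottom.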

Break Down Security Silos and Unite Teams

Many hospitals today operate in silos. Two core teams in particular, the biomedical engineering team and the IT security team, shape how medical IoT/IoMT vulnerabilities are prioritized for remediation.

The biomedical engineering team is typically responsible for maintaining medical IoT technologies. While some are not security experts, many understand which servers and systems cannot be taken down (to apply a patch, for example) because the clinical and operational impact is too significant.

The IT security team, on the other hand, may spot a critical vulnerability on a medical IoT/IoMT device and seek to patch it as soon as possible. That may entail isolating or pulling servers and services, like the electronic medical records server, out of production. In those cases, if the IT security team does not talk to the biomedical engineering team first, they could potentially disconnect business-critical systems and cause significant operational, clinical and financial impact.

The two teams should unite and maintain a continuous stream of communication to understand and minimize risk. Our IBM Security healthcare specialists have seen the roles merge in some hospitals. The new role, “Biomed Cybersecurity Leader,” is the bridge that understands how to apply the four pillars of impact when determining risk. We expect to see more of that role in the near future.

Minimize Risk by Measuring Impact Across the Organization

As the number of critical medical IoT/IoMT devices continues to expand, attackers have more opportunities to accomplish their goals. To minimize the risk of them succeeding, devices and the vulnerabilities exposing them to potential attacks should be prioritized based on impact across the entire organization and, of course, with patient safety at the center.

To help achieve that objective, silos among IoT technologies and between hospital teams should be broken down, and impact across the four pillars (clinical, organizational, financial and regulatory) should be weighed.

X-Force Red, IBM Security’s team of hackers, offers a vulnerability management service for healthcare organizations that helps our clients prioritize and fix medical IoT/IoMT vulnerabilities based on clinical impact, exploitation and asset value. The team can also serve as the bridge to bring the right organizational teams together, and as a hospital’s advocate when working with IoT device manufacturers.
