The medical internet of things (IoT) is no longer a futuristic concept. It is here today, and it includes devices you may have never considered a part of the patient care ecosystem, such as elevators, beds, exit signs and clocks. Between those operational technologies and the devices the U.S. Food and Drug Administration (FDA) has already deemed critical, the healthcare vulnerability landscape continues to expand, with each connected device potentially elevating the risk of an attack.
The Vulnerability Scanning Conundrum
With medical devices becoming connected devices, we have seen vulnerability scanning become commonplace among many hospitals. The main drivers seem to be regulatory mandates, high-profile breaches and the overall concern that one compromise could potentially impact patient health. The challenge, however, is that with hundreds of medical IoT — or internet of medical things (IoMT) — devices connecting to the network, scans can produce an endless pile of vulnerabilities.
Deciding which vulnerabilities should be remediated first can be challenging, and for the hospitals that do prioritize their remediation efforts, basing actions solely on technical risk may not be sufficient. For example, let’s say a device has 10 vulnerabilities. Focusing on the technical risk means security teams only assess what those vulnerabilities can do to the device itself. If one vulnerability could shut down a device, then it may be bumped to the top for remediation. That strategy, however, can omit key contextual information, such as whether the device is attached to a patient, what services the device delivers, which other services it talks to and the impact of those services potentially being interrupted.
When hospitals classify vulnerabilities, they should match the vulnerabilities with information about actual workflows, service delivery of the devices and threats that could lead to a compromise. In other words, security teams should consider the potential clinical and organizational impacts.
4 Pillars of Impact to Assess Risk
The global clinical security consulting company AbedGraham created a four-pillar model — the COFR Approach™ — that breaks down impact into four pillars: clinical, organizational, regulatory and financial. They all intersect at some point, but their high-level definitions remain distinct.
Clinical impact is patient impact. For example, if a denial-of-service (DoS) attack shuts down a person’s pacemaker, the impact can be a loss of life. Hospitals typically prioritize clinical impact in almost every other scenario. As such, it should be prioritized in the security realm too.
Organizational impact is related to hospital workflows. If a compromise disrupts a workflow, it could cause significant damage. For example, let’s say an IoT management system alerts the hospital’s maintenance crew when a room needs to be cleaned before a new patient moves in. If the system went down, that patient, and any other new patients, could not be moved in, which would affect the intake and discharge rate of the hospital.
Financial impact can include regulatory fines and also losses from reputational damage. If you knew a hospital was breached or, even worse, if a patient’s life-saving device was compromised by an attacker, would you go to that hospital? Breaches can affect the financial solvency of hospitals. Hospitals aim for a no-breach reputation because many medical breaches could potentially impact patient health (which intersects with clinical impact).
Regulatory mandates like the Health Insurance Portability and Accountability Act (HIPAA) require that hospitals implement certain technologies, processes and policies for mitigating risk. If they do not comply, they could face fines of millions of dollars.
When hospital security teams determine which vulnerabilities to tackle first, they must pair all four of these impacts with other risk factors, such as whether the vulnerability can be exploited by attackers and the importance of the device to the organization. When they correlate the potential impacts with the exploitable vulnerabilities and asset value, they can better understand true risk.
Break Down Security Silos and Unite Teams
Many hospitals today operate in silos. Two core teams in particular, the biomedical engineering team and the IT security team, can affect how medical IoT/IoMT vulnerabilities are prioritized for remediation.
The biomedical engineering team is typically responsible for maintaining medical IoT technologies. While some are not security experts, many understand which servers and systems cannot be taken down (to apply a patch, for example) because the clinical and operational impact is too significant.
The IT security team, on the other hand, may spot a critical vulnerability on a medical IoT/IoMT device and seek to patch it as soon as possible. That may entail isolating or pulling servers and services, like the electronic medical records server, out of production. In those cases, if the IT security team does not talk to the biomedical engineering team first, they could potentially disconnect business-critical systems and cause significant operational, clinical and financial impact.
The two teams should unite and maintain a continuous stream of communication to understand and minimize risk. Our IBM Security healthcare specialists have seen the roles merge in some hospitals. The new role, “Biomed Cybersecurity Leader,” is the bridge that understands how to apply the four pillars of impact when determining risk. We expect to see more of that role in the near future.
Minimize Risk by Measuring Impact Across the Organization
As the number of critical medical IoT/IoMT devices continues to expand, attackers have more opportunities to accomplish their goals. To minimize the risk of them succeeding, devices and the vulnerabilities exposing them to potential attacks should be prioritized based on impact across the entire organization and, of course, with patient safety at the center.
To help achieve that objective, silos among IoT technologies and hospital teams should be broken down, and impact across the four pillars (clinical, organizational, financial and regulatory) should be weighed.
X-Force Red, IBM Security’s team of hackers, offers a vulnerability management service for healthcare organizations that helps our clients prioritize and fix medical IoT/IoMT vulnerabilities based on clinical impact, exploitation and asset value. The team can also serve as the bridge to bring the right organizational teams together, and as a hospital’s advocate when working with IoT device manufacturers.
Abby Ross is Associate Partner for X-Force Red, IBM Security's team of veteran hackers. Abby is a seasoned marketing and public relations professional, with ...