As ransomware attacks continue to escalate, the most common target is Internet of Things devices, and hospitals and other key medical systems are facing the risk of soaring. In 2021 alone, Internet of Things ransomware attacks against healthcare institutions will increase by 123%.
Although most healthcare systems attach great importance to the importance of protecting a large number of medical Internet of Things (IoMT) devices in their facilities, many systems have some misunderstandings, which hinder the ability to achieve best IoMT security protection and best practices. These misconceptions, as well as the harsh realities that healthcare organizations should understand and base on their practices, include:
1) Traditional IT security tools are sufficient.
The healthcare system often makes the mistake of thinking that the security of all devices is the same, and that the protection provided for standard IT devices, such as servers and laptops, can also effectively protect IoMT devices.
For many reasons, traditional IT security cannot reliably protect IoMT devices. First, many traditional security tools use active scanning to detect threats. However, most IoMT devices cannot withstand active scanning and will collapse, which may affect the health of patients. Tools designed to protect traditional equipment are also unlikely to reliably discover and inventory IoMT equipment, or protect unknown equipment. This method also lacks the ability to assess the risks associated with or not connecting IoMT equipment.
A better approach is to adopt a security policy for the current task. Effective security will utilize IoMT specific data, frameworks, and MDS2 manufacturer disclosure statements to understand and mitigate known vulnerabilities. IoMT security also requires a comprehensive understanding of the connection of each device and the surrounding ecosystem. These details are critical to determining whether IoMT device vulnerabilities represent a real threat that needs to be addressed.
2) Adding IoMT special security system exceeded the budget.
IT and security decision makers in healthcare organizations are inherently budget conscious. However, the real possibility of attacking patients' health and the 6-7 digit regulatory penalties caused by security defects strongly support their argument that they cannot afford not to invest in IoMT security.
As in the healthcare industry itself, an ounce of IoMT safety risk prevention is better than a pound of treatment. Implementing effective IoMT security can further control costs by eliminating the large amount of existing expenditure required to identify and repair equipment vulnerabilities
, and greatly improve efficiency by marking the existence and absence of vulnerabilities that constitute actual risks. IoMT security insight can also achieve more efficient equipment procurement, providing greater visibility for the maximization of ROI of a more comprehensive security strategy.
3) Collecting data for IoMT safety purposes increases the risk of HIPAA violations.
Of course, the health care system must give priority to the security of protected health information (PHI) and HIPAA regulations. This not only protects patients, but also avoids fines and reputational damage. In order to achieve continuous compliance, the IT and security teams carefully enforce data sharing restrictions on any information transferred to suppliers or the cloud.
However, it is wrong to assume that collecting data to inform IoMT's safety practices increases the risk of HIPAA violations. IoMT security analysis focuses on network traffic data, excluding PHI data. Security measures can also apply filters to prevent PHI from being transmitted through the cloud. After all, the cloud itself can also comply with HIPAA. The use of a fully localized IoMT infrastructure can effectively prevent external data transmission and risk.
4) IoMT security deployment requires months of effort.
Although the deployment of a new electronic health record system may take an organization a whole year to complete, IoMT specific security implementation is a completely different way forward, and the process is much faster. IoMT security adopts many cloud based security measures, and does not require hardware procurement or lengthy production deployment, which will delay the implementation of other areas. IoMT security systems that rely on edge devices can still be implemented in just a few hours. In general, deploying IoMT specific security is not too cumbersome or lengthy.
Truth: IoMT's unique security is within reach.
If the current trend continues as predicted, ransomware and other attacks against IoMT devices will only become more frequent. For the healthcare system, it is critical to avoid data leakage and huge fines and serious reputation damage to the business itself. Attackers hope that IT decision-makers continue to believe that IoMT is too complex and challenging to protect properly. Fortunately, the cost and difficulty of adopting efficient IoMT specific security measures are not as daunting as the still widespread misconceptions imply.
