Special thanks to Matthew Modica, Vice President and Chief Information Security Officer, BJC HealthCare, for his collaboration and contribution to this post.

The Internet of Medical Things (IoMT) represents one of the most significant opportunities in healthcare, with global market value expected to hit US$142 billion by 2026. But with opportunity comes risk. According to a Bitglass research study, healthcare breaches increased 55 percent from 2019 to 2020, affecting more than 26 million people in the US alone. This has continued into 2021, with the volume of all-industry cyber intrusion increasing 125% in the first half of 2021 globally, compared with the same period last year. In fact, there are indications that healthcare is the number one target for cybercriminals.

The time is now for healthcare organizations and regulators to focus on IoMT cybersecurity, because these devices provide direct line-of-sight to the patient.

The importance of IoMT in healthcare

IoMT is used for critical medical tasks such as monitoring patient vital signs, controlling blood flow and distributing pharmaceuticals. Unlike traditional Information Technology (IT) or Operational Technology (OT), which may easily be patched and rebooted, IoMT requires a different remediation process with extra precautions. Taking these devices offline, even for a short period of time, could significantly impact patient safety—and cybercriminals are very aware of the unique role of IoMT devices. That's why they are actively seeking new and creative ways to monetize attacks and disruptions, likely via ransomware.

During the pandemic, there were multiple waves of attacks against healthcare organizations thanks to the increased attack surface created by the push for remote services. According to a Comparitech report, ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, twice as much as the year before. The report also found that 92 individual ransomware attacks occurred at healthcare organizations, affecting 600 clinics, hospitals and other organizations, with 18 million patient records impacted—a 470% increase from 2019.

This can be devastating to companies, but ultimately it's us—the patients—who become the targets.

Make sure cybersecurity enables the business

The root causes of these difficulties are usually a lack of accountability and a lack of clarity among management about who is responsible for devices that fall under the purview of biomedical engineering and clinical environments. These departments often have little to no IT governance compared with enterprise-wide IT systems.

Lack of oversight can leave organizations overwhelmed and without an accurate picture of device inventory. This in turn can result in outdated software and exposure to vulnerabilities—a prime opportunity for cybercriminals. Additionally, healthcare organizations can experience skill shortages or minimal IoMT understanding, resulting in insecure network architectures that lack segmentation and security controls.

A better alternative: security as an enabler

Security needs to be “baked in.” That is, it should be part of a healthcare organization’s technology ecosystem, positioned to enable business success by fostering technology adoption. This point is driven home by the Palo Alto Networks global threat intelligence team, which reports that 83% of connected medical imaging devices currently run unsupported operating systems, with 51% of potential threats and vulnerabilities involving these devices. Additionally, 72% of healthcare's virtual local area networks (VLANs) mix IoMT with traditional IT assets, facilitating the spread of malware. With such prevalent vulnerabilities in devices critical to patient wellbeing, it is vital that security be implemented at every stage of the system development lifecycle.

Another perspective

For more on IoMT in healthcare, we spoke with Matt Modica, CISO of BJC Healthcare. His thoughts are below.

IoMT device security is a critical component CISOs must consider in their cybersecurity strategy and risk management framework for three main reasons. First, the proliferation of network connected devices and the sheer amount of data these devices collect makes them a critical asset—which means they're a target for bad actors. Second, many medical device manufacturers are just now beginning their journey into secure code development / secure configurations. Until they mature these capabilities, there is potential for a variety of cyber threats being exploited (i.e. unresolved vulnerabilities, unsupported software and unknown baseline behavior). Third, while larger healthcare providers typically have the financial and operational resources to support lifecycle management and rotate to these newer devices with enhanced security capabilities, many providers must support aging network devices that perpetuate cybersecurity risks.

For these reasons, Modica said, medical/IoT device security has the potential to lead to operational disruption and patient safety events.

Four ways to reduce risks

  • It begins during procurement. This is the time to enforce security requirements. Similar to theme parks that enforce certain heights to ride attractions, provider cybersecurity teams need to enforce a minimum security level before a device is allowed to connect to the network.
  • Second, evaluate and define secure configurations for all network-connected devices leveraging everything the manufacturer provides to enforce security best practices.
  • Third, keep in mind that visibility, monitoring and prevention are key. As with any critical asset, it is vital to understand baseline behavior of a device so that the team can quickly identify and remediate anomalous behavior – preferably via automation.
  • Finally, all healthcare providers should leverage strong, influential partner relationships with the manufacturers of these devices to define product roadmaps and insist on strong cybersecurity capabilities out of the box.

When we do these things, Modica said, we will protect ourselves, our patients, our caregivers and our critical infrastructure.

More on protecting patients and IoMT security investments

Below are a few areas to consider:

  • Risk assessments & IT governance – Rigorous governance, risk and compliance (GRC) separate from enterprise IT for biomedical engineering and clinical environments is key. This will drive understanding of immediate risks and encourage the establishment of up-to-date asset management tracking, baseline security controls and vulnerability remediation.
  • “Zoning” – An often-overlooked area is separating IoMT devices from enterprise IT environments. Without these controls in place, attackers could potentially gain access to connected assets (e.g., infusion pumps, nurses’ stations and pacemakers) through weak links in corporate IT infrastructure such as unsecured wireless access. Securing operations should also include IoMT network traffic monitoring for potential events and incidents due to malfunctions and other adverse conditions.
  • Strategic partners and ecosystems – There is no “silver bullet,” but being part of the broader ecosystem and working with strategic alliances results in a stronger, more cyber-resilient IoMT stance. Having a trusted partner can help healthcare organizations navigate the landscape to develop their appropriate strategy and solution.
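The two monitoring ideas above, learning a device's baseline behavior so anomalies can be flagged automatically (the third of Modica's four ways) and enforcing zoning between IoMT and enterprise IT, can be illustrated with a small script. The following is an added example written for this post; it is not code from Accenture or BJC HealthCare. The zone layout (IoMT devices in 10.20.0.0/24, enterprise IT in 10.10.0.0/16, a single biomed jump host allowed to cross into the IoMT zone), the flow-log format and every address in the sample lines are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption, not from the post): IoMT devices live in
# their own segment, enterprise IT in another, and only one biomed engineering
# jump host may initiate connections from IT into the IoMT zone.
IOMT_ZONE = ip_network("10.20.0.0/24")
IT_ZONE = ip_network("10.10.0.0/16")
ALLOWED_IT_TO_IOMT = {ip_address("10.10.5.20")}  # biomed jump host (constructed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form
    '<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def build_baseline(flows):
    """Learn, per IoMT device, the set of (peer, port, proto) tuples it normally
    talks to. Flows originating outside the IoMT zone are not part of a device's
    baseline and are ignored here."""
    baseline = defaultdict(set)
    for f in flows:
        if ip_address(f.src) in IOMT_ZONE:
            baseline[f.src].add((f.dst, f.dport, f.proto))
    return baseline


def evaluate(flows, baseline):
    """Return (finding_kind, flow) pairs for traffic that violates zoning or
    departs from the learned baseline."""
    findings = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src in IT_ZONE and dst in IOMT_ZONE and src not in ALLOWED_IT_TO_IOMT:
            # Enterprise IT host reaching into the IoMT segment: zoning violation.
            findings.append(("zone-violation", f))
        elif src in IOMT_ZONE:
            if f.src not in baseline:
                # A device the inventory never saw during learning.
                findings.append(("unknown-device", f))
            elif (f.dst, f.dport, f.proto) not in baseline[f.src]:
                # Known device talking to a peer/port it never used before.
                findings.append(("new-peer", f))
    return findings


# Constructed sample data: a learning window followed by a detection window.
LEARNING_LOG = [
    "2021-09-01T10:00:00Z src=10.20.0.11 dst=10.20.0.250 dport=443 proto=tcp",  # pump -> gateway
    "2021-09-01T10:05:00Z src=10.20.0.11 dst=10.20.0.250 dport=443 proto=tcp",
    "2021-09-01T10:06:00Z src=10.20.0.12 dst=10.20.0.250 dport=104 proto=tcp",  # imaging -> PACS
    "2021-09-01T10:07:00Z src=10.10.5.20 dst=10.20.0.11 dport=22 proto=tcp",    # biomed maintenance
]
DETECTION_LOG = [
    "2021-09-02T09:00:00Z src=10.20.0.11 dst=10.20.0.250 dport=443 proto=tcp",  # normal
    "2021-09-02T09:01:00Z src=10.20.0.11 dst=10.10.7.33 dport=445 proto=tcp",   # pump -> IT file share
    "2021-09-02T09:02:00Z src=10.10.9.41 dst=10.20.0.12 dport=104 proto=tcp",   # IT workstation -> imaging
    "2021-09-02T09:03:00Z src=10.10.5.20 dst=10.20.0.12 dport=22 proto=tcp",    # allowed jump host
    "2021-09-02T09:04:00Z src=10.20.0.13 dst=10.20.0.250 dport=443 proto=tcp",  # device not in baseline
]


def run_example():
    baseline = build_baseline(parse_flow(l) for l in LEARNING_LOG)
    return evaluate([parse_flow(l) for l in DETECTION_LOG], baseline)


if __name__ == "__main__":
    for kind, flow in run_example():
        print(f"{kind:15} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run as-is, the script reports three findings: the infusion pump opening an SMB connection into the IT segment, an IT workstation reaching the imaging device, and an IoMT address that never appeared during the learning window (the asset-inventory gap described earlier). The allowed jump host and the pump's routine gateway traffic produce nothing. In practice the baseline would be learned from real flow telemetry over a longer window and the zone definitions would mirror the VLAN or firewall policy, but the structure, a learned per-device baseline plus an explicit zone policy, is what turns "visibility and monitoring" into something that can alert automatically.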

Using measures like the above will vastly improve the security and reliability prognosis for healthcare organizations, with the key takeaway that robust IoMT cybersecurity paves the way for improved patient care and a healthier bottom line.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit www.accenture.com/security.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

Copyright © 2021 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.

Salwa Rafee

Managing Director – Global Healthcare Security Lead, Accenture
