Cover Your Assets: The Difficulties of Securing IoT
By Aaron Weismann, Chief Information Security Officer, Main Line Health
Securing the biomedical Internet of Things (IoT) in healthcare is both daunting and essential for the support of modern patient care. Healthcare practices increasingly rely on a vast array of connected devices, even going so far as to extend the care environment into patients’ homes. Protecting this digital ecosystem from cyber threats is a challenge. Biomedical IoT, which ranges from telemetry packs to infusion pumps to MRIs, is not only pivotal for patient treatment but also for the collection and analysis of patient data. That data, in turn, enhances the decision-making capabilities of healthcare professionals and enables modern medicine.
The integration of network connectivity and computing capabilities into biomedical devices has transformed patient care. It enables real-time monitoring and direct integration of patient telemetry into electronic medical records. This connectivity facilitates a more holistic view of patient health and allows for timely and data-driven clinical decisions.
That being said, the benefits of biomedical IoT come with significant cybersecurity challenges. Biomedical devices are designed for longevity and reliability, undergoing rigorous testing to ensure they meet standards primarily set by the Food and Drug Administration (FDA). Often spanning years, this process is critical for ensuring patient safety and device efficacy. It’s also performed every time a material modification to the device occurs.
The slow pace of regulatory approval is at odds with the rapidly evolving landscape of cyber threats. The nature of cyber threats is dynamic, with cybercriminals continuously developing new methods to exploit vulnerabilities in computer systems. This relentless evolution of cyber threats makes it difficult for the static security measures of biomedical IoT devices to remain effective. The regulatory infrastructure, while vital for ensuring the safety and reliability of these devices, inadvertently contributes to their vulnerability by inhibiting rapid updates and adaptations to emerging cyber threats. It leaves devices vulnerable to attacks and ironically compromises their ability to operate effectively.
Securing IoT devices is not a unique challenge for healthcare. Manufacturing, logistics, retail and others also rely on IoT technology for operational efficiency. Many businesses have had IoT deployed for years in the form of multifunction devices and internet-connected environmental systems. What is unique are those regulatory pressures that compound the difficulty of addressing biomedical IoT cybersecurity. In healthcare, the stakes are particularly high due to the potential for compromised devices to impact patient care directly.
Addressing the cybersecurity challenges of biomedical IoT, like most other parts of an organization’s infrastructure, requires adopting a multifaceted and comprehensive approach around the device. What goes beyond traditional device security is recognizing that it may not always be feasible to secure each device individually, especially in the face of sophisticated cyber threats. Consequently, the focus for IoT shifts to securing the broader ecosystem of which these devices are a part.
A tried-and-true strategy for device security on a network is network segmentation, which involves separating networked devices into distinct segments to control and monitor traffic between them. This can prevent an attacker who gains access to one device from easily moving laterally to compromise other segments of the network. Microsegmentation takes traditional segmentation a step further by applying more granular security policies at the device level, offering even finer control over device interactions and data flow.
Comprehensive visibility into device behavior and communication patterns is essential for effective segmentation. This visibility enables the identification and classification of devices, which facilitates the application of appropriate security policies.
Segmentation granularity is inextricably tied to visibility granularity. One of the issues we ran into when developing a segmentation and microsegmentation plan was the initial difficulty in accurately identifying devices. Biomedical devices, as mentioned above, are designed for longevity, and biomedical device support teams are experts in extending that longevity. The engineering feats they perform to keep devices on the floor are nothing short of miraculous. That also means that an infusion pump can occasionally show up on the network as an electrocardiogram and vice versa. That is almost unheard of for the average desktop, laptop, or server.
It’s crucial to identify devices with those variances. Visibility must include error checking and evaluating multiple points of identity to successfully authenticate a specific type of device. Truly anomalous devices, which can be legitimate or indicate potential compromise, must be identified and authorized manually.
The benefits of that level of visibility and authorization are manifold. A high degree of confidence in device identity where all devices share the same posture effectively allows for device provisioning and posturing automation on a network. It’s effectively Attribute-Based Access Control (ABAC) for devices through the automatic application of rules and barriers to devices entering a network. The benefits of increased granularity are especially apparent with anomalous devices, which can be automatically provisioned into a functional quarantine area. Automating those functions reduces potential human error and frees up staff for more sophisticated work.
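The placement logic described above, sketched as an added example (not code from the author or from any product): several independent identity signals must agree before a device is provisioned into its segment, and conflicting or thin evidence sends it to quarantine until a person authorizes it. The signal names, segment names and sample devices are all assumptions constructed for illustration.

```python
from collections import Counter

# Hypothetical policy table: device type -> segment. All names are assumptions.
SEGMENT_FOR_TYPE = {"infusion_pump": "seg-infusion", "ecg": "seg-cardiology"}
QUARANTINE = "seg-quarantine"


def place(device_id, signals, manual_approvals, min_agree=2):
    """Pick a segment from several independent identity signals.

    signals: signal name -> device type it suggests (None if not observed).
    manual_approvals: device_id -> type confirmed by a human reviewer.
    """
    if device_id in manual_approvals:
        dtype = manual_approvals[device_id]
        return {"type": dtype, "reason": "manually authorized",
                "segment": SEGMENT_FOR_TYPE.get(dtype, QUARANTINE)}

    votes = Counter(t for t in signals.values() if t is not None)
    if len(votes) > 1:
        # Signals disagree (a pump that also looks like an ECG): hold for review.
        return {"type": None, "segment": QUARANTINE,
                "reason": "conflicting identity: " + ", ".join(sorted(votes))}
    if not votes or sum(votes.values()) < min_agree:
        return {"type": None, "segment": QUARANTINE,
                "reason": "insufficient identity evidence"}

    dtype = next(iter(votes))
    if dtype not in SEGMENT_FOR_TYPE:
        return {"type": dtype, "segment": QUARANTINE, "reason": "no policy for type"}
    return {"type": dtype, "segment": SEGMENT_FOR_TYPE[dtype],
            "reason": "signals agree"}


# Constructed sample inventory (MACs from the IANA documentation range).
DEVICES = {
    "00:00:5e:00:53:01": {"oui": "infusion_pump", "dhcp": "infusion_pump",
                          "protocol": "infusion_pump"},
    "00:00:5e:00:53:02": {"oui": "infusion_pump", "dhcp": "ecg", "protocol": "ecg"},
    "00:00:5e:00:53:03": {"oui": "ecg", "dhcp": None, "protocol": None},
}

if __name__ == "__main__":
    approvals = {"00:00:5e:00:53:02": "ecg"}  # reviewer confirmed a repaired ECG
    for mac, sig in DEVICES.items():
        print(mac, place(mac, sig, {}), "->", place(mac, sig, approvals)["segment"])
```

A majority vote is deliberately not used: a single disagreeing signal is treated as an anomaly, so the second device stays in quarantine until its manual approval is recorded.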
Technical measures cannot exist in a vacuum. Educating staff about cybersecurity risks and best practices is critical. Human error remains a significant vulnerability in cybersecurity and empowering healthcare professionals with the knowledge to recognize and avoid potential threats can greatly enhance the overall security posture of healthcare organizations. While a biomedical IoT device can be an effective perch for lateral movement, most cyberattacks happen because of human intervention, with phishing and social engineering attacks sitting at the top of the list for 2023/2024.
The strategy I’ve shared for securing biomedical IoT isn’t unique to those devices. Understanding what you have on your network, preventing unwanted communications, and keeping staff educated is the crux of network security. What makes biomedical IoT security—and IoT security more broadly—unique is the inability to rely on device-based security and the importance of enhancing device-based identity telemetry and authentication. Where trust for an endpoint is built based on what endpoint security measures you have on that device, trust for an IoT device must be put in how you shield the environment at large from that device.