It’s 2023 and many IoMT devices are amazingly insecure

An infusion pump, recently. Image by Boysloso | Bigstockphoto

ITEM: The Internet of Medical Things (IoMT) is on the rise as more medical devices become connected in hospitals and other healthcare organizations. But many of them are worryingly insecure – especially nurse call systems, infusion pumps and even printers.

So says a new report from Armis, which tracks over 3 billion IoT assets via its security platform. Analyzing data from that platform, Armis says nurse call systems are the riskiest connected medical device, with 39% of them having “critical severity unpatched common vulnerabilities and exposures (CVEs)” and almost half (48%) having unpatched CVEs.

The report also found that 27% of infusion pumps (which rank second on the risk list) have critical-severity unpatched CVEs and 30% have unpatched CVEs.

Medication dispensing systems are third on the list. While only 4% have critical severity unpatched CVEs, most of them (86%) have unpatched CVEs.

Moreover, the report says, 32% run on unsupported Windows versions. In fact, around 19% of connected medical devices overall are running unsupported OS versions.

The security issues aren’t limited to medical devices. IP cameras in clinical environments are a big risk, with over half of them having critical severity unpatched CVEs.

Meanwhile, printers are also risky (37% with unpatched CVEs, 30% with critical severity unpatched CVEs). VoIP devices rank third on the non-medical IoT risk list – over half have unpatched CVEs, although only 2% qualify for critical-severity status.

7 million IoMT devices by 2026

This is a big deal given the rise of ‘smart hospitals’ as the healthcare sector embraces digital technology, connected devices, 5G, edge computing and AI to improve patient care, staff productivity, and operational efficiency.

Last year, Juniper Research projected that smart hospitals will deploy over 7 million connected IoMT devices globally by 2026, driven mainly by China and the US (in that order). That works out to over 3,850 devices per hospital, and it’s double the number of IoMT devices deployed in 2021. Apart from the devices listed above, the IoMT pantheon includes things like remote sensors, wearables and surgical robotics.

It’s worth noting that Armis is in the business of securing IoMT devices, so feel free to take its report with however many grains you require. However, IoT device security has notoriously been a problem ever since the dawn of IoT, and smart hospital networks are, at the end of the day, just another IoT network from a hacker POV.

We also know the healthcare sector is a prime target for bad actors, especially when it comes to stealing medical records (just ask Singapore). Many IoMT devices automatically send patient data into those records, which makes them potential entry points to access those records. A 2022 report from SonicWall found that the healthcare industry saw a 755% increase in ransomware attacks alone in 2021 (when COVID-19 was in full swing).

While IoT devices have a long history of bad (or non-existent) security design, one would think IoMT device makers would put more effort into it, given the mission-critical status of healthcare. But experts have been talking about the insecurity of IoMT devices for several years now – in this sense, the only thing new about the Armis report is the list of specific devices.

Secure everything else, please

Part of the problem is that IoT security by design takes money and expertise, and manufacturers also have to balance security against ease of use.

There’s also been a lack of standards and best practices until recently. The International Medical Device Regulators Forum published a set of principles and practices in 2020 for IoMT vendors on things like vulnerability remediation and incident response. But it’s up to vendors to adopt them, and it takes time for those devices to make it to the market.

It’s also worth remembering that at least some of the vulnerable devices detected in the Armis report could well have been installed before 2020.

In any case, even if the number of unsecured IoMT devices is low, hackers only need one insecure device to exploit. And again, it could be a non-medical device like a printer.

This is why healthcare providers need to at least beef up their security for everything behind the devices and have robust security protocols in place. A recent blog post from ISACA offers recommendations, including:

  • Applying appropriate technical and organizational measures (TOM) to implement the data protection principles
  • Implementing an effective authentication mechanism
  • Implementing security protocols and privacy solutions for tracking, monitoring and analytics
  • Maintaining an inventory of the IoT devices and related assets
  • Providing network segmentation and protecting each of the subnets at its level
  • Real-time monitoring and detecting
  • Encrypting data based on their criticality level.
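As an added example (not code from the article, Armis or ISACA), here is what the inventory and triage steps in the list above look like in practice: a constructed device inventory is summarised per category with the same metrics the report quotes (unpatched CVEs, critical-severity unpatched CVEs, unsupported OS), and devices are then ordered for patching or network segmentation. Device names and CVE ids are placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Cve:
    cve_id: str      # placeholder ids, not real CVE numbers
    severity: str    # "critical", "high", "medium", "low"
    patched: bool

@dataclass
class Device:
    name: str
    category: str       # e.g. "nurse call", "infusion pump", "printer"
    os_supported: bool  # False: vendor no longer ships security updates
    cves: list = field(default_factory=list)

    def has_unpatched(self):
        return any(not c.patched for c in self.cves)

    def has_critical_unpatched(self):
        return any(c.severity == "critical" and not c.patched for c in self.cves)

def summarize(inventory):
    """Per-category percentages in the same shape as the report's figures."""
    groups = {}
    for d in inventory:
        groups.setdefault(d.category, []).append(d)
    out = {}
    for cat, devs in groups.items():
        pct = lambda pred: round(100 * sum(1 for d in devs if pred(d)) / len(devs))
        out[cat] = {
            "count": len(devs),
            "unpatched": pct(Device.has_unpatched),
            "critical_unpatched": pct(Device.has_critical_unpatched),
            "unsupported_os": pct(lambda d: not d.os_supported),
        }
    return out

def triage(inventory):
    """Order devices for patching/segmentation: critical unpatched CVE first,
    then unsupported OS, then any unpatched CVE; clean devices are dropped."""
    score = lambda d: (d.has_critical_unpatched(), not d.os_supported, d.has_unpatched())
    return [d.name for d in sorted(inventory, key=score, reverse=True) if any(score(d))]

# Constructed sample inventory; values are illustrative, not from the report.
INVENTORY = [
    Device("nc-01", "nurse call", False, [Cve("CVE-XXXX-0001", "critical", False)]),
    Device("nc-02", "nurse call", True, [Cve("CVE-XXXX-0002", "medium", False)]),
    Device("pump-01", "infusion pump", True, [Cve("CVE-XXXX-0003", "high", True)]),
    Device("pump-02", "infusion pump", False, []),
    Device("prn-01", "printer", True, [Cve("CVE-XXXX-0004", "critical", False)]),
]
```

Feed it a real asset inventory export and the summary tells you which device classes to segment first, while the triage order is the patch queue.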

Meanwhile, all of this should be viewed in the larger context of IoT security in general. For more on that, here’s a comprehensive report from The Atlantic Council that looks at the regulatory approaches taken by the US, the UK, Australia, and Singapore to address the problem.
