By Anand Oswal, Senior Vice President and GM at cyber security leader Palo Alto Networks\n\nConnected medical devices, also known as the Internet of Medical Things or IoMT, are revolutionizing healthcare, not only from an operational standpoint but related to patient care. In hospital and healthcare settings around the world, connected medical devices support critical patient care delivery and a wide variety of clinical functions, from medical infusion pumps and surgical robots to vital sign monitors, ambulance equipment, and so much more. At the end of the day, it\u2019s all about patient outcomes and how to improve the delivery of care, so this kind of IoT adoption in healthcare brings opportunities that can be life-changing, as well as simply being operationally sound.\n\nYet, enabling these amazing patient outcomes through IoT technology brings with it an associated set of security risks to hospitals and patients that are in the news far too often. Ransomware, for example, is a particularly prevalent threat to healthcare providers around the world. In August 2022, the French hospital Centre Hospitalier Sud Francilien (CHSF) was the victim of a ransomware attack that disabled medical imaging and patient admission systems. And in October 2022, CISA issued an advisory to healthcare providers warning of a ransomware and data extortion group targeting the healthcare and public health sector with a particular interest in accessing database, imaging, and diagnostics systems within networks. But ransomware isn\u2019t the only risk. In fact, according to a report in HIPAA Journal, there has been a 60% increase in cyberattacks of all varieties in healthcare in 2022,1 making it an unfortunately routine aspect of delivering care that the industry must be prepared to address.\n\nWhy Medical IoT Devices Are at Risk\n\nThere are a number of reasons why medical IoT devices are at risk. Among the most common reasons is the fact that many of these devices are not designed with security in mind.\n\nMany connected devices ship with inherent vulnerabilities. For example, according to research from Unit 42, 75% of infusion pumps have unpatched vulnerabilities.2 Over half (51%) of all X-Ray machines had a high severity CVE (CVE-2019-11687), with around 20% running an unsupported version of Windows.3\n\nUnit 42 research also found that 83% of ultrasound, MRI, and CT scanners run on an end-of-life operating system.4 Those operating systems have known vulnerabilities that can potentially be exploited. Attackers are known to target vulnerable devices and then move laterally across the organization\u2019s network to infect and damage the rest of a hospital network.\n\nThe impact of medical IoT device vulnerabilities is serious and potentially life-threatening. It\u2019s not always easy and sometimes not even possible to update or patch some of these devices, either because doing so requires operational disruption of care delivery or due to a lack of computing capability of many types of devices. As a result, we\u2019ve seen patient data exposed. We\u2019ve seen hospital operations halted. While the attack potential is widespread, healthcare providers can take proactive steps to help minimize the vast majority of device-related security risks.\n\nFour Necessary Steps to Improve Medical IoT Security\n\nAmong the challenges that medical facilities and health providers face is actually being aware of all the connected devices that are present. Visibility, however, isn\u2019t the only thing that is needed to improve medical device security. In fact, there are four steps that can be taken to secure devices and reduce risk:\n\nBetter IoT Security Helps Ease Regulatory Compliance Challenges\n\nUnderstandably, there are a lot of compliance requirements in healthcare. Healthcare compliance covers numerous areas like patient care, managed care contracting, Occupational Safety and Health Administration (OSHA), and Health Insurance Portability and Accountability Act (HIPAA) privacy and security, to name a few. Any attack that involves a patient system or medical IoT device is most likely a compliance breach, resulting in the loss of sensitive data or access to sensitive data from unauthorized entities. Limited IoMT visibility and risk assessment make it difficult to meet regulatory, audit, and HIPAA requirements. Having complete visibility into all devices and their utilization data reduces the burden of preparing for compliance audits and compiling compliance reports.\n\nImplementing Zero Trust for Medical IoT\n\nHumans place their trust in medical professionals to improve and sustain human health. Medical facilities rely on their technology to do the same. But trust should not be granted by default. It needs to be continuously monitored and validated. That\u2019s where a Zero Trust approach comes into play.\n\nZero Trust, in very straightforward terms, is a cybersecurity strategy that seeks to eliminate implicit trust for any user, application, or device accessing an organization\u2019s network. Zero Trust is not a product. For many customers, Zero Trust is a journey. For medical IoT security, Zero Trust starts from understanding several key things:\n\nOn a continuous basis, Zero Trust means monitoring devices and their behavior for threats, malware, and policy violations to help reduce the risk by validating every interaction.\n\nTake the Zero Trust Path of Least Resistance to Improve Healthcare IoT\n\nHealthcare IT and security teams are overburdened, so security implementation shouldn\u2019t be onerous. Improving security for medical IoT devices shouldn\u2019t require a forklift upgrade of hospital networks either.\n\nMost healthcare providers already have network firewalls that act as enforcement points for Zero Trust device security. When you want to enable visibility, risk assessment, segmentation, least privilege policies, and threat prevention on the journey toward Zero Trust, it should be done with as little friction as possible. Machine learning (ML) can also dramatically accelerate policy configuration, which can be automated. If security becomes another big project that requires significant human effort, it has less chance of being successful. Security needs to be integrated, easy to deploy, and as automated as possible.\n\nMedical IoT devices help to improve human healthcare every day. Just like humans need to do the right things to stay healthy, it\u2019s essential for medical IoT devices to remain healthy too. Lives literally depend on it.\n\nRecommended Reading\n\n 1. \u201cHealthcare Seeks 60% YoY Increase in Cyberattacks,\u201d HIPAA Journal, November 17, 2022,\n\n2. Aveek Das, \u201cKnow Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization,\u201d Unit 42, March 2, 2022,\n\n3. Jun Du, Derick Liang, Aveek Das, \u201cWindows XP, Server 2003 Source Code Leak Leaves IoT, OT Devices Vulnerable,\u201d Unit 42, November 6, 2020,\n\n4. Ibid.