The Internet of Medical Things needs a new security model to fulfil its potential
Digital Health | Opinion | 13 January 2025
The Internet of Medical Things (IoMT) is set to radically change the quality of care and outcomes for millions of patients, while also increasing efficiency for clinicians and the organisations employing them. Analysts at Fortune Insights estimate the value of the global market will grow at a compound annual rate of more than 38% up to 2032, by which time it will be worth US$814bn.
Definitions of IoMT can include everything from connected patient monitoring, diagnosis and testing devices in smart hospitals, to equipment in people’s homes and commercially manufactured wearables transmitting tracking data.
Yet while bullish about growth, the analysts also caution that wider implementation may be limited by the vulnerability of these devices and their networks to cyber attack. The health sector is certainly heavily targeted by cyber criminals, as reflected in a recent report from IBM, which reveals that healthcare was the sixth most frequently attacked sector in its review of cyber security in 2023.
Across all sectors, the report says there was a surge in the targeting of identities by cyber criminals, with attacks using valid credentials up by 71%. Identification and authentication failures also emerged as the second most common finding from IBM X-Force penetration testing data.
Continuous authentication required
In the IoMT, as in all IoT networks, each device must continually authenticate itself and be authorised, so that its software cannot be controlled or disrupted by cyber criminals who have stolen its machine identity. As the market matures, this will mean thousands of devices for a single medical or healthcare institution, each of which it must secure and authenticate continuously. And herein lies the difficulty. The scale and complexity are too great for conventional security approaches.
With so many devices in use, a new model of automation and integrated trust is required. Device identities have become fundamental – and as the threat landscape changes, healthcare organisations, medical manufacturers and suppliers need more innovative approaches to achieve the maximum protection possible.
Criminals can breach the security of any poorly protected device and use it to disrupt a network or steal data. The problem is that IoMT networks are likely to be beyond the capabilities of secure chipsets, traditional healthcare organisation security or standard cloud or network security controls. If IoMT networks lack continual authentication and authorisation, they become vulnerable to credential theft and severe system breaches.
In the medical sector, tough regulatory standards imposed by the FDA and the EU are already in force, which is good news. A device manufacturer must meet compliance obligations for the device and its data. These include HIPAA, GDPR and FDA regulation SEC. 524B, which mandates the provision of an SBOM (software bill of materials) for new products. Manufacturers need to be secure by design, establishing a root of trust for each device through dynamic key generation in line with certification requirements, covering provisioning, rotation and final revocation.
Automation and a more holistic approach
IoMT security is not, however, solely the responsibility of the manufacturer. Health organisations implementing IoMT networks need a holistic approach to security that includes zero trust architectures built on a robust public key infrastructure (PKI).
Healthcare and pharmaceutical organisations must also address the significant challenge of securing devices that are already in use and networked, but which rely on outdated security technology. Their technology may no longer be capable of matching evolving threats. These “brownfield” devices present significant areas of vulnerability if neglected and must be retrofitted with zero trust technology.
This implementation of zero trust at scale is necessary to manage device registration and IAM (identity and access management) provisioning. The approach also integrates policy-driven data encryption and continuous, automated monitoring, using artificial intelligence to detect anomalies and respond swiftly to potential security breaches. Devices need continual authentication of their machine identities based on certificates and cryptographic keys.
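The device identity lifecycle described above and in the manufacturer section (a per-device key generated dynamically, a certificate issued for it, continual authentication of that machine identity, then rotation and final revocation) is easier to reason about in code. The following is an added example written for this page; it is not code from the article or from any vendor or product it mentions. It uses only Go's standard library (crypto/x509, crypto/ecdsa). The in-memory CA, the root name example-iomt-root, the device ID infusion-pump-0001, the nonce and the revocation map are all constructed for the example; a real deployment would keep the CA key in an HSM and distribute revocations via CRL or OCSP, and devices would typically present their certificate inside mutual TLS rather than in a bare challenge-response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed in-memory issuing authority standing in for the organisation's PKI
// (a production CA would keep its key in an HSM and publish a CRL or run an OCSP responder).
type CA struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	revoked map[string]bool // revoked serial numbers (a toy CRL)
	serial  int64
}

// Device is one IoMT endpoint; its private key is generated on the device and never leaves it.
type Device struct {
	ID   string
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// must panics on setup errors (key generation, certificate encoding) to keep the demo short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func digest(b []byte) []byte    { h := sha256.Sum256(b); return h[:] }

// issue signs tmpl under parent with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewCA creates a self-signed root able to sign device certificates.
func NewCA() *CA {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "example-iomt-root"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	return &CA{key: key, cert: issue(tmpl, tmpl, &key.PublicKey, key), revoked: map[string]bool{}, serial: 1}
}

// Provision enrols or rotates a device: a fresh key pair is generated on the device, a
// short-lived certificate is issued for its public key, and any previous one is revoked.
func (ca *CA) Provision(d *Device, ttl time.Duration) {
	key := newKey()
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: d.ID},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if d.Cert != nil {
		ca.Revoke(d.Cert) // rotation: the superseded certificate must stop working
	}
	d.key, d.Cert = key, issue(tmpl, ca.cert, &key.PublicKey, ca.key)
}

// Revoke records a certificate's serial number as no longer trusted (final revocation).
func (ca *CA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// Sign is the device side of each authentication round: it signs the gateway's nonce.
func (d *Device) Sign(nonce []byte) []byte { return must(ecdsa.SignASN1(rand.Reader, d.key, digest(nonce))) }

// Authenticate is the gateway side: chain to the root and validity window at now,
// then revocation, then proof that the presenter holds the certified private key.
func (ca *CA) Authenticate(c *x509.Certificate, nonce, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if ca.revoked[c.SerialNumber.String()] {
		return fmt.Errorf("certificate %s revoked", c.SerialNumber)
	}
	if pub, ok := c.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest(nonce), sig) {
		return fmt.Errorf("proof of possession failed")
	}
	return nil
}

func main() {
	ca, dev := NewCA(), &Device{ID: "infusion-pump-0001"} // constructed device ID
	ca.Provision(dev, 10*time.Minute)
	nonce, old := []byte("constructed-gateway-nonce"), dev.Cert
	fmt.Println("current cert:", ca.Authenticate(dev.Cert, nonce, dev.Sign(nonce), time.Now()))
	ca.Provision(dev, 10*time.Minute) // rotation revokes the old certificate
	fmt.Println("old cert after rotation:", ca.Authenticate(old, nonce, dev.Sign(nonce), time.Now()))
}
```

The order of checks in Authenticate is the point: a stolen machine identity is only useful to an attacker while the certificate chains, is inside its validity window, is not on the revocation list and the presenter can sign a fresh nonce with the matching private key. Short certificate lifetimes and routine rotation shrink the first two windows, and revocation closes the third; that is what "continual authentication" amounts to per connection rather than a one-off enrolment.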
Such tasks demand automation. It is now possible to deploy advanced solutions that streamline device security, providing assurance and compliance across networks of thousands of devices.
Organisations can deploy automated identity lifecycle management, policy-driven encryption and continuous assurance and threat validation. Where FDA compliance is required, this can be based on the SBOM. Full integration with the cloud is also necessary, for example through Azure IoT Edge gateways.
All this is possible thanks to current innovations in IoT security automation, reducing costs, freeing up staff from routine security tasks and monitoring devices at scale in a way no human can.
The IoMT is on the verge of major expansion, as medicine becomes more data-driven, improving healthcare through real-time monitoring and the analysis of masses of streaming medical data using AI techniques. To reach its full potential, the IoMT demands a new, more all-encompassing approach to security to ensure the devices and data that transform healthcare can fulfil their potential.