Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices

Internet of Medical Things (IoMT) technology is helping to increase efficiency, improve the quality of healthcare, and lower healthcare costs; however, IoMT introduces risks. The failure to reduce those risks to a low and acceptable level leaves IoMT devices vulnerable to cyberattacks. Those attacks can be expensive to resolve, which drives up the cost of healthcare and can result in patients coming to harm.

Not only must the devices be secured; cybersecurity must also be managed throughout the entire lifespan of the devices. Software and firmware must be kept up to date, patches must be applied promptly to fix vulnerabilities, and the devices need to be returned when they reach end of life and support comes to an end. Without a thorough understanding of the risks, securing IoMT devices can be a major challenge.

The U.S. Department of Veterans Affairs (VA) has taken steps to improve the safety and security of IoMT devices and has been seeking solutions for securing large-scale IoMT device deployments to better protect the 9 million people under its care. In 2016, the VA, in conjunction with the global safety science organization UL, launched a Cooperative Research and Development Agreement (CRADA) Program for medical device cybersecurity. This week, the VA announced that the program has now been completed.

The program was conducted between 2016 and 2018. It used the UL 2900 Series of Standards as a benchmark to identify critical medical device cybersecurity vulnerabilities in large-scale connected medical device deployments, including lifecycle management, and to create baseline cybersecurity requirements for medical device manufacturers.

“This collaboration helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefiting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers,” explained Anura Fernando, UL’s chief innovation architect, Life and Health Sciences.

Throughout the two years, the VA and UL tested hypotheses to expand their understanding of medical device cybersecurity, identify security gaps between in-facility and in-home care, and verify product functionality for FIPS 140-2 compliance. A simulated hacking attack was also conducted on a UL 2900 certified medical device at the Veterans Health Administration (VHA) site in Tampa, FL.

The report shows adoption of standards helps to ensure the safety and security of new medical devices. The findings of the study have resulted in the creation of a series of actionable steps that can be taken by healthcare organizations to improve the security of their medical devices.

“The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem,” said Marc Wine, Director, Technical Integration Support and Industry Liaison, U.S. Department of Veterans Affairs.

CRADA findings included:

  • Use of the UL 2900 Series of Standards and product testing/certification accelerated adoption of innovative healthcare technologies through improved pre-procurement product vetting and post-procurement product management.
  • Testing and certification improved confidence in product development processes, security control design evaluation, and the post-market patch management support provided by device manufacturers.
  • Compliance with UL 2900 enhanced endpoint security, which resulted in improved allocation of cybersecurity resources, allowing them to be focused on critical threats to veterans’ safety and security.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.