

HHS Urges Health Sector to Improve OT & IoMT Security

The Department of Health and Human Services (HHS) has urged healthcare organizations to take steps to safeguard operational technology (OT) and the Internet of Medical Things (IoMT). Vulnerabilities in OT and IoMT systems could potentially be exploited by malicious actors to access internal healthcare networks, steal data, and cause significant operational disruption.

The Food and Drug Administration (FDA) has taken steps to improve medical device security by requiring vendors of medical devices to implement appropriate cybersecurity measures covering the entire lifecycle of their products. Vendors must provide documentation verifying that cybersecurity measures have been implemented in their pre-market submissions. Devices with insufficient cybersecurity will not be approved; however, these requirements only apply to new medical devices that are brought to market, not the large number of medical devices already in use.

Devices may be used by healthcare organizations for patient care, product manufacturing, data collection, facility management, and other purposes. Medical devices include infusion pumps, patient monitors, medical imaging systems, and pacemakers and implantable devices, all of which can be attractive targets for cyber actors. Vulnerabilities and security gaps may be exploited to gain access to the systems and networks to which these devices connect.

OT systems are used to create a safe and efficient working environment and include heating, ventilation, and air conditioning (HVAC) systems, elevators, and security cameras. Vulnerabilities and weak security in OT may also be exploited by malicious actors. If vulnerabilities are exploited, malicious actors can cause massive disruption to healthcare services and steal sensitive patient data.


The integration of OT and IoMT systems and medical devices is vital for operational efficiency and patient care; however, integrating these systems and devices with IT networks increases the risk of cyber threats. A vulnerability in a medical device or HVAC system could be exploited to gain a foothold in the network, where the threat actor can conduct an attack that causes massive operational disruption.

Oftentimes, technological constraints make it difficult to implement robust cybersecurity measures. For instance, medical imaging devices are expensive and may still be in use decades after they were purchased. These and other devices may have outdated firmware or rely on software that is no longer supported by vendors. Older devices often have default credentials, which may be hard-coded and cannot be changed, and they may not support the latest communication protocols that encrypt data in motion. OT and IoMT devices and systems often lack role-based access controls (RBAC), which means users may have excessive privileges. There may be insufficient authentication measures, unencrypted data transmissions, and vulnerabilities in software and firmware that make these systems and devices potential targets for cybercriminals. There may also be a lack of physical security, allowing unauthorized physical access to OT and IoMT systems.

“Securing OT and IoMT equipment across the HPH sector requires a proactive risk-management approach rooted in cybersecurity best practices,” explained the Administration for Strategic Preparedness & Response (ASPR) in its Healthcare and Public Health (HPH) Sector Advisory Bulletin. The bulletin includes several recommendations for owners, operators, information technology (IT) administrators, and security teams responsible for managing OT and IoMT environments. These include maintaining a comprehensive, accurate, and up-to-date asset inventory and ensuring proper lifecycle management, integrating the deployment of OT and IoMT into enterprise risk management programs, using network micro-segmentation to divide OT and IoMT environments into extremely small, isolated environments, ensuring robust restrictions on remote access, managing supply chain risks, and securing wireless signal transmission.
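As an added example, not taken from the ASPR bulletin or the article, the Python below triages a constructed OT/IoMT asset inventory: it flags the weaknesses the article lists (unsupported firmware, hard-coded or default credentials, unencrypted data in motion, missing RBAC, open remote access, shared segments with IT) and pairs each with the bulletin recommendation that addresses it. The record fields, device names and segment names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One OT/IoMT inventory record; the fields are assumptions for this example."""
    name: str
    kind: str                   # "IoMT" or "OT"
    firmware_supported: bool    # vendor still provides firmware/security updates
    default_credentials: bool   # still running factory credentials
    credentials_changeable: bool
    encrypts_in_transit: bool
    has_rbac: bool
    remote_access: bool         # reachable through a remote-support path
    segment: str                # network segment the device is placed in

# (finding, predicate, bulletin recommendation that addresses it)
RISK_CHECKS = [
    ("unsupported firmware", lambda a: not a.firmware_supported,
     "lifecycle management: plan replacement or compensating controls"),
    ("hard-coded default credentials",
     lambda a: a.default_credentials and not a.credentials_changeable,
     "isolate in its own micro-segment; tightly restrict who can reach it"),
    ("default credentials", lambda a: a.default_credentials and a.credentials_changeable,
     "rotate credentials before the device goes into service"),
    ("unencrypted data in motion", lambda a: not a.encrypts_in_transit,
     "confine traffic to a dedicated segment; secure wireless transmission"),
    ("no role-based access control", lambda a: not a.has_rbac,
     "enforce least privilege at the network and management layer"),
    ("remote access enabled", lambda a: a.remote_access,
     "restrict remote access to approved, monitored paths"),
    ("shares a segment with IT", lambda a: a.segment == "corp-it",
     "micro-segment OT/IoMT away from the enterprise IT network"),
]

def assess(asset):
    """Return [(finding, recommendation), ...] for one asset."""
    return [(f, rec) for f, check, rec in RISK_CHECKS if check(asset)]

def triage(assets):
    """Rank the inventory so the assets with the most findings come first."""
    scored = [(a.name, assess(a)) for a in assets]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)

# Constructed sample inventory (not real devices).
INVENTORY = [
    Asset("MRI-01", "IoMT", False, True, False, False, False, True, "corp-it"),
    Asset("PUMP-12", "IoMT", True, False, True, True, True, False, "iomt-pumps"),
    Asset("HVAC-CTRL", "OT", True, True, True, False, False, True, "corp-it"),
]
```

Running `triage(INVENTORY)` puts the legacy imaging system first, the HVAC controller second and the well-configured pump last, which is the order in which a security team would schedule segmentation and lifecycle work.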

“By implementing these recommendations, healthcare organizations can significantly reduce cyberattack risks, safeguard operational integrity, and protect patient data,” explained ASPR. “Adopting these measures will enhance trust in healthcare’s resilience against evolving cyber threats and contribute to the confidentiality, integrity, and availability of healthcare services.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
