The FDA is Worried About the Internet of Medical Things – What About You?

Privacy and the loss of patient data aren’t all that’s at risk in the Internet of Things (IoT) era. As more healthcare providers look to Internet-enable everything from blood pressure cuffs to insulin pumps and heart monitors, the risk to patient safety is equally worrisome. The FDA has done its part to address the risk with new guidelines for medical device security, but healthcare providers need to do their part, too.

The use of connected medical devices in healthcare is exploding as more healthcare providers realize the wealth of benefits for streamlining processes, improving patient monitoring and delivering better health outcomes. In fact, Research and Markets reports that the patient monitoring device market is expected to grow at a CAGR of 5.6% to reach 24,762 million devices in use by 2020.

While healthcare executives are beginning to discuss the risks that connected medical devices pose to data and to the systems themselves, the FDA is the first to raise the issue of patient safety. Its new guidelines address device security at the manufacturing level, offering best practices for manufacturers to assess, remediate and report cybersecurity vulnerabilities in medical devices. In addition to recommending that manufacturers adhere to the 2014 NIST Framework for Improving Critical Infrastructure Cybersecurity, the guidelines push them to:

  • Constantly and consistently monitor for device flaws and risk.
  • Set up a strong vulnerability disclosure policy and program.
  • Deploy any mitigations quickly and efficiently.

IoT Security, Beyond the Manufacturing Level

While addressing security at the manufacturer level is a start, it’s simply not enough when it comes to IoT security. Healthcare providers must also do their part to ensure connected medical devices remain safe for patient use – after they are deployed in a healthcare network environment. Best practices include:

  • Isolating IoT devices on their own network: This way, if hackers exploit IoT vulnerabilities, they can’t easily move laterally to gain access to critical data on other devices and servers. Healthcare providers should consider internal segmentation firewalls to provide the required protection, segregation and segmentation of patient data and critical healthcare systems.
  • Disabling Universal Plug and Play (UPnP) on all Wi-Fi routers: UPnP lets devices connect automatically to the wireless network, and since it is self-configuring, it is easy for criminals to exploit. Disabling the feature is a simple way to thwart attacks.
  • Choosing vendors carefully: Healthcare providers should bring IoT into their traditional procurement process, and ensure they only purchase IoT devices from manufacturers with strong security and patient safety track records.
  • Watching the passwords: Many times, IoT devices ship from the manufacturer with easy-to-break default passwords. Healthcare providers should ensure all default passwords are changed to strong passwords prior to deployment on-site, and that all patients are educated to ensure they use strong passwords in home healthcare settings as well.
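As an added illustration of the first point above (an example written for this article, not code from the original post or from any vendor product), here is an nftables policy for an internal segmentation firewall that routes between a hypothetical IoT VLAN (vlan30, 10.30.0.0/24), a clinical segment (vlan20, 10.20.0.0/24) and a device-monitoring collector (10.10.0.5). Every interface name, address and port is an assumed placeholder; the point is the shape of the policy: default deny, a short allowlist for what the devices genuinely need, and logged drops for anything else leaving the IoT segment.

```nftables
#!/usr/sbin/nft -f
# Internal segmentation firewall for connected medical devices.
# Assumed layout (placeholders, adjust to your environment):
#   vlan30 = IoT / medical-device segment, 10.30.0.0/24
#   vlan20 = clinical workstations and EHR servers, 10.20.0.0/24
#   10.10.0.5 = monitoring collector the devices report to (HTTPS)
#   10.10.0.53 = internal NTP server

flush ruleset

table inet isfw {
    chain forward {
        # Nothing crosses segments unless a rule below says so.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # What the devices are allowed to talk to: telemetry to the
        # collector over TLS and time sync. Nothing else.
        iifname "vlan30" ip saddr 10.30.0.0/24 ip daddr 10.10.0.5 tcp dport 443 accept
        iifname "vlan30" ip saddr 10.30.0.0/24 ip daddr 10.10.0.53 udp dport 123 accept

        # Any other connection initiated from the IoT segment (including
        # toward the EHR segment) is a lateral-movement indicator: log it,
        # then drop it. The prefix makes these lines easy to alert on.
        iifname "vlan30" log prefix "iot-lateral-drop: " drop

        # Only a designated biomedical maintenance host may reach the
        # devices, and only on the management ports the vendor requires.
        iifname "vlan20" ip saddr 10.20.0.10 oifname "vlan30" tcp dport { 22, 443 } accept

        # Nothing else from the clinical segment reaches the devices.
        oifname "vlan30" log prefix "iot-inbound-drop: " drop
    }
}
```

Load with `nft -f` and watch the kernel log for the two prefixes: a burst of "iot-lateral-drop" entries from a single device is exactly the signal a compromised pump or monitor would produce, and the policy has already contained it.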

IoT and connected medical devices offer healthcare providers a wealth of benefits, but they also open up a variety of new vulnerabilities. Smart providers take steps to know where they’re most vulnerable and lock down their environment. Our partner, Fortinet, offers complimentary threat assessments to healthcare providers, as well as a complete “ecosystem” of security products designed specifically for the complex healthcare environment.