The Internet of Medical Things (IoMT) has advanced the healthcare industry by strengthening its efficiency and accuracy. Smart medical devices have enabled doctors, physicians, nurses, and other medical staff to enhance the delivery of healthcare services and improve the patient experience. However, reaping the many benefits that these smart medical devices offer is not a straightforward task; IoMTs come with significant risks, and managing these risks is imperative to maintaining operational continuity and ensuring patient safety. Despite acknowledging this fact, healthcare delivery organizations (HDOs) struggle with managing IoMT risks, and below are four key reasons why.
#1: Insufficient Authentication
IoMTs are not 802.1x compliant, meaning they require alternative authentication protocols, such as MACsec and MAB. However, these protocols rely on a device’s MAC address for identification and authentication, which brings significant challenges. A MAC address database must be created and maintained, which is a tedious task and one that is vulnerable to human error. More concerning is that MAC addresses can be easily spoofed, and some devices don’t even have one, rendering MACsec and MAB futile.
The weaknesses of MACsec and MAB mean it is difficult to precisely determine which assets are connected to the network. Whether a device was erroneously authenticated or bypassed authentication entirely, the result is the same; the risks to the enterprise are unknown.
#2: Incompatible With Agents
Smart medical devices are incompatible with traditional security and inventory tools as they do not support agents. In turn, security teams have to resort to archaic and manual methods of inventorying assets and determining their identity, which is extremely unreliable. Not only is a manual inventory impractical and impossible to maintain in real-time, but it also runs the risk of devices going unaccounted for or being mistakenly identified. As such, with the asset inventory providing an inaccurate representation of the environment, security teams cannot determine the true risks.
#3: Limited Context
IT security solutions fail to differentiate between medical devices; instead, they treat every endpoint as the same. But seeing a device can only tell so much – without deeper insights into its usage and technical properties, a device’s unique context is not understood and assessed. Establishing a device’s risk posture without a complete picture of its identity and context is a paradox that misguides security teams’ perception of risks.
#4: Not Understanding Risk
Ultimately, the greatest obstacle to managing IoMT risks is not understanding them. The aforementioned challenges all encompass visibility gaps that prevent security teams from understanding an asset’s risk. Without complete visibility, certain properties, or the device itself, get overlooked, resulting in risks not being fully understood – and one cannot manage what one cannot understand, measure, and rank.
The Root of the Problem
Overcoming asset risk management challenges requires getting to the root cause of the problem; HDO security teams must have complete visibility of all IoMTs, down to their physical properties, to ensure that risks are truly and accurately represented. Doing so provides a solid foundation for effective and comprehensive asset risk management of IoMTs.