The adoption of connected medical devices, collectively called the Internet of Medical Things (IoMT), has transformed patient care. However, this technological advancement has also introduced cybersecurity challenges to safeguard patient safety and uphold organizational security.
Securing IoMT: Prioritizing risks
IoMT devices, ranging from infusion pumps to imaging systems, are often interconnected and communicate over networks, making them potential entry points for cyber threats. The unique nature of medical devices, often running on legacy systems with extended lifecycles, compounds the complexity of securing them.
“Healthcare organizations are constantly battling to manage devices with high CVSS scores of 9.0 and above. We found 20% of OT and IoMT devices fall into this high-risk category. Of course, these CVSS scores are valuable. However, they are often relied on when prioritizing which ones to fix. Organizations are trying to “boil the ocean” when dealing with vulnerabilities,” Ty Greenhalgh, Industry Principal for Healthcare at Claroty, told Help Net Security.
“To truly manage and prioritize risks, organizations need to look beyond technical scores and consider contextual risk factors that impact operations related to patient care. This can include identifying devices in critical care areas, legacy devices close to or past their end-of-life status, where any insecure communication protocols are, and how sensitive personal information is being stored,” Greenhalgh added.
Security weaknesses in medical devices
1. Legacy systems and outdated firmware
A significant number of medical devices operate on outdated operating systems. Studies have shown that 14% of connected medical devices run on unsupported or end-of-life operating systems, with imaging devices like x-ray and MRI systems comprising 32% of these unsupported devices. This reliance on obsolete software renders them susceptible to known exploits.
2. Default and weak authentication
Alarmingly, 21% of medical devices are secured by weak or default credentials, which are often easily obtainable from online manuals. This oversight provides a gateway for attackers to infiltrate hospital networks.
3. Unsegmented networks
Approximately 22% of hospitals have devices that bridge guest and internal networks. Shockingly, 4% of surgical devices communicate over guest networks, exposing critical equipment to potential attacks from public access points.
4. Lack of visibility and inventory management
Many healthcare organizations lack a comprehensive inventory of their connected devices. This absence of visibility hampers effective monitoring and risk assessment, leaving numerous devices unmonitored and vulnerable.
The cost of inaction
1. Attacks
The healthcare sector has become a prime target for ransomware attacks. In 2024, 92% of healthcare organizations experienced at least one cyberattack, with 69% reporting disruptions to patient care as a direct consequence.
2. FDA warnings and device recalls
In March 2019, the FDA issued warnings concerning cybersecurity vulnerabilities in Medtronic’s implantable cardiac devices. The identified flaws could have allowed unauthorized users to access and control these devices, posing severe risks to patient safety.
3. Nation-state threats
APTs have increasingly targeted healthcare infrastructures. These sophisticated attacks often aim to exfiltrate sensitive patient data or disrupt critical services, underscoring the necessity for robust defense mechanisms.
Regulatory and compliance challenges
1. FDA and medical device security regulations
The FDA has emphasized the importance of cybersecurity in medical devices, issuing guidelines that urge manufacturers to incorporate security measures throughout the device lifecycle. Compliance with these guidelines is essential to ensure both patient safety and regulatory approval.
2. HIPAA and IoMT
The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of patient information. Medical devices that handle protected health information (PHI) must adhere to HIPAA’s stringent security requirements to prevent unauthorized access and data breaches.
3. EU MDR and GDPR implications
The European Union’s Medical Device Regulation (MDR) and General Data Protection Regulation (GDPR) impose strict standards on medical device security and data protection. Non-compliance can result in substantial fines and legal repercussions, making it imperative for organizations to align their practices with these regulations.
Proactive engagement
“For CISOs, the priority should be proactive engagement. First, implement real-time vulnerability tracking and ensure security patches can be deployed quickly without disrupting device functionality. Medical device security must be continuous—not just a checkpoint during development or regulatory submission. Second, regulatory alignment isn’t a one-time effort. The FDA now expects ongoing vulnerability monitoring, coordinated disclosure policies, and robust software patching strategies. Automating security processes—whether for SBOM (Software Bill of Materials) management, dependency tracking, or compliance reporting—reduces human error and improves response times. An SBOM is valuable not just for compliance but as a tool for tracking and mitigating vulnerabilities throughout a device’s lifecycle,” Ken Zalevsky, CEO of Vigilant Ops explained.
“Finally, collaboration is essential. Medical device cybersecurity is a shared responsibility across manufacturers, healthcare providers, and regulators. Establishing clear, repeatable processes for assessing supplier risk and securing software supply chains will reduce exposure to threats like ransomware and zero-day exploits,” Zalevsky added.
Risk mitigation strategies
Building a medical device security framework:
- Asset inventory and risk assessment: Conduct thorough inventories of all connected medical devices and perform regular risk assessments to identify and prioritize vulnerabilities.
- Network segmentation and microsegmentation: Implement network segmentation to isolate medical devices from other critical systems, reducing the potential impact of a compromised device.
- Zero trust architecture: Adopt a zero trust model, enforcing strict access controls and continuous verification for all devices and users within the network.
Improving vendor security management:
- Accountability for security updates: Establish clear agreements with device manufacturers, holding them responsible for timely security patches and updates.
- Software Bill of Materials (SBOM): Require vendors to provide an SBOM, offering transparency into the components and software within each device to better assess potential vulnerabilities.
Leveraging AI and threat intelligence:
- Anomaly detection: Utilize artificial intelligence to monitor device behavior and detect anomalies that may indicate a security breach.
- Threat intelligence sharing: Participate in information-sharing initiatives to stay informed about emerging threats and vulnerabilities.
Incident response and resilience planning:
- IoMT-specific response plans: Develop incident response plans tailored to medical device security incidents, ensuring rapid containment and mitigation.
- Regular drills and simulations: Conduct tabletop exercises and simulations to prepare for potential cyber incidents, enhancing organizational readiness and response capabilities.
“The rate at which digital transformation is onboarding new devices onto the network is outpacing organizations’ abilities to track where these assets are or how they’re performing. This can lead to underutilised assets that needlessly drain budgets. CISOs must improve their understanding of how assets interact with the network to identify areas of wasteful spending and pinpoint opportunities to optimise underutilised technology. To do this, they need to embrace a visibility first mindset and establish a robust asset management system. This is essential to maximise resources and minimise financial losses,” Greenhalgh explained
“To aid this, security leaders must break down knowledge silos within their organizations. CISOs should review their current policies and engage knowledgeable stakeholders from across the organization. Clinical engineers, for instance, hold invaluable insights into the technologies behind medical devices, yet they are often excluded from asset management and network security discussions,” Greenhalgh concluded. Help Net Security
