Product Security Glossary

IoMT Security

What is IoMT security? 

IoMT security deals with ensuring that medical devices can operate in a secure manner. 

What is the IoMT? 

The IoMT is the Internet of Medical Things.  By providing a constant stream of real-time data, Medical Things can help health care professionals provide more precise treatments for patients.  They can also help provide more timely care and a streamlined workflow. 

Why do we need IoMT security? 

There are two reasons why we need IoMT security.  The first is the matter of patients’ privacy.  Medical data leaks could prove at least embarrassing, and possibly devastating, to a patient.  Many countries have laws that are designed to protect patients’ privacy, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States.  Medical professionals who don’t properly safeguard patients’ medical data could find themselves in deep trouble.

The other reason why we need IoMT security is for patients’ safety.  In many cases, a patient’s life could depend upon proper operation of an IoMT device.  These devices could be controllers for air purifiers or other environmental equipment, or they could be devices with an even higher risk such as pacemakers, insulin pumps, or morphine infusion devices.  A patient could suffer serious injury or die if a bad actor were to hack into any of these devices.  And indeed, there have been documented attacks against medical devices. 

What are the challenges with IoMT security? 

Many legacy devices that may still be in use were not designed with security in mind.  These devices may lack proper encryption for their data streams, or they may be running outdated operating systems.  Some pacemaker models lack the authentication mechanisms that a doctor needs in order to control who can reprogram the pacemaker.  Without them, anyone in the vicinity of the pacemaker could reprogram it.  To make matters worse, it’s possible to locate many IoMT devices simply by searching for them on Shodan, the IoT search engine.  Many devices that you’ll find on Shodan are not running with proper network security, and may even be accessible via older, vulnerable versions of Secure Shell.

What can we do about IoMT security?

IoMT security isn’t something that can just be added onto a medical device.  Rather, it needs to be designed into the device at the very beginning of the design stage.  Programmers need to adhere to secure programming practices, and secret keys must be stored in a secure area that hackers can’t reach. Proper authentication is needed to ensure that only authorized personnel can log in. The boot process for each device must be safeguarded, to prevent attackers from replacing the legitimate operating system with something malicious. Communication must be done with strong encryption protocols, and there must be a mechanism for keeping the software and operating system up-to-date. 
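To make the authentication requirement concrete, here is a device-side check that accepts a reprogramming command only if it carries a valid HMAC and a fresh counter. This is an added example, not code from any device or vendor; the frame layout, the names, the SET_RATE command and the key are constructed for illustration, and the key is assumed to live in the device's secure key storage.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                  # HMAC-SHA256 output size in bytes
HDR = struct.Struct(">Q")     # 64-bit big-endian message counter


def sign_command(key: bytes, counter: int, payload: bytes) -> bytes:
    """Programmer side: frame = counter || payload || HMAC(key, counter || payload)."""
    body = HDR.pack(counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class DeviceVerifier:
    """Device side: accept a command only if it is authentic and not a replay."""

    def __init__(self, key: bytes):
        self._key = key           # assumption: read from secure key storage
        self._last_counter = 0    # assumption: persisted in non-volatile memory

    def accept(self, frame: bytes):
        """Return the payload if the frame verifies, otherwise None."""
        if len(frame) < HDR.size + TAG_LEN:
            return None                              # too short to be a valid frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None                              # wrong key or modified frame
        (counter,) = HDR.unpack_from(body)
        if counter <= self._last_counter:
            return None                              # old frame sent again
        self._last_counter = counter                 # advance only after the tag checks out
        return body[HDR.size:]


def demo():
    key = bytes(range(32))                           # constructed sample key
    device = DeviceVerifier(key)
    good = sign_command(key, 1, b"SET_RATE=60")      # constructed command
    forged = sign_command(b"\x00" * 32, 2, b"SET_RATE=200")
    tampered = good[:-1] + bytes([good[-1] ^ 1])     # one bit flipped in the tag
    return [
        device.accept(forged),                       # None: signed with the wrong key
        device.accept(tampered),                     # None: tag no longer matches
        device.accept(good),                         # accepted
        device.accept(good),                         # None: same counter seen again
        device.accept(sign_command(key, 2, b"SET_RATE=65")),  # accepted
    ]
```

The counter is updated only after the tag verifies, so an unauthenticated frame cannot push the counter forward and lock out the legitimate programmer.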

When deploying medical devices, be sure that your device network is properly segmented and secured.  Also, be sure that no critical network ports are exposed to the Internet where they’ll be accessible to hackers. 

The bottom line is that IoMT security is extremely important.  It requires proper device design and proper mechanisms for keeping devices secure.