
5 Ways Hospitals Can Help Improve Their IoT Security

HIPAA compliance does not equal security, as continuing attacks on healthcare organizations show. Medical devices need to be secured.

Xu Zou, Tapan Mehta

October 17, 2023

[Image: Medical devices for ultrasound examination. Source: Sergey Ryzhov via Alamy Stock Photo]

Connected medical devices have transformed patient care and the patient experience. But because these devices now handle clinical and operational tasks, they have become targets for attackers seeking to profit from valuable patient data or from disrupted operations. When Palo Alto Networks analyzed more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations, it found that 75% of them had at least one known vulnerability or security alert.

Besides being difficult to protect, these devices also complicate compliance with the security requirements of laws such as the Health Insurance Portability and Accountability Act (HIPAA). There are, however, several strategies hospitals can use to bolster their defenses. Here are five actionable ways hospitals can help secure medical devices while continuing to deliver life-saving patient care without disruption.

1. Maintaining Vigilant Visibility

Developing a zero-trust (ZT) security approach is critical to defending against today's sophisticated attacks, but the first step is complete visibility of every asset on the network. Infosec and biomed teams need a comprehensive picture of everything connected to the hospital's network, which of those assets are medical devices, and where each one is exposed. Visibility then has to go beyond the device level: to enforce ZT, teams must also identify the main applications and components running on each device and the protocols it uses to talk to other systems. For example, knowing which systems, such as electronic health records (EHRs) and picture archiving and communication systems (PACS), exchange Digital Imaging and Communications in Medicine (DICOM) and Fast Healthcare Interoperability Resources (FHIR) data with a device, and which other business-critical applications it depends on, substantially improves the overall visibility posture of the asset estate.

2. Identifying Device Exposures

Device vulnerabilities fall into two broad categories: static and dynamic exposures. Static exposures are typically Common Vulnerabilities and Exposures (CVEs) in the device's software or firmware; each can be assessed and addressed on its own. Dynamic exposures arise from how devices communicate: which other systems they talk to and where they send information, whether within the hospital or to third parties. Because they depend on observed behavior rather than on a version string, they are harder to identify and address. Artificial intelligence (AI) and automation will play an increasingly important role in helping hospitals find these exposures by providing data-driven insights and prioritized recommendations on how to remediate them more efficiently.

3. Implementing a Zero-Trust Approach

Once hospitals have a clear grasp of their assets and exposures, they can apply a ZT approach by limiting access to vulnerable devices and applications. By separating devices and workloads into microsegments, administrators can manage security policies based on least-privilege access: a device is allowed to talk only to the systems and ports it actually needs. This reduces the attack surface, improves breach containment, and strengthens regulatory compliance, because devices with different requirements can be placed in segments with different security controls. For example, if a workstation in the hospital is compromised, microsegmentation can confine the damage to that workstation's segment instead of letting the attacker reach the medical devices that are critical to patient care.
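The three steps above (inventory, static versus dynamic exposures, and a least-privilege segmentation policy) can be tied together with ordinary flow telemetry. The Python below is an added example written for this page, not code from the article or from Palo Alto Networks. The zones, addresses, device names, flow records and the "CVE-placeholder-1" finding are all constructed; it assumes that everything in 10.0.0.0/8 is internal to the hospital and that a medical device's legitimate peers live in a "clinical-servers" zone.

```python
"""Constructed example: asset inventory + flow records -> static/dynamic exposures -> microsegmentation policy."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Hypothetical hospital addressing: everything in 10/8 is internal; zones are VLAN ranges.
HOSPITAL_RANGE = ipaddress.ip_network("10.0.0.0/8")
ZONES = {
    "medical-devices": ipaddress.ip_network("10.20.1.0/24"),
    "clinical-servers": ipaddress.ip_network("10.20.5.0/24"),
    "workstations": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed inventory. Finding IDs are placeholders, not real CVEs.
INVENTORY = {
    "10.20.1.11": {"name": "infusion-pump-01", "static_findings": ["CVE-placeholder-1"]},
    "10.20.1.12": {"name": "ct-scanner-01", "static_findings": []},
    "10.20.5.2": {"name": "pacs-01", "static_findings": []},
    "10.20.5.3": {"name": "drug-library-srv", "static_findings": []},
    "10.30.4.7": {"name": "nurse-ws-07", "static_findings": []},
}

# Constructed flow summaries (src,dst,dport,proto,bytes), the shape a NetFlow/Zeek export would give.
FLOWS = """\
10.20.5.3,10.20.1.11,8443,tcp,120400
10.20.1.12,10.20.5.2,104,tcp,9830011
10.30.4.7,10.20.1.11,80,tcp,3120
10.20.1.11,203.0.113.50,443,tcp,55090
10.30.4.7,10.20.5.2,443,tcp,77000
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other-internal" if addr in HOSPITAL_RANGE else "external"

def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, proto, nbytes = line.split(",")
            flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows

def find_exposures(inventory: dict, flows: list[Flow]):
    """Static = a finding on the device itself; dynamic = how the device is reached or where it sends data."""
    static = [(dev["name"], f) for dev in inventory.values() for f in dev["static_findings"]]
    dynamic = []
    for fl in flows:
        src_dev, dst_dev = inventory.get(fl.src), inventory.get(fl.dst)
        if src_dev and zone_of(fl.src) == "medical-devices" and zone_of(fl.dst) == "external":
            dynamic.append((src_dev["name"], f"sends data to external host {fl.dst}:{fl.dport}"))
        if dst_dev and zone_of(fl.dst) == "medical-devices" and zone_of(fl.src) == "workstations":
            what = "vulnerable device" if dst_dev["static_findings"] else "device"
            dynamic.append((dst_dev["name"], f"{what} accepts {fl.proto}/{fl.dport} from workstation zone ({fl.src})"))
    return static, dynamic

def derive_allowlist(flows: list[Flow], peer_zones=("clinical-servers",)) -> set[tuple[str, str, int]]:
    """Least privilege from observed behaviour: a device may talk only to clinical-server peers (or other devices) on ports actually seen."""
    policy = set()
    for fl in flows:
        zones = {zone_of(fl.src), zone_of(fl.dst)}
        if "medical-devices" in zones and (zones - {"medical-devices"}) <= set(peer_zones):
            policy.add((fl.src, fl.dst, fl.dport))
    return policy

def is_allowed(policy, src: str, dst: str, dport: int) -> bool:
    """Default-deny for anything touching the medical-device segment; other segments keep their existing rules."""
    if "medical-devices" not in (zone_of(src), zone_of(dst)):
        return True
    return (src, dst, dport) in policy

def blast_radius(inventory: dict, policy, compromised: str) -> tuple[set[str], set[str]]:
    """Medical devices a compromised host can reach on a flat network vs. under the allow-list."""
    flat = {d["name"] for ip, d in inventory.items() if zone_of(ip) == "medical-devices" and ip != compromised}
    segmented = {inventory[dst]["name"] for src, dst, _ in policy
                 if src == compromised and dst in inventory and zone_of(dst) == "medical-devices"}
    return flat, segmented

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    static, dynamic = find_exposures(INVENTORY, flows)
    print("static:", static)
    print("dynamic:", dynamic)
    policy = derive_allowlist(flows)
    print("allow-list:", sorted(policy))
    print("nurse-ws-07 compromised -> reachable (flat, segmented):", blast_radius(INVENTORY, policy, "10.30.4.7"))
```

Two things the flow data surfaces that a CVE scan alone would not: the pump with the static finding is being reached on tcp/80 from a nurse workstation, and it is sending data to a host outside the hospital. The allow-list derived from observed clinical traffic drops both of those paths while leaving workstation-to-PACS traffic untouched, and the blast-radius check shows the compromised workstation going from reaching every device to reaching none. In practice the observed flows must be reviewed with the biomed team before they become policy, since a learning window can just as easily enshrine an attacker's traffic as legitimate.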

4. Rolling Out Virtual Patching for Legacy Systems

Medical devices often stay in service at hospitals for a decade or more, so many run on legacy software and operating systems. Because the device's certified configuration is controlled by the vendor, hospitals often cannot upgrade or patch the specialized medical system themselves, which leads to security issues that general-purpose IT does not face. Hospitals also may not be able to take devices offline to update or patch them, since doing so risks interrupting patient care. As hospitals adopt a ZT approach, they can invest in other forms of protection, such as virtual patching, to reduce medical device exposures. For example, a next-generation firewall with intrusion prevention can block attempts to exploit a known vulnerability at the network and application layers, in front of the device, without anyone needing to touch the device itself. Virtual patching does not remove the underlying flaw, and it protects only traffic that passes through the enforcement point, so the vendor's patch should still be applied at the next maintenance window.
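As an added example of what "virtual patching" can mean at the application layer, the Python below implements an inline gatekeeper for DICOM association requests to a legacy modality that cannot be patched. It is written for this page and is not code from the article, from Palo Alto Networks or from any DICOM toolkit. It parses the A-ASSOCIATE-RQ PDU layout from DICOM PS3.8 (6-byte PDU header, protocol version, called and calling AE titles, then TLV items), rejects malformed PDUs (inconsistent length, oversized PDU, control characters in an AE title, truncated items) before they reach the device, and forwards only associations from an allow-listed calling AE title. The device and AE names, the implementation UID and version string, and the builder used to make sample PDUs are all constructed.

```python
"""Constructed example: a DICOM association gatekeeper as a form of virtual patching."""
from __future__ import annotations
import struct
from dataclasses import dataclass

PDU_ASSOCIATE_RQ = 0x01
ITEM_APP_CONTEXT, ITEM_PRES_CONTEXT, ITEM_USER_INFO = 0x10, 0x20, 0x50
SUB_MAX_PDU, SUB_IMPL_CLASS_UID, SUB_IMPL_VERSION = 0x51, 0x52, 0x55
FIXED_HEADER = 74  # 6-byte PDU header + 68 bytes of fixed A-ASSOCIATE-RQ fields (PS3.8 9.3.2)

class RejectPDU(ValueError):
    """Raised for anything that must not be forwarded to the protected device."""

@dataclass
class AssociateRQ:
    called_ae: str
    calling_ae: str
    app_context: str = ""
    impl_class_uid: str = ""
    impl_version: str = ""
    presentation_contexts: int = 0

def _ae_title(raw: bytes) -> str:
    # AE value representation: 16 bytes, printable ASCII, no backslash or control characters (PS3.5 6.2).
    if len(raw) != 16 or any(b < 0x20 or b > 0x7E or b == 0x5C for b in raw):
        raise RejectPDU("AE title is not 16 printable ASCII bytes")
    title = raw.decode("ascii").strip()
    if not title:
        raise RejectPDU("empty AE title")
    return title

def _items(buf: bytes):
    """Walk TLV items and sub-items: type(1) reserved(1) length(2, big-endian) value."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise RejectPDU("truncated item header")
        typ, _, ln = struct.unpack_from(">BBH", buf, off)
        value = buf[off + 4:off + 4 + ln]
        if len(value) != ln:
            raise RejectPDU(f"item 0x{typ:02x} claims {ln} bytes but PDU ends early")
        yield typ, value
        off += 4 + ln

def parse_associate_rq(pdu: bytes, max_pdu: int = 65536) -> AssociateRQ:
    if len(pdu) < FIXED_HEADER:
        raise RejectPDU("PDU shorter than the fixed A-ASSOCIATE-RQ header")
    typ, _, length = struct.unpack_from(">BBI", pdu, 0)
    if typ != PDU_ASSOCIATE_RQ:
        raise RejectPDU(f"unexpected PDU type 0x{typ:02x}")
    # The length field counts everything after the 6-byte header; refuse oversized or inconsistent values.
    if length > max_pdu or length + 6 != len(pdu):
        raise RejectPDU(f"length field {length} inconsistent with {len(pdu)} bytes received")
    version = struct.unpack_from(">H", pdu, 6)[0]
    if (version & 0x0001) == 0:
        raise RejectPDU("peer does not offer protocol version 1")
    rq = AssociateRQ(called_ae=_ae_title(pdu[10:26]), calling_ae=_ae_title(pdu[26:42]))
    for typ, value in _items(pdu[FIXED_HEADER:]):
        if typ == ITEM_APP_CONTEXT:
            rq.app_context = value.decode("ascii", "replace")
        elif typ == ITEM_PRES_CONTEXT:
            rq.presentation_contexts += 1
        elif typ == ITEM_USER_INFO:
            for sub, sval in _items(value):
                if sub == SUB_IMPL_CLASS_UID:
                    rq.impl_class_uid = sval.decode("ascii", "replace")
                elif sub == SUB_IMPL_VERSION:
                    rq.impl_version = sval.decode("ascii", "replace")
    return rq

def gate(pdu: bytes, device_ae: str, allowed_callers: set[str]):
    """Forward/drop decision for one inbound A-ASSOCIATE-RQ: returns (forward?, reason, parsed request or None)."""
    try:
        rq = parse_associate_rq(pdu)
    except RejectPDU as err:
        return False, f"drop: {err}", None
    if rq.called_ae != device_ae:
        return False, f"drop: called AE {rq.called_ae!r} is not the protected device", rq
    if rq.calling_ae not in allowed_callers:
        return False, f"drop: calling AE {rq.calling_ae!r} not on the allow-list", rq
    return True, "forward", rq

# ---- constructed sample traffic (builder exists only to produce test PDUs) ----
def _item(typ: int, value: bytes) -> bytes:
    return struct.pack(">BBH", typ, 0, len(value)) + value

def build_associate_rq(called: str, calling: str, impl_uid: bytes, impl_version: bytes) -> bytes:
    items = _item(ITEM_APP_CONTEXT, b"1.2.840.10008.3.1.1.1")  # DICOM application context name
    pres = bytes([1, 0, 0, 0]) + _item(0x30, b"1.2.840.10008.5.1.4.1.1.2") + _item(0x40, b"1.2.840.10008.1.2")
    items += _item(ITEM_PRES_CONTEXT, pres)  # one context: CT Image Storage, implicit VR little endian
    user = _item(SUB_MAX_PDU, struct.pack(">I", 16384)) + _item(SUB_IMPL_CLASS_UID, impl_uid) + _item(SUB_IMPL_VERSION, impl_version)
    items += _item(ITEM_USER_INFO, user)
    body = struct.pack(">HH", 1, 0) + called.ljust(16).encode("ascii") + calling.ljust(16).encode("ascii") + bytes(32) + items
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body

# Hypothetical implementation UID and version string, not a real vendor's values.
SAMPLE_GOOD = build_associate_rq("CT_SCANNER_1", "PACS_SCU", b"1.2.3.4.5.6.7", b"MODALITY_1.0")
SAMPLE_BAD_LENGTH = SAMPLE_GOOD[:2] + b"\x7f\xff\xff\xff" + SAMPLE_GOOD[6:]             # length field lies
SAMPLE_BAD_AE = SAMPLE_GOOD[:26] + b"ROGUE\x00SCU".ljust(16, b" ") + SAMPLE_GOOD[42:]  # control char in calling AE
SAMPLE_UNKNOWN_CALLER = build_associate_rq("CT_SCANNER_1", "NURSE_WS_07", b"1.2.3.4.5.6.7", b"MODALITY_1.0")

if __name__ == "__main__":
    for label, pdu in [("good", SAMPLE_GOOD), ("bad-length", SAMPLE_BAD_LENGTH),
                       ("bad-ae", SAMPLE_BAD_AE), ("unknown-caller", SAMPLE_UNKNOWN_CALLER)]:
        ok, why, rq = gate(pdu, "CT_SCANNER_1", {"PACS_SCU"})
        print(f"{label:15} {why}" + (f" | impl={rq.impl_version}" if rq else ""))
```

The parsed implementation class UID and version name are also exactly the fields a passive sensor would record to build the device-level inventory described in section 1. The caveat from the text applies unchanged: this shields the modality only from traffic that crosses the gatekeeper, and a request that is well-formed and comes from an allow-listed AE title is still forwarded, so it narrows the exposure rather than fixing the device.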

5. Instituting Transparency Across the Ecosystem

Communication and transparency are critical to preventing threats from the start. Hospital CSOs and infosec teams must be included in the device procurement process because they offer a critical perspective on how to protect devices throughout their life cycles. Hospitals, security teams, vendors, and device manufacturers must work together to create solutions and strategies that keep security at the forefront for the whole of a medical device's life. Historically, when hospitals were under attack, security teams worked together to defend against attackers, but after the attack the information stayed between the security teams and the hospitals, with very little (if any) going back to the device manufacturer about how it could improve its devices' security. Hospitals must be more proactive about sharing direct feedback with device manufacturers on areas for improvement.

Ultimately, as cybersecurity policy for medical devices continues to evolve, hospitals can already build solutions to today's security challenges and prepare for tomorrow's. Regardless of the unknowns, we can make a more proactive effort to shift security left, into device procurement and design, and to foster a culture of cyber resiliency across the medical community.

About the Authors

Xu Zou

VP of Products / IoT Security, Palo Alto Networks

Xu Zou is VP of Products, IoT Security at Palo Alto Networks. Xu joined Palo Alto Networks via the acquisition of Zingbox, the IoT security startup he co-founded in 2014. Before starting Zingbox, Xu was senior director at Aerohive Networks, where he launched Aerohive's cloud-based Bring-Your-Own-Device (BYOD) security product. Prior to Aerohive, Xu was senior director at Aruba Networks, where he managed Aruba's industrial and carrier product line. Xu joined Aruba through the acquisition of Azalea Networks, where he was a founding member and the VP of Software. Before Azalea Networks, Xu was a senior engineer at Airespace, acquired by Cisco in 2005. Xu has an Executive MBA from the Wharton School, University of Pennsylvania, and holds an M.S. in Computer Science from Michigan State University and a B.S. in Computer Science from Tsinghua University. Xu also holds 10 international patents on security and networking.

Tapan Mehta

Global Leader of Healthcare Strategy & Solutions, Palo Alto Networks

Tapan Mehta is the global leader for Healthcare Strategy & Solutions at Palo Alto Networks, accountable for the overall global strategy, solution development, thought leadership, business development efforts, and go-to-market execution.

Tapan brings a wealth of healthcare domain knowledge by relying on 20-plus years of experience with extensive expertise in strategy, industry solutions, thought leadership, partner alliances (start-ups and technology vendors), consultative engagements, C-suite relationship building, and overall GTM execution. He has held leadership positions leading cross-functional teams to develop innovative solutions, win market share, and incubate new business models.

Tapan has strong clinical and technology domain expertise in several areas such as health informatics, patient experience, clinical workflows, virtual healthcare, regulatory and security compliance (e.g., HIPAA, PCI), Internet of Things (IoT) security, cloud computing, and data analytics. He is passionate about helping customers transform their businesses by leveraging technology, people, and process with the goal of improving the quality of care and patient outcomes.

Tapan is a graduate of the University of Michigan where he studied electrical engineering with a minor in business administration. He has spoken at several healthcare conferences such as HIMSS, CHIME, H-ISAC, ATA, and Medical Device Connectivity and continues to be an active member in the global healthcare community.

