In yet another sign that the vulnerability of the internet of things (IoT) is becoming a priority issue for both healthcare organizations that are adopting connected medical devices, and for a U.S. federal government concerned with mandating a stronger cybersecurity posture for America’s critical infrastructure and at-risk industries, Congress is now considering the bipartisan Protecting and Transforming Cyber Health Care (PATCH) Act of 2022. The PATCH Act (HR 7084) was introduced in the House of Representatives on March 15, and its companion bill (S 3983) was introduced in the Senate on March 31.
Intended to strengthen the security of connected medical devices—also known as the internet of medical things (IoMT)—the PATCH Act would compel medical device manufacturers to demonstrate that their products meet certain minimum security requirements before being approved for use. Among the mandatory measures:
- A plan to monitor, identify, and address vulnerabilities and exploits within a reasonable time once devices are approved and in use;
- A plan to coordinate communication and disclosure of any discovered vulnerabilities with the Food and Drug Administration (FDA);
- Processes for patching vulnerabilities and other needed updates throughout a device’s entire lifecycle; and,
- Disclosure of a software bill of materials (SBOM) to the FDA and device users.
The Threat is Real and Rising
The healthcare industry is among the most frequently targeted by threat actors, and heavily reliant on connected medical devices. One recent study found that as many as 75% of all medical devices contained at least one vulnerability, and another study found that the average hospital has an inventory of more than 3,850 IoMT devices. And, according to industry reports, 49% of smaller medical organizations don’t have a cyber-attack response plan in place, 679 U.S. hospitals were breached by cyberattacks in 2021, and the U.S. Department of Health and Human Services issued a warning that cyberattacks are likely to rise as cybergangs and state-sponsored hacker groups increase activity as a result of ongoing conflict in Eastern Europe.
Poor security and inadequate vulnerability disclosure is not just an issue plaguing the IoMT. EE Times recently reported that, across all use cases, the security of connected devices is a major concern, and that manufacturers of such products are not reporting known issues and vulnerabilities with their goods. Our research report—Rise of the Machines 2021: State of Connected devices — IT, IoT, IoMT and OT—found that, in addition to IoMT, healthcare networks are populated with devices like Pelotons, smart speakers, game consoles, vending machines, and many more unmanaged devices, compounding security challenges.
PATCH Act and Action Needed
Ordr supports the PATCH Act and its goals of increasing security for healthcare organizations and the welfare of the millions of patients who rely on them for treatment. However, hospitals and other healthcare organizations cannot afford to wait for the PATCH Act to take effect if it ever becomes law. The threat to their IT networks is real and present. We recommend the immediate adoption of a number of security best practices to effect stronger security now, and to increase readiness and resiliency in the event of an attack. These include:
- Implement IoMT, IoT, and operational technology (OT) device discovery to compile and maintain a real-time inventory of devices: You can’t protect what you don’t know about. Security starts with real-time visibility of exactly what you have in your network and how those components are communicating in the network.
- Monitor all devices for suspicious behavior: Unlike most IT systems and software, medical devices, and many IoT and OT devices have deterministic functions. Any deviation from normal patterns can be an indication of attack or compromise. Using machine learning to baseline normal device behavior can ensure rapid response and threat mitigation.
- Track who is using your devices: By tracking and associating devices to users, you can identify compromised devices and also potential account misuse.
- Implement Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operations by allowing “normal communications” required for its function, while limiting exposure.
Ordr, an unprecedented three-time leader in healthcare IoT security as determined by the independent KLAS Research, has the tools and expertise to help healthcare organizations see, control, and secure their entire connected device inventory. The Ordr platform is trusted by many of the world’s leading healthcare delivery organizations. You can trust us to protect your healthcare organization, too.