By Anand Oswal, Senior Vice President and GM at cyber security leader Palo Alto Networks
Connected medical devices, also known as the Internet of Medical Things or IoMT, are revolutionizing healthcare, not only from an operational standpoint but also in patient care. In hospital and healthcare settings around the world, connected medical devices support critical patient care delivery and a wide variety of clinical functions, from medical infusion pumps and surgical robots to vital sign monitors, ambulance equipment, and so much more. At the end of the day, it’s all about patient outcomes and how to improve the delivery of care, so this kind of IoT adoption in healthcare brings opportunities that can be life-changing, as well as simply being operationally sound.
Yet, enabling these amazing patient outcomes through IoT technology brings with it an associated set of security risks to hospitals and patients that are in the news far too often. Ransomware, for example, is a particularly prevalent threat to healthcare providers around the world. In August 2022, the French hospital Centre Hospitalier Sud Francilien (CHSF) was the victim of a ransomware attack that disabled medical imaging and patient admission systems. And in October 2022, CISA issued an advisory to healthcare providers warning of a ransomware and data extortion group targeting the healthcare and public health sector with a particular interest in accessing database, imaging, and diagnostics systems within networks. But ransomware isn’t the only risk. In fact, according to a report in HIPAA Journal, there has been a 60% increase in cyberattacks of all varieties in healthcare in 2022,[1] making it an unfortunately routine aspect of delivering care that the industry must be prepared to address.
Why Medical IoT Devices Are at Risk
There are a number of reasons why medical IoT devices are at risk. Among the most common reasons is the fact that many of these devices are not designed with security in mind.
Many connected devices ship with inherent vulnerabilities. For example, according to research from Unit 42, 75% of infusion pumps have unpatched vulnerabilities.[2] Over half (51%) of all X-Ray machines had a high severity CVE (CVE-2019-11687), with around 20% running an unsupported version of Windows.[3]
Unit 42 research also found that 83% of ultrasound, MRI, and CT scanners run on an end-of-life operating system.[4] Those operating systems have known vulnerabilities that can potentially be exploited. Attackers are known to target vulnerable devices and then move laterally across the organization’s network to infect and damage the rest of a hospital network.
The impact of medical IoT device vulnerabilities is serious and potentially life-threatening. It’s not always easy and sometimes not even possible to update or patch some of these devices, either because doing so requires operational disruption of care delivery or due to a lack of computing capability of many types of devices. As a result, we’ve seen patient data exposed. We’ve seen hospital operations halted. While the attack potential is widespread, healthcare providers can take proactive steps to help minimize the vast majority of device-related security risks.
Among the challenges that medical facilities and health providers face is actually being aware of all the connected devices that are present. Visibility, however, isn’t the only thing that is needed to improve medical device security. In fact, there are four steps that can be taken to secure devices and reduce risk:
- Ensure visibility and risk assessment of all connected medical and operational devices. The first step in securing IoT in healthcare is to know what’s there; you can’t secure what you can’t see. Device visibility isn’t enough—you have to be able to continuously assess the risk the devices and their evolving vulnerabilities pose to the network.
- Apply contextual network segmentation and least-privileged access controls. Knowing a device is present is useful. What’s more useful is understanding what network resources or information can be accessed by the device. That’s where network segmentation comes into play, creating and enforcing policies that limit device access to only the resources necessary for its intended use and nothing more.
- Continuously monitor device behavior and prevent known and unknown threats. As these devices communicate across clinical environments and with external networks and services, ensure that you establish baseline behavior, monitor devices for anomalous behavior, and protect network-connected devices against threats such as malware.
- Simplify operations. In order to effectively manage and secure the sheer volume of devices on a healthcare network, providers require a solution that integrates with existing IT and security solutions to eliminate network blind spots, automate workflows, and reduce the burden of tedious manual processes for network administrators.
Better IoT Security Helps Ease Regulatory Compliance Challenges
Understandably, there are a lot of compliance requirements in healthcare. Healthcare compliance covers numerous areas like patient care, managed care contracting, Occupational Safety and Health Administration (OSHA), and Health Insurance Portability and Accountability Act (HIPAA) privacy and security, to name a few. Any attack involving a patient system or medical IoT device is most likely a compliance breach, resulting in the loss of sensitive data or access to sensitive data by unauthorized entities. Limited IoMT visibility and risk assessment make it difficult to meet regulatory, audit, and HIPAA requirements. Having complete visibility into all devices and their utilization of data reduces the burden of preparing for compliance audits and compiling compliance reports.
Humans place their trust in medical professionals to improve and sustain human health. Medical facilities rely on their technology to do the same. But trust should not be granted by default. It needs to be continuously monitored and validated. That’s where a Zero Trust approach comes into play.
Zero Trust, in very straightforward terms, is a cybersecurity strategy that seeks to eliminate implicit trust for any user, application, or device accessing an organization’s network. Zero Trust is not a product. For many customers, Zero Trust is a journey. For medical IoT security, Zero Trust starts from understanding several key things:
- Who is the user of the device?
- What is the device?
- What is the device supposed to do?
- Is the device doing what it is designed for?
On a continuous basis, Zero Trust means monitoring devices and their behavior for threats, malware, and policy violations to help reduce the risk by validating every interaction.
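The questions above (what is the device, what is it supposed to do, is it doing that) can be expressed as a default-deny check of observed network flows against a per-device-type profile. This is an added example, not code from the article or from any product; the device IDs, device types, hostnames, ports and flow records are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege profiles: the only (destination, port) pairs
# each device type needs for its intended use. Values are illustrative.
PROFILES = {
    "infusion_pump": {("pump-server.clinical.example", 443)},
    "xray": {("pacs.imaging.example", 104), ("pacs.imaging.example", 11112)},
}

# Constructed inventory: device_id -> device type ("what is the device?").
INVENTORY = {"pump-017": "infusion_pump", "xr-02": "xray", "cam-9": "ip_camera"}

@dataclass(frozen=True)
class Flow:
    device_id: str
    dst: str
    port: int

def evaluate(flows, inventory=INVENTORY, profiles=PROFILES):
    """Return (device_id, reason) for every flow that is not explicitly allowed.

    Nothing is trusted implicitly: a device missing from the inventory, or a
    device type with no profile, is a finding in its own right.
    """
    findings = []
    for f in flows:
        dev_type = inventory.get(f.device_id)
        if dev_type is None:
            findings.append((f.device_id, "unknown_device"))   # visibility gap
        elif dev_type not in profiles:
            findings.append((f.device_id, "no_profile"))       # no policy yet
        elif (f.dst, f.port) not in profiles[dev_type]:
            findings.append((f.device_id, "outside_profile"))  # not its job
    return findings

# Constructed flow records, e.g. as exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    Flow("pump-017", "pump-server.clinical.example", 443),  # expected
    Flow("xr-02", "pacs.imaging.example", 104),             # expected
    Flow("xr-02", "fileshare.corp.example", 445),           # X-ray to a file share
    Flow("cam-9", "nvr.facilities.example", 554),           # type has no profile
    Flow("dev-unlisted", "203.0.113.10", 443),              # not in inventory
]

if __name__ == "__main__":
    for device_id, reason in evaluate(SAMPLE_FLOWS):
        print(f"{device_id}: {reason}")
```
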
Take the Zero Trust Path of Least Resistance to Improve Healthcare IoT
Healthcare IT and security teams are overburdened, so security implementation shouldn’t be onerous. Improving security for medical IoT devices shouldn’t require a forklift upgrade of hospital networks either.
Most healthcare providers already have network firewalls that act as enforcement points for Zero Trust device security. When you want to enable visibility, risk assessment, segmentation, least privilege policies, and threat prevention on the journey toward Zero Trust, it should be done with as little friction as possible. Machine learning (ML) can also dramatically accelerate policy configuration, which can be automated. If security becomes another big project that requires significant human effort, it has less chance of being successful. Security needs to be integrated, easy to deploy, and as automated as possible.
Medical IoT devices help to improve human healthcare every day. Just like humans need to do the right things to stay healthy, it’s essential for medical IoT devices to stay healthy too. Lives literally depend on it.
1. “Healthcare Sees 60% YoY Increase in Cyberattacks,” HIPAA Journal, November 17, 2022.
2. Aveek Das, “Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization,” Unit 42, March 2, 2022.
3. Jun Du, Derick Liang, Aveek Das, “Windows XP, Server 2003 Source Code Leak Leaves IoT, OT Devices Vulnerable,” Unit 42, November 6, 2020.