{"id":592878,"date":"2023-01-01T05:50:31","date_gmt":"2023-01-01T11:50:31","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/01\/government-inaction-adds-pressure-to-iomt-device-and-data-security\/"},"modified":"2023-01-01T05:50:31","modified_gmt":"2023-01-01T11:50:31","slug":"government-inaction-adds-pressure-to-iomt-device-and-data-security","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/01\/government-inaction-adds-pressure-to-iomt-device-and-data-security\/","title":{"rendered":"Government inaction adds pressure to IoMT device and data security"},"content":{"rendered":"<div>\n<section>\n<p><time title=\"2022-12-31T19:10:00+00:00\" datetime=\"2022-12-31T19:10:00+00:00\">December 31, 2022 11:10 AM<\/time>\n\t\t\t<\/p>\n<\/section>\n<div>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"750\" height=\"500\" src=\"https:\/\/venturebeat.com\/wp-content\/uploads\/2021\/10\/GettyImages-1251551602-e1634921639991.jpg?fit=750%2C500&#038;strip=all\" alt=\"Asia woman wearing surgical mask on face protective for spreading of disease Covid-19 pandemic Coronavirus. 
Young Adult Asian using laptop while sitting on sofa with virtual graphic icon diagram.\"><\/p>\n<div>\n<p><em>Image Credit:  Poomsak Thammasermsakul \/\/ Getty Images<\/em><\/p>\n<\/div><\/div>\n<\/p><\/div>\n<div id=\"primary\" role=\"main\">\n<article id=\"post-2835178\">\n<div>\n<p>It\u2019s now become an unfortunate reality that U.S. hospital systems and other healthcare delivery organizations must look solely to their own leadership on Internet of Medical Things <a href=\"https:\/\/venturebeat.com\/ai\/elder-care-wireless-ai-and-the-internet-of-medical-things\/\" target=\"_blank\" rel=\"noreferrer noopener\">(IoMT)<\/a> device and data security, as new legislation won\u2019t be doing them any favors. With vulnerable IoMT devices a particularly popular pathway for ransomware and malware, the government\u2019s relative inaction is worrisome.<\/p>\n<h2>Healthcare security legislation, watered down<\/h2>\n<p>Many hospitals have championed the inclusion of medical device security provisions in this year\u2019s appropriations bill responsible for funding the U.S. Food and Drug Administration (FDA) and reauthorizing FDA user fee programs. <\/p>\n<p>In June, a version of the bill that would have placed new legally binding security requirements on IoMT device manufacturers easily passed in the House of Representatives. 
That bill would have \u2014 and should have \u2014 held manufacturers responsible for assessing the cybersecurity of their internet-connected devices <em>before<\/em> bringing them to market. It would also have required them to provide a software bill of materials (<a href=\"https:\/\/venturebeat.com\/security\/why-cisos-need-to-make-software-bills-of-materials-sboms-a-top-priority-in-2023\/\" target=\"_blank\" rel=\"noreferrer noopener\">SBOM<\/a>) for transparency and greater security insights into device software components and vulnerabilities.<\/p>\n<p>However, those device security provisions were <a href=\"https:\/\/www.scmagazine.com\/analysis\/device-security\/fda-bill-passes-without-cybersecurity-requirements-for-medical-devices\" target=\"_blank\" rel=\"noreferrer noopener\">stripped out<\/a> of the version of the bill that passed at the end of September, as FDA funding was set to expire and disappointing compromises were carried out against the clock.<\/p>\n<p><html><body><\/p>\n<p><\/body><\/p>\n<h2 id=\"h-the-patch-act\">The PATCH Act<\/h2>\n<p>Hope isn\u2019t lost for IoMT security requirements at the federal level. 
Introduced in March, the Protecting and Transforming Cyber Health Care <a href=\"https:\/\/www.cassidy.senate.gov\/newsroom\/press-releases\/cassidy-baldwin-introduce-bill-to-secure-health-care-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">(PATCH) Act<\/a> would impose similar requirements. Device manufacturers would have to demonstrate cybersecurity precautions to the FDA before going to market; provide transparent SBOMs; and deliver timely device security updates throughout their products\u2019 lifecycles. <\/p>\n<p>In June, the PATCH Act was endorsed by the <a href=\"https:\/\/www.aha.org\/lettercomment\/2022-06-24-aha-letter-senate-regarding-support-patch-act\" target=\"_blank\" rel=\"noreferrer noopener\">American Hospital Association<\/a>, which represents nearly 5,000 healthcare delivery organizations and millions of healthcare professionals.<\/p>\n<p>While medical device security proponents rightfully view the watered-down FDA appropriations bill as a frustrating missed opportunity, efforts such as the PATCH Act and others that enforce security at the manufacturer level will certainly continue.<\/p>\n<p>But attackers aren\u2019t waiting patiently while lawmakers get their act together (whether it\u2019s PATCH or another measure). They are continuing to launch daily attacks on IoMT devices rife with <a href=\"https:\/\/venturebeat.com\/2022\/05\/01\/5-key-industries-in-need-of-iot-security\/\">vulnerabilities<\/a>. With the government cavalry not coming to the rescue, the industry needs to rely on its own wherewithal to secure its internet-connected devices and systems as effectively as possible.<\/p>\n<h2 id=\"h-healthcare-security-faces-daunting-iomt-challenges\">Healthcare security faces daunting IoMT challenges <\/h2>\n<p>Healthcare security teams are up against challenging limits. 
The industry largely depends on especially heterogeneous fleets of medical devices, with technology implementations ranging from the state-of-the-art to the woefully outdated. Traditional device security scanning to detect threats is often inapplicable because such scans will crash legacy devices.<\/p>\n<p>Among the IoMT devices increasingly ubiquitous in many healthcare delivery environments, device manufacturers publish 2,000 to 3,000 vulnerabilities in an average month. But publishing vulnerabilities is one thing; actually patching them is another story. Even the most dutiful manufacturers patch just one in 50 of those vulnerabilities.<\/p>\n<p>Network segmentation isn\u2019t a strong option either since, without frequent maintenance, the addition of new devices inevitably erodes segmentation into a flat network.<\/p>\n<p>The biggest limitation of all is one that distinguishes healthcare security from any other industry: Security teams can\u2019t unilaterally deactivate vulnerable IoMT devices. Instead, they must balance their concerns with clinicians, because devices may be essential to patient experiences, and even to outcomes.<\/p>\n<p>Security teams can easily exhaust their resources attempting to mitigate every device vulnerability in their environments, without achieving comprehensive results.<\/p>\n<h2>Zeroing in on the true IoMT threats<\/h2>\n<p>That said, there\u2019s a great opportunity for healthcare delivery organizations\u2019 <a href=\"https:\/\/venturebeat.com\/security\/what-is-cybersecurity-definition-importance-threats-and-best-practices\/\" target=\"_blank\" rel=\"noreferrer noopener\">cybersecurity<\/a> teams to efficiently solve these security issues. According to exploit analysis, 90% of vulnerabilities in a given IoMT environment don\u2019t actually present any risk. <\/p>\n<p>This is because medical device exploits closely depend on the use case and the software components that are used in normal operation. 
<a href=\"https:\/\/venturebeat.com\/2022\/05\/20\/report-frequency-of-cyberattacks-in-2022-has-increased-by-almost-3m\/\" target=\"_blank\" rel=\"noreferrer noopener\">Attackers<\/a> carefully explore these factors, and will exploit the same vulnerability using different tactics based on what\u2019s possible in a given scenario. Security teams can use the same approach to vastly narrow the battleground they must defend, accurately recognizing their true risks and concentrating resources on addressing the actual threats at hand.<\/p>\n<p>The future of government leadership on enforcing medical device security at the manufacturer level is up in the air, and, realistically, it may remain so for some time. <\/p>\n<p>So, healthcare delivery organizations must seize the initiative to protect their environments from attacks. They must do so by strategically optimizing security practices and prioritizing the true threats among the myriad IoMT device vulnerabilities they have to live with.<\/p>\n<p><em>Shankar Somasundaram is CEO of<\/em><a href=\"https:\/\/asimily.com\/\"><\/a><em> Asimily<\/em><\/p>\n<p>\t\t\t\t<\/html><\/div>\n<\/p><\/div>\n<p><a 
href=\"https:\/\/venturebeat.com\/security\/government-inaction-adds-pressure-to-iomt-device-and-data-security\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Shankar Somasundaram, Asimily<\/p>\n","protected":false},"excerpt":{"rendered":"<p>December 31, 2022 11:10 AM Image Credit: Poomsak Thammasermsakul \/\/ Getty Images Check out all the on-demand sessions from the Intelligent Security Summit here. It\u2019s now become an unfortunate reality that U.S. hospital systems and other healthcare delivery organizations must look solely to their own leadership on Internet of Medical Things (IoMT) device and data<\/p>\n","protected":false},"author":1,"featured_media":592879,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[284,91500,46],"tags":[],"class_list":{"0":"post-592878","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-government","8":"category-inaction","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/592878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=592878"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/592878\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/592879"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=592878"}],"wp:term":[{"taxono
my":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=592878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=592878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}