Medical Device Security Is A Top Challenge For Healthcare CIOs
Food and Drug Administration (FDA) regulations mandate that all medical device vendors tighten their security features with processes to find and mitigate vulnerabilities.
The FDA mandate is a step in the right direction: it costs a healthcare system $11M to recover from a cyberattack, according to IBM's 2023 Cost of a Data Breach report. A breach is not only financially costly; it can also put a patient's life at risk.
Carter Groome, CEO at First Health Advisory, applauds the FDA mandate and said, "Healthcare organizations have a moral duty of care in managing the risk of medical IoT devices in their environments to ensure patient safety and keep the most basic clinical operations from failing. The consequences of shirking such responsibilities have potentially grave consequences and at the very least have an adverse impact on individual and community health outcomes."
Securing medical devices presents a challenge because it requires the involvement of many stakeholders, including healthcare facilities, patients, healthcare providers, and medical device manufacturers.
Below are three primary reasons it is difficult for healthcare CIOs to manage medical devices and the Internet of Things (IoT).
Healthcare Organization Structure
The biomedical department that manages medical IoT devices in a healthcare provider organization might not fall under the CIO's oversight. This arrangement can lead to a situation where the biomedical department doesn't adhere to the information security guidelines the CIO outlines.
Some healthcare organizations have placed the biomedical department under the CIO, helping the department align with all information security requirements, but not all have made this change.
At a minimum, the recommendation is that the CIO's budget should cover all technology procurements to ensure the visibility of every technology in the organization.
Unsupported Operating Systems
Medical devices often have a long life cycle, and many run on outdated and unsupported operating systems, lacking the capability to update to a newer version.
If devices don't receive updates to the latest version of their operating system, or if they run an operating system that no longer receives security fixes, attackers can exploit the unpatched vulnerabilities to steal data, penetrate a healthcare network, and disrupt care.
CIOs understand that implementing security patches and upgrades on medical devices is challenging. Unlike standard IT devices that can typically receive updates through a central system, medical devices often don't have built-in tools for software upgrades when a security patch becomes available.
Medical Device Inventory
Healthcare CIOs face challenges in capturing a comprehensive inventory of medical and IoT devices. The extensive number of connected devices, including MRI machines, wearable patient sensors, and network-connected devices, makes managing the ecosystem complex. CIOs must have an accurate medical and IoT inventory.
Zafar Chaudry, Chief Digital and Information Officer at Seattle Children's Hospital, said, "Key elements of our IoT security strategy include identifying and assessing our assets and risks, educating users about the importance of IoT security, and investing in the right security tools."
Healthcare organizations must ensure that all medical and IoT devices adhere to standard information security processes and perform a comprehensive risk assessment on each connected device.
Anahi Santiago, Chief Information Security Officer at ChristianaCare, said, "MIoT and IoT are included in our overall risk management program. Anything that touches our network or data is required to undergo a risk assessment, is subject to our security standards and our contractual requirements. We conduct continuous monitoring and asset management of the devices as well as vulnerability and patch management. If we are not able to patch, we employ compensating controls where possible to drive down risks."
The FDA's mandate responds to a long-standing concern and offers a solution to the frustrations CIOs have expressed regarding the lack of security requirements from medical device manufacturers. Most importantly, the mandate highlights that information security holds equal importance to patient safety.