The Healthcare XIoT: Key Concepts to Understand

Historically, medical devices involved in physical processes have been air-gapped, isolating them from healthcare IT networks and the internet. But with digital transformation, the growing interconnectivity of cyber-physical systems has given rise to the Extended Internet of Things (XIoT) in various industries, including Healthcare. XIoT is made up of various forms of operational technology (OT), such as industrial control systems (ICS), industrial internet of things (IIoT) assets, and building management systems (BMS), as well as internet of medical things (IoMT) and other types of connected clinical devices. This holistic umbrella term encompasses the aforementioned cyber-physical systems (CPS) across industrial, healthcare, and commercial environments globally.

In healthcare delivery organizations (HDOs), the XIoT presents ample opportunity for efficiency and performance advantages, but also introduces new types of cyber risk that must be mitigated. To better understand the scope of what needs to be secured, let’s take a look at some key concepts related to the healthcare XIoT.

Core Healthcare XIoT Capabilities

Transducer, interface, and support capabilities are integral to the healthcare XIoT, enabling productive connections between medical devices, building management systems (BMS), operational technology (OT), information technology (IT), and other devices.

transducer capabilities

serve as the bridge that enables computing devices to interact directly with the physical world. Transducer capabilities include:

• Sensing capabilities, which provide an observation of an aspect of the physical world in the form of measurement data. Examples include blood pressure monitoring systems and radiographic imaging.

• Actuating capabilities, which encompass processes that execute physical actions. Examples include infusion pumps, cardiac electric shock delivery, electronic door locks, and robotic arms.

interface capabilities

enable device interactions, encompassing both device-to-device and human-to-device communications. These include:

• Human-user interface, the ability for an XIoT device and people to communicate directly with each other. Examples include touch screens, haptic devices, microphones, cameras, and speakers.

• Network interface, the ability to leverage a communication network, including both hardware and software. Examples of network interface capabilities include Ethernet, Wi-Fi, Bluetooth, LTE, and ZigBee. Every XIoT device has at least one enabled network interface capability.

supporting capabilities

provide functionalities that help enable other IoT capabilities. Examples include device management, cybersecurity, and privacy. 

The Role of the IoMT and OT

The Internet of Medical Things (IoMT) refers to connected devices and applications that directly relate to cyber patient safety & care, such as MRI machines, CT scanners, and vital sign monitors. These IoMT devices connect to other types of assets within the broader healthcare XIoT.

Unlike conventional IT devices, many IoMT devices interact directly with the physical world and can therefore be considered cyber-physical systems. Two examples include infusion pumps, which regulate the delivery of life sustaining medication, and implanted cardioverter defibrillators, which deliver electrical shocks and restore the heart to normal rhythms. Both of these devices are used to improve patient outcomes and enhance the efficiency of healthcare delivery. 

Beyond IoMT devices, other types of OT are also used to support critical healthcare processes, including programmable logic controllers (PLCs), remote terminal units (RTUs), and building management systems (BMS) that control air filtration, power, vaccine refrigeration, and more. Typically managed by facilities engineers, these forms of OT often leverage internal connections to engineering workstations that can be accessed remotely for maintenance.

The High Stakes of Disruptive Attacks

When it comes to securing operations, the stakes are uniquely high for the healthcare sector, given the potentially life-threatening impact of failures or disruptions. For instance, emergency room doctors rely on a CT scanner’s availability and integrity to quickly diagnose stroke patients. A delayed or misdiagnosis due to a compromised CT scanner could easily result in loss of a patient’s motor functions, brain damage, or even death.

In September 2020, the first patient death attributed to a cyber attack occurred at Dusseldorf University Clinic in Germany. During this attack, ransomware targeting IT systems containing electronic health records inadvertently impacted OT devices connected to the network. As a result, all ER-bound heart and stroke patients were diverted. The nearest facility was 32 kilometers away, resulting in the tragedy of one patient who died in transport. 

White-hat hackers have simulated the impacts vulnerabilities in IoMT devices could have by increasing dosages or manipulating shocks that result in sudden death. Fortunately, such attacks have yet to be carried out in reality. However, the proven feasibility of such an incident attests to the urgency of securing the healthcare XIoT.

Common Mistakes and Key Considerations

Amid mounting cyber threats to healthcare, The Joint Commission has been directed by the Center for Medicare and Medicaid Services (CMS) to initiate audits on the cybersecurity for medical devices. Unfortunately, many healthcare organizations still make one of the following mistakes:

1. Attempt to use existing IT security tools. This disjointed approach will inevitably fail, due to the fact that IT security tools are fundamentally incompatible with the protocols and workflows used by cyber-physical systems. In many cases, IT solutions lack the capabilities to identify assets and devices, let alone help secure them.

2. Use disparate, specialized tools to manage and secure cyber-physical systems separately from IT systems. This cumbersome, inefficient approach inevitably creates costly management overhead and visibility gaps.

In your effort to avoid these mistakes, it’s helpful to keep these three considerations in mind:

1. Unlike IT, XIoT devices interact with the physical world. This ups the ante for potential risk implications, especially in a healthcare setting, where patients’ lives may depend on reliable device performance.

2. Conventional wisdom surrounding IT security does not apply to the XIoT. Even the most seasoned IT security veterans should approach the XIoT with a beginner’s mindset.

3. Traditional IT cybersecurity tools are incompatible with the XIoT, and attempting to use them will likely do more harm than good. To properly protect their XIoT, healthcare organizations need purpose-built cyber-physical security technology.

The Value of a Unified Approach

These conditions make it abundantly clear that organizations need a new approach for securing the ever-expanding universe of XIoT. The ideal solution is a unified approach that leverages:

• Broad domain knowledge of the systems and workflows that underpin each vertical and environment leveraged in your organization’s network.

• Deep capabilities, including full-spectrum visibility, risk and vulnerability management, threat detection, and secure remote access controls—all of which should also integrate seamlessly with an organization’s existing technology stack

There’s not yet an easy fix for ensuring reliable patient care amid security challenges driven by digital transformation and evolving cyber threats. But so long as healthcare cybersecurity teams understand that outside expertise and specialized tools are needed to properly protect the XIoT, they can begin the critical processes of doing so.

Securing the Healthcare XIoT with Claroty 

As we’ve learned, a successful healthcare XIoT cybersecurity strategy requires adaptation to today’s rapidly evolving environment, where threat actors are increasingly weaponizing XIoT. To create a strategy that supports both resilience and business growth, organizations should implement a unified approach similar to the above. The HDOs that support patients' lives rely heavily on connectivity between the cyber and physical world, making the safety and security of their devices paramount. Guaranteeing this safety starts with a strong CPS security strategy and a robust protection platform that can help.