Micki Boland is a global cyber security expert and evangelist with Check Point Software Technologies’ Office of the CTO. Micki has over 20 years in ICT, cyber security, emerging technology and innovation. Micki’s focus is helping customers, system integrators, and service providers reduce risk through the adoption of emerging cyber security technologies. Micki is an ISC2 CISSP and holds a Master of Science in Technology Commercialization from the University of Texas at Austin, and holds an MBA with a global security concentration from East Carolina University.

In this interview, Micki Boland presents outstanding insights into the world of medical devices, often known as the Internet of Medical Things or IoMT. Discover how healthcare systems have increased device adoption and get an in-depth look at how this has pushed healthcare leaders to rethink cyber security infrastructure. Plus, if your organization is still struggling with telehealth and remote work security best practices, these perspectives can help.

To what extent have networks had to expand and adapt in order to accommodate a coronavirus-related influx of IoMT devices?

The Covid-19 pandemic has certainly contributed to innovation, along with the rapid-scale and acceleration in adoption of new IoMT solutions. These new IoMT devices are a mash-up of smart devices, sensor technologies, software, communications protocols and networks, cloud infrastructure and services, and new security requirements. During the pandemic, new IoMT devices are helping with Covid-19 testing, real-time monitoring, Covid-19 virus tracking, surveillance, and rapid-scale health services delivery.

All of these IoMT innovations and uses are driving expansion and adaptation of network architectures, network technologies and protocols for Wireless Body Area Networks (WBAN), mobile application software, and cloud infrastructure, compute, storage, networking and services for data analytics and AI-driven decision-making, IoMT-specific security and privacy controls, and the development of IoT/IoMT standards and reference architectures.

How has the influx of IoMT devices during the pandemic inspired healthcare to rethink its infrastructure?

First, the need for IoT/IoMT standards and reference architectures is crucial to help medical and healthcare providers to be able to invest in IoMT and (as easily as possible) “plug” these into existing infrastructure and networks. This is no easy task and organizations need to be able to invest in IoMT with assurance their strategy provides investment protection. They do not want to have to forklift existing infrastructure or technologies. Second, organizations have the added burden of incorporating multi-layered IoMT security and privacy measures into the IoMT devices, software, infrastructure, and communication networks; both on-premise and in the cloud. On the spectrum of IoMT security and privacy and infrastructure changes, this might involve improved network segmentation, zero trust network segmentation, or complete separation of IoMT infrastructure and networks.

IEEE is working on IoT network architecture standards, and while not specific to IoMT, these architecture standards are providing for IoT and IoMT communication interoperability, systems integration, and scalability. Two new IEEE standards are P2413.1 Standard for a Reference Architecture for Smart City (RASC) and P2413.2 Standard for a Reference Architecture for Power Distribution IoT (PDIoT). While these IoT reference architectures are not IoMT specific, these can be applied to IoMT, and should greatly advance the adoption of both IoT and IoMT security.

How are healthcare IT teams dealing with the problem of having to secure IoT devices associated with telemedicine and remote work (e.g., unaffiliated laptops)?

This is a challenge for healthcare ICT and security teams. Sometimes, IT seeks to manage these unmanaged or partially managed IT assets in the same way it manages ICT devices on premise. Many times, these are essentially IoMT devices that are only partially managed or unmanaged through medical and healthcare applications, which leverage enterprise-class collaboration technology and connections to healthcare provider networks.

It might be more appropriate to classify these devices as unmanaged/partially managed IoMT sensor endpoints. The most important thing that can be done is to provide enterprises with world-class endpoint security on these IoMT sensor devices; whether laptop, tablet, or smart device.

This next generation endpoint security must provide remote access VPN, full-disk and media encryption, port protection, endpoint firewall, compliance, document encryption/security, anti-malware, anti-ransomware, behavior guard, forensics, anti-bot, URL filtering, threat emulation and anti-exploitation.

Threat intelligence telemetry from these IoMT sensors contributes greatly in the context of enterprise cyber security. Additionally, the use of SaaS applications, strong identity and access management and multi-factor authentication can significantly reduce cyber security risk.

Organization-level governance, risk and compliance (GRC) acceptable use policies should clearly describe organizational compliance around protection of PHI, PII, corporate data, Intellectual Property, and privacy when interacting with all internal and external customers, including patients, other providers, and insurers. It should be a mandatory organization-level requirement that clearly outlines corporate rules and the penalty for non-compliance. It should also require the user to read, acknowledge and sign that they will comply annually.

By the time that IoMT devices are approved by the US Food and Drug Administration (FDA), the technology is 5 years out-of-date. How can healthcare groups contend with this?

IoMT devices are categorized as follows: clinical grade wearables, fitness wearables, ingestible sensors (smart pills), remote/home health monitoring, and point-of-care devices. The US FDA acknowledges the need for development of innovative IoMT technologies that improve device performance and protection. IoMT devices considered fitness wearables can be fast tracked, though clinical grade wearable IoMT devices are generally classified as Class II medical devices and must follow FDA Class II medical device testing.

Are there new policies and processes in development to speed up IoMT regulatory approvals?

Indeed, during the pandemic, the FDA issued Emergency Use Authorization (EUA) for specific remote or wearable patient monitoring devices to help with availability of monitoring and treatment of patients and to help address reduction of healthcare provider exposure to Covid-19.

You will read and hear about new IoMT wearables that have been rapidly FDA cleared. There is an FDA process for certain Class I and Class II medical devices where the manufacturer can demonstrate that their product is “substantially equivalent to another legally marketed device” (a predicate) that already has FDA clearance or approval.

The IoMT device manufacturer submits a 510(k) premarket notification to the FDA so that it can review the product and clear it. When the FDA declares the new IoMT device is “substantially equivalent” to a predicate, it is “cleared,” and can be marketed and sold in the US.
