HHS Asks Health Industry to Boost OT & IoMT Security

The Department of Health and Human Services (HHS) asks healthcare providers to take the appropriate measures to protect the Internet of Medical Things (IoMT) and operational technology (OT). Malicious actors can exploit issues in OT and IoMT systems to gain access to internal healthcare systems, steal information, and bring about substantial operational problems.

The Food and Drug Administration (FDA) has taken steps to enhance medical device safety by telling sellers of medical devices to employ proper cybersecurity steps throughout the whole lifecycle of their products. Sellers need to present certification in their pre-market submissions confirming that cybersecurity steps were applied. Devices with inadequate cybersecurity won’t be accepted; however, these requirements apply only to new medical devices coming to market and not to the medical devices currently in use.

Healthcare organizations may use devices for patient care, product creation, data gathering, facility operations, and other applications. Medical devices include patient monitors, infusion pumps, pacemakers and other implantable devices, and medical imaging systems. All of these devices could be appealing targets for cybercriminals. Any vulnerabilities or security holes can be exploited to access the systems connected to these devices.

OT systems are necessary for creating a secure and effective working environment and include security cameras, elevators, and heating, ventilation, and air conditioning (HVAC) systems. Malicious actors can also exploit vulnerabilities and poor security in OT. Successful exploitation of vulnerabilities can allow malicious actors to disrupt healthcare services and steal sensitive patient information.

IoMT and OT systems and medical devices are important for operational effectiveness and patient care; however, connecting these systems and devices to IT systems heightens the danger of cyberattacks. A weakness in a medical device or HVAC system may be exploited to get a foothold in the network, from which the cybercriminal can carry out an attack that brings about substantial operational problems.

Quite often, technological limitations make it hard to apply cybersecurity procedures. For example, medical imaging devices are very costly and stay in use 10 years after they were bought. The problem is the dependence of these devices on firmware or software, which may be outdated and no longer supported by sellers. Older systems usually have hard-coded default credentials that cannot be altered, and they do not support newer communication protocols that encrypt data in transit. IoMT and OT devices and systems frequently do not have role-based access controls (RBAC), meaning users might possess too many privileges. There might be inadequate authentication procedures, unencrypted data transfers, and vulnerabilities in software and firmware that entice cybercriminals to target these systems and devices. There might likewise be insufficient physical security, permitting suspicious physical access to IoMT and OT systems.

The Healthcare and Public Health (HPH) Sector Advisory Bulletin by the Administration for Strategic Preparedness & Response (ASPR) explained that protecting OT and IoMT equipment throughout the HPH sector demands a proactive risk-management strategy grounded in cybersecurity guidelines. The bulletin contains several suggestions for owners, information technology (IT) administrators, operators, and security experts in charge of handling OT and IoMT systems and/or involved in HIPAA training. These include:

  • Keep an extensive, correct, and updated asset inventory and ensure proper lifecycle operations
  • Incorporate the use of OT and IoMT into enterprise risk management applications
  • Utilize network micro-segmentation to separate OT and IoMT environments into very small, separated environments
  • Limit remote access
  • Manage supply chain problems
  • Protect wireless signal transmission

By carrying out these recommendations, healthcare companies can considerably reduce cyberattack threats, protect operational control, and secure patient data. Implementing these measures will increase trust in healthcare’s resilience against changing cyber threats and protect the integrity, availability, and confidentiality of healthcare services.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown