Best Practices for Securing IoMT Devices in Healthcare

Post Summary

Securing Internet of Medical Things (IoMT) devices is critical for patient safety and healthcare data protection. These connected devices, ranging from pacemakers to infusion pumps, are increasingly targeted by cyberattacks. Key practices include:

  • Building a Complete Device Inventory: Identify and document all IoMT devices, including their connectivity type, firmware, and clinical role.
  • Risk Assessment: Prioritize devices based on clinical impact, vulnerabilities, and exposure.
  • Network Segmentation: Isolate devices into zones (e.g., life-support devices in one VLAN) and adopt Zero Trust principles to minimize risks.
  • Device Hardening: Update default settings, enforce strong authentication, and apply patches where feasible. Use compensating controls for legacy devices.
  • Continuous Monitoring: Establish baselines for device behavior, detect anomalies, and conduct safe vulnerability assessments.
  • Vendor Risk Management: Include cybersecurity requirements in contracts and control third-party access.
  • Lifecycle Management: Secure devices from onboarding to decommissioning, ensuring data is wiped and credentials are revoked.

Cybersecurity regulations, like the FDA’s requirements for “cyber devices,” demand proactive measures. Hospitals must integrate IoMT security into their broader enterprise risk management strategies to safeguard patients and comply with laws.

Leveraging Advanced IoMT Security Tools for Comprehensive Lifecycle Management

Building an IoMT Asset Inventory and Risk Assessment

With regulatory requirements and the pressing need to safeguard medical devices, creating a thorough inventory and conducting risk assessments is non-negotiable. Simply put: you can't protect what you don't know exists. Before implementing firewalls, patches, or access controls, healthcare organizations must have a clear and accurate understanding of every connected medical device on their network. This starts with building a complete asset inventory.

Creating a Complete Device Inventory

A reliable inventory for Internet of Medical Things (IoMT) devices goes beyond the obvious. It includes infusion pumps, bedside monitors, imaging systems, lab analyzers, and networked clinical controls - essentially, every connected device.

No single discovery method captures everything. The best results come from combining passive network monitoring (which identifies devices based on traffic patterns like DICOM or HL7 without interfering with operations) with data from existing systems like CMMS and biomedical databases, DHCP logs, and physical audits conducted by clinical engineering teams. This approach is crucial for identifying "shadow devices", which may connect sporadically or be stored on mobile carts.

For each device, document key details such as ID, manufacturer, model, serial number, firmware version, network information (IP/MAC, VLAN, subnet), clinical department, whether it handles PHI, and its connectivity type. Standardizing these fields ensures consistent and auditable risk scoring across teams.

Once the inventory is complete, organizations can move on to evaluating which devices pose the highest risks.

Risk Profiling of IoMT Devices

After creating the inventory, the next step is prioritizing devices based on their risk levels. Risk assessment involves considering factors like clinical impact, technical vulnerabilities, exposure, and lifecycle status.

Grouping devices into logical categories simplifies this process. For example, life-supporting devices - like ventilators or medication infusion pumps - should be classified as higher risk than outpatient equipment. Clinical context matters: an outage in an ICU has far more serious consequences than one in a routine outpatient setting. Collaborating with clinical stakeholders, such as nurses, physicians, and department leaders, ensures that risk scores reflect patient-safety priorities as well as technical data.

Using Risk Management Platforms

Traditional spreadsheets for tracking IoMT devices are often outdated and inefficient. A dedicated platform, like Censinet RiskOps™, offers a dynamic solution for managing IoMT risks. It provides a centralized system that ties IoMT devices, their vendors, and third-party services to standardized risk assessments.

These platforms enable collaboration by allowing healthcare organizations and vendors to share remediation plans, document compensating controls, and monitor risk acceptance decisions. As new vulnerabilities arise or device usage changes, risk profiles can be updated in real time, eliminating the need for periodic reviews. Additionally, platforms like this offer cybersecurity benchmarking, helping organizations compare their IoMT risk posture to peers and justify security investments. By integrating medical device risks into broader enterprise and third-party risk processes, tools like Censinet RiskOps™ ensure healthcare organizations maintain an up-to-date, auditable view of their IoMT landscape.

Designing a Secure Network Architecture for IoMT

IoMT Network Segmentation Strategies: Security Levels Compared

Once you've inventoried your devices and assessed risks, the next step is to build a network that prioritizes patient safety. A well-thought-out network design can stop threats in their tracks and prevent a compromised device from causing widespread damage, such as a ransomware attack against a healthcare delivery organization.

Network Segmentation and Isolation

Segmenting your network is a critical step in containing breaches. Assign IoMT devices to dedicated VLANs or microsegmented zones based on their function and risk level. For instance, life-support devices might occupy one zone, imaging systems another, and lab analyzers a third.

Adopt a default-deny policy to restrict communication to only what’s essential. For example, an imaging device connected to a PACS might only be allowed to use DICOM protocols with a specific server - nothing else.

Here are two real-world examples of segmentation in action:

  • Main Line Health, a Philadelphia-based health system, implemented microsegmentation across its 60,000+ devices over 18 months. According to CISO Aaron Weismann, this allows them to instantly sandbox any flagged device, cutting it off from the internal network while maintaining internet access if needed for clinical purposes.

    "Microsegmentation helps minimize the blast radius." - Aaron Weismann, CISO, Main Line Health [3]

  • Michigan Medicine uses Cisco's Identity Services Engine (ISE) to automate device placement. When an infusion pump is connected, it’s automatically assigned to the appropriate virtual network. If someone tries to connect an unauthorized device, the port shuts down. [3]

Additionally, keep building management systems, like HVAC and elevator controls, on separate network segments from medical devices. These systems are often less secure and could serve as entry points for attackers seeking access to clinical systems. [3]

Once segmentation is in place, you can further enhance security by adopting Zero Trust principles.

Applying Zero Trust Principles to IoMT

Traditional network security relied on the idea of internal trust, but Zero Trust flips that assumption. As defined by NIST:

"Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised." - National Institute of Standards and Technology (NIST) [4]

For IoMT devices, this means requiring continuous identity verification and enforcing least-privilege access. For example, an infusion pump might be granted access to the pharmacy system but blocked from any other network resources, such as financial systems or email servers. [5]

The challenge? Many IoMT devices lack built-in authentication features. A practical solution is to shift identity enforcement to the network layer. Use 802.1X with device certificates to verify identity at the port level, and deploy proxy servers to bridge older devices with modern security protocols. For devices that can’t be updated, hardware security modules can provide encryption and enforce policies without altering the device's software. [4][5]

"Zero Trust architecture is not a single product; it is essentially a mindset. It requires continuous verification, least-privilege access, micro-segmentation, and encryption at every level." - Pete Cannata, COO, Atlantic.Net [5]

Comparing Network Segmentation Strategies

Once segmentation and Zero Trust measures are in place, it’s essential to evaluate which approach works best for your organization. Here’s a comparison of the four main strategies:

| Strategy | How It Works | Security Level | Best For |
|---|---|---|---|
| Flat Network | All devices share a single broadcast domain with no internal boundaries. | Low - breaches can spread easily. [6] | Legacy environments with no segmentation capability (not recommended). |
| VLAN-Based | Devices are grouped logically (e.g., all infusion pumps on one VLAN). | Moderate - reduces broadcast traffic but still allows lateral movement within the VLAN. [2][6] | Organizations starting their segmentation efforts. |
| Microsegmentation | Devices or small clusters are isolated into granular zones. | High - contains breaches to specific zones, limiting damage. [3][7] | Mid-to-large health systems with diverse device ecosystems. |
| Zero Trust | No device is trusted by default; requires continuous verification and least-privilege access. | Highest - assumes the network is already compromised. [6][7] | Organizations with mature security programs and complex IoMT environments. |

The 2021 ransomware attack on Ireland's Health Service Executive (HSE) highlights the risks of poor segmentation. Because their healthcare network lacked proper boundaries, attackers could move laterally across systems. [6] At a minimum, most healthcare organizations should aim for VLAN-based segmentation, with microsegmentation as the next step for high-risk devices.

Hardening IoMT Devices

After implementing strong network segmentation and Zero Trust principles, the next step in securing patient care is to focus on the IoMT devices themselves. While segmentation helps block an attacker's lateral movement, hardening the devices makes it much harder for them to exploit vulnerabilities.

Secure Configuration Practices

Default device settings are almost never secure. Start by documenting all factory settings, such as passwords, ports, and services, to create a secure baseline. Then, disable any ports, protocols, or services that aren't essential for clinical use. The FDA has cautioned that even seemingly minor interfaces can be exploited to install malicious software [1].

Data protection is just as critical as access control. Encrypt all data - whether it's in transit or at rest - and use strong cryptographic standards for firmware and software updates. For secure communication sessions, implement unique, time-stamped session identifiers that are hard to predict. Maintaining a Software Bill of Materials (SBOM) for each device is also crucial. An SBOM provides transparency into third-party components and libraries, allowing your team to address vulnerabilities proactively.

Authentication and Access Control

Weak or shared credentials are a frequent entry point for attackers. In fact, human error - like stolen credentials or misconfigured systems - accounts for around 90% of all cyber incidents [8]. To mitigate this risk, enforce unique, regularly updated passwords for every connected device. Additionally, implement Multi-Factor Authentication (MFA) for any interface used to manage device settings.

Role-Based Access Control (RBAC) is another key measure. It ensures that only authorized personnel have access to critical systems, limiting technical privileges based on roles. Mobile Device Management (MDM) platforms can further enhance security by centralizing policy enforcement, monitoring device health, detecting unusual activity, and enabling remote lock or wipe capabilities if a device is lost or compromised. The March 2026 cyberattack on Stryker highlighted the importance of strong internal controls - when a vendor becomes unresponsive, organizations cannot afford to rely solely on external support [8].

Finally, tackling critical medical device security risks like patching and managing legacy devices is essential to completing your device hardening strategy.

Patching and Managing Legacy Devices

While regular patching seems simple in theory, it can be challenging in practice - especially in healthcare, where taking devices offline can disrupt patient care. To address this, prioritize patches based on risk and coordinate updates with clinical teams to minimize impact.

Legacy devices, however, present a unique challenge. Many older IoMT devices run outdated operating systems that are no longer supported by manufacturers, making traditional patching impossible. For these devices, compensating controls are the best option. Strengthen network segmentation around the device, limit communications to only essential protocols and servers, and use hardware security modules to enforce encryption and access policies without modifying the device's software. The FDA has made it clear that even minimally connected devices, such as those with USB-only interfaces, are considered "cyber devices" and must meet cybersecurity standards [1]. Simply being offline does not exempt a device from security requirements.

| Risk Level | Access Type | Authentication Strength |
|---|---|---|
| Negligible | Physical, long-term contact required | Multiple independent MFA factors |
| Minor | Temporary physical access | Multi-factor (e.g., password + PIN) |
| Moderate | Private hospital network (LAN) | Single-factor authentication |
| High | Local/short-range (e.g., Bluetooth) | Weak credentials (e.g., short PIN) |
| Very High | Remote access via the internet | No authentication or protections |

This framework can help you prioritize which devices need immediate attention. Devices accessible over the internet without proper authentication pose the greatest risk - a situation that is more common in hospitals than many might expect.

Continuous Monitoring and Vulnerability Management

Hardening devices and segmenting your network are just the beginning. IoMT security is a continuous process because risks keep evolving. Ongoing monitoring is essential to catch threats early and respond effectively.

Monitoring IoMT Device Behavior

Start by defining baseline behavior for each device. Group devices based on their type, model, location, and clinical role. A baseline should include details like which internal systems the device communicates with, how often it connects, the ports and protocols it uses, and whether it interacts with external vendor services.

Once you establish this baseline, you can detect anomalies. For instance, an infusion pump suddenly connecting to an unknown external IP, a patient monitor using an unexpected port, or a device generating unusual traffic levels are all red flags. Passive network monitoring, using tools like network taps and SPAN ports, is ideal for most IoMT environments. Many devices can't handle traditional endpoint agents or frequent reboots, so passive monitoring ensures full visibility without interfering with the device.

Keep your baselines up to date. Changes like firmware updates, device relocations, or workflow adjustments can make old baselines inaccurate, leading to false positives and undermining trust in your alerting system.
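The baseline-and-anomaly approach described above, as an added example that is not part of the original post: a per-device-group baseline (allowed internal peers, ports, traffic ceiling, approved vendor hosts) is checked against flow records of the kind a passive sensor would export. The internal address ranges, baselines, port numbers and flow records are all constructed for illustration.

```python
"""Flag IoMT flows that deviate from a per-device-group behaviour baseline."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Internal address space of the hospital network (assumed for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


@dataclass
class Baseline:
    """Expected behaviour for one device group (type, model, clinical role)."""
    allowed_peers: set[str]      # internal systems the group normally talks to
    allowed_ports: set[int]      # ports/protocols it normally uses
    max_bytes_per_hour: int      # typical traffic volume ceiling
    vendor_hosts: set[str] = field(default_factory=set)  # approved external services


@dataclass
class Flow:
    """One aggregated flow record as a passive sensor (tap/SPAN) might export it."""
    device: str
    group: str
    dst_ip: str
    dst_port: int
    bytes_per_hour: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(flow: Flow, baselines: dict[str, Baseline]) -> list[str]:
    """Return the reasons a flow deviates from its group baseline (empty = normal)."""
    base = baselines.get(flow.group)
    if base is None:
        return ["no baseline for device group (unclassified or shadow device)"]
    reasons = []
    if is_internal(flow.dst_ip):
        if flow.dst_ip not in base.allowed_peers:
            reasons.append(f"unexpected internal peer {flow.dst_ip}")
    elif flow.dst_ip not in base.vendor_hosts:
        reasons.append(f"connection to unknown external IP {flow.dst_ip}")
    if flow.dst_port not in base.allowed_ports:
        reasons.append(f"unexpected port {flow.dst_port}")
    if flow.bytes_per_hour > base.max_bytes_per_hour:
        reasons.append(
            f"traffic {flow.bytes_per_hour} B/h exceeds baseline {base.max_bytes_per_hour} B/h")
    return reasons


def detect_anomalies(flows: list[Flow], baselines: dict[str, Baseline]) -> dict[str, list[str]]:
    """Map each anomalous device to its reasons; devices within baseline are omitted."""
    findings = {}
    for flow in flows:
        reasons = check_flow(flow, baselines)
        if reasons:
            findings[flow.device] = reasons
    return findings


# Constructed baselines: pumps talk only to the pharmacy server over TLS,
# monitors only to the central station (the HL7 port number is assumed).
BASELINES = {
    "infusion_pump": Baseline({"10.20.0.5"}, {443}, 5_000_000),
    "patient_monitor": Baseline({"10.30.0.9"}, {2575}, 50_000_000),
}

# Constructed sample flows covering the red flags named in the text.
SAMPLE_FLOWS = [
    Flow("pump-01", "infusion_pump", "10.20.0.5", 443, 1_000_000),      # normal
    Flow("pump-02", "infusion_pump", "203.0.113.7", 443, 1_000_000),    # unknown external IP
    Flow("mon-01", "patient_monitor", "10.30.0.9", 8080, 1_000_000),    # unexpected port
    Flow("mon-02", "patient_monitor", "10.30.0.9", 2575, 900_000_000),  # unusual volume
    Flow("cart-05", "unknown", "10.20.0.5", 443, 10_000),               # shadow device
]

if __name__ == "__main__":
    for device, reasons in detect_anomalies(SAMPLE_FLOWS, BASELINES).items():
        print(device, "->", "; ".join(reasons))
```

When a firmware update or relocation changes a group's behaviour, the fix is to revise that group's `Baseline` rather than to suppress the alerts, which keeps the false-positive rate the text warns about under control.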

While monitoring behavior is critical, regular vulnerability assessments are equally important to validate device security.

Running Safe Vulnerability Assessments

Active scanning can disrupt sensitive devices, so it's crucial to coordinate with clinical teams to establish safe scanning protocols. Work with clinical engineering and biomedical teams to determine which devices can handle scanning, the appropriate intensity, and suitable maintenance windows. High-risk devices should be tested in controlled environments, and always follow vendor-approved methods for scanning.

When deciding what to remediate, don't rely solely on technical severity. A device with a high CVSS score but limited connectivity might be less urgent than a moderately vulnerable device directly involved in patient care. Consider factors like exploitability, exposure, clinical importance, and existing controls when setting priorities. For legacy devices or those that can't be patched quickly, tighten network segmentation, restrict communications to necessary endpoints, and document the exception with a clear owner and timeline.
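The prioritization argument above, as an added example that is not code from the original post: technical severity is combined with exposure (using the access-type tiers from the risk table in the previous section), clinical role, known exploitability and compensating controls, so that a high-CVSS finding on an isolated lab device ranks below a moderate finding on an internet-reachable monitoring gateway. All weights, thresholds and sample findings are assumptions constructed for illustration.

```python
"""Rank IoMT findings by clinical risk rather than by CVSS alone."""
from __future__ import annotations
from dataclasses import dataclass

# Access types ordered as in the post's risk table; the weights are assumed values.
EXPOSURE = {
    "physical_long_term": 1,     # physical, long-term contact required
    "temporary_physical": 2,
    "hospital_lan": 3,
    "short_range_wireless": 4,   # e.g. Bluetooth
    "internet": 5,               # remote access via the internet
}

# Clinical role weights (assumed values): life support outranks administrative systems.
CLINICAL_IMPACT = {
    "life_support": 5,
    "bedside_monitoring": 4,
    "diagnostic_imaging": 3,
    "lab": 2,
    "admin": 1,
}


@dataclass
class Finding:
    device: str
    cvss: float                 # technical severity, 0.0-10.0
    access_type: str            # key into EXPOSURE
    clinical_role: str          # key into CLINICAL_IMPACT
    exploit_known: bool         # public exploit or active exploitation reported
    compensating_controls: int  # effective controls in place (segmentation, proxy, HSM, ...)


def priority_score(f: Finding) -> float:
    """Severity x exposure x clinical impact, raised for exploitability, lowered by controls."""
    score = (f.cvss / 10) * EXPOSURE[f.access_type] * CLINICAL_IMPACT[f.clinical_role]
    if f.exploit_known:
        score *= 1.5
    # Each documented compensating control removes 20% of effective risk, floored at 40%.
    score *= max(0.4, 1 - 0.2 * f.compensating_controls)
    return round(score, 2)


def tier(score: float) -> str:
    """Map a score to a remediation tier (thresholds are assumed)."""
    if score >= 15:
        return "immediate"
    if score >= 8:
        return "scheduled"
    return "monitor"  # tighten segmentation, document the exception with owner and timeline


def prioritize(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (device, score, tier) sorted from most to least urgent."""
    scored = [(f.device, priority_score(f)) for f in findings]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(device, score, tier(score)) for device, score in scored]


# Constructed findings: the highest CVSS sits on the least exposed, least critical device.
SAMPLE_FINDINGS = [
    Finding("lab-analyzer-03", 9.8, "physical_long_term", "lab", False, 2),
    Finding("infusion-pump-12", 6.5, "hospital_lan", "life_support", False, 0),
    Finding("telemetry-gw-01", 7.2, "internet", "bedside_monitoring", True, 0),
]

if __name__ == "__main__":
    for device, score, level in prioritize(SAMPLE_FINDINGS):
        print(f"{device:18} score={score:5.2f} tier={level}")
```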

Integrating these assessments into your broader risk management framework ensures nothing falls through the cracks.

Connecting Monitoring to Risk Management Processes

To make the most of continuous monitoring and vulnerability assessments, integrate alerts into your risk management process. This involves linking telemetry to your asset inventory, assigning ownership, tracking remediation progress, and documenting exceptions and compensating controls - all in a centralized system, not scattered across spreadsheets or ticketing tools.

This is where platforms like Censinet RiskOps™ can make a big difference. Such tools centralize risk assessments, cybersecurity benchmarking, and collaborative tracking for medical devices, vendors, and clinical environments. For example, when monitoring detects a vulnerable device, the alert can be tied directly to the device's risk profile, assigned owner, and governance decisions. Instead of leaving the alert in an isolated security tool, it becomes part of a closed-loop process: discover, baseline, detect, assess, prioritize based on clinical impact, and route findings to the right people with the right context. This approach ensures that your monitoring efforts are directly connected to inventory management and risk profiling, making your security strategy more actionable and efficient.

Governance and Lifecycle Management for IoMT Security

Strong governance is the backbone of effective IoMT security. While asset tracking and risk management are critical, they only succeed with a well-defined governance structure. Without clear roles and processes, even the most advanced technical measures can falter over time.

Setting Up IoMT Security Governance

Start by establishing a cross-functional governance committee. This group should include representatives from clinical engineering, biomedical teams, IT security, compliance, privacy, procurement, and risk management. Why? Because IoMT risk touches on several areas: patient care, device operations, and enterprise cybersecurity.

This committee should oversee key responsibilities like policy approvals, risk acceptance, handling exceptions, and escalating incidents. To ensure effectiveness, it’s crucial to have senior leadership sponsorship - from roles like the CIO, CISO, or CMIO. Without executive backing, decision-making around IoMT risks can become fragmented or delayed. According to a 2022 Ponemon Institute report, 89% of healthcare delivery organizations experienced at least one cybersecurity incident involving IoMT or IoT devices in the previous two years. Yet, only about one-third of U.S. hospitals report strong coordination between biomedical and IT security teams.

Aligning your governance program with established frameworks like the NIST Cybersecurity Framework (CSF) and the HSCC Medical Device and Health IT Joint Security Plan (JSP) can provide a structured approach. These frameworks cover key risk management areas: identifying, protecting, detecting, responding, and recovering.

Once governance is in place, the focus should shift to managing vendor risks and securing the entire lifecycle of IoMT devices.

Managing Vendor and Third-Party Risk

IoMT vulnerabilities often stem from external sources, such as device manufacturers, cloud dashboards, or remote monitoring services. A 2023 HIMSS cybersecurity survey revealed that while 75% of U.S. provider organizations conducted third-party risk assessments, only 36% consistently applied them to all high-risk vendors. This gap leaves room for potential security breaches.

Vendor risk management begins before procurement. Include cybersecurity requirements directly in RFPs and contracts, addressing areas like:

  • Patch timelines and vulnerability disclosures
  • Software Bills of Materials (SBOMs)
  • Remote access controls
  • End-of-support dates
  • Breach notification terms

Remote access - a frequent entry point for attackers - should be tightly controlled. Use methods like time-limited access, detailed logging, VPNs with multifactor authentication, or jump hosts. Access should be disabled when not actively needed.

Tools like Censinet RiskOps™ can simplify this process. They centralize vendor and enterprise risk assessments, track remediation efforts, and benchmark cybersecurity across your vendor ecosystem. This eliminates the need for scattered spreadsheets, allowing for a more streamlined approach.

A strong vendor risk program naturally supports secure lifecycle management for IoMT devices, ensuring protection from acquisition to decommissioning.

Securing the Full Device Lifecycle

Managing the entire lifecycle of IoMT devices is critical to maintaining security. Gaps often arise at key points: when devices are hastily installed, moved between departments without proper tracking, or retired without removing sensitive data or network access.

During onboarding, take these steps to ensure security:

  • Verify security reviews and approvals
  • Assign ownership
  • Update the asset inventory
  • Segment the device on the network
  • Enforce baseline configurations
  • Activate monitoring

Capture essential metadata like firmware version, manufacturer support dates, connectivity type, and whether the device handles PHI. This information will be valuable throughout the device's lifecycle.

During operations, implement a structured patch process involving IT security, biomedical, and clinical teams. Record any exceptions, assign an owner, and set a review date. For legacy or unsupported devices that can’t be patched, use compensating controls such as isolating the device, restricting its communications, and planning for its replacement.

At decommissioning, follow these steps to close security gaps:

  • Sanitize all stored data
  • Revoke credentials
  • Remove the device from network segments
  • Update the inventory to reflect its removal

Conclusion: Making IoMT Security a Priority for Patient Safety

Securing IoMT (Internet of Medical Things) devices is no longer just about protecting data - it’s about protecting lives. The stakes are incredibly high, with 70% of healthcare organizations reporting that cyberattacks have disrupted patient care, and ransomware incidents in 2023 contributing to a 28% increase in mortality rates [10]. These statistics highlight the life-or-death consequences of neglecting device security.

As outlined earlier, a unified, multi-layered approach is critical. The strategies discussed work together as a system - ignoring even one creates vulnerabilities that attackers are quick to exploit. With 53% of medical devices still harboring known, unpatched vulnerabilities [10], relying on a single solution simply isn’t enough.

"Medical device security has transformed from a niche technical concern to a critical pillar of patient safety and operational resilience." - Phil Englert, Director of Medical Device Security, Health-ISAC [9]

Regulatory requirements are also tightening, leaving no room for complacency. The FDA’s Section 524B mandates, for example, require manufacturers to provide SBOMs (software bills of materials), post-market cybersecurity plans, and patching commitments for any device classified as a "cyber device." Healthcare delivery organizations must demand this documentation from vendors and hold them accountable for non-compliance. Tools like Censinet RiskOps™ simplify this process by centralizing third-party vendor risk management and ensuring compliance across your entire device network.

To truly safeguard patients, every connected device must be accounted for, monitored, and managed throughout its lifecycle - from onboarding to eventual decommissioning. Consistent application of these practices not only protects lives but also ensures your organization stays compliant with U.S. regulations.

FAQs

What’s the fastest way to find every IoMT device on my network?

The quickest method to spot IoMT devices involves passive network monitoring and agentless discovery tools. These tools examine network traffic to identify and classify devices without interfering with delicate medical equipment. By utilizing network telemetry and flow logs, you gain real-time insights into both current and older assets. Tools like Censinet RiskOps™ bring all this data together, simplifying risk assessments and helping ensure compliance with regulations.

How do we secure legacy devices that can’t be patched?

For legacy devices that can't be patched, focus on compensating controls to manage risk effectively. Implementing a Zero Trust Architecture ensures every connection is verified and security is enforced at the infrastructure level. Use network segmentation and micro-segmentation to isolate these devices, minimizing the potential impact of a breach.

Also, enforce least-privilege access to restrict unnecessary permissions, continuously monitor network activity for any unusual behavior, and use virtual patching as a temporary safeguard. While these measures help mitigate risks, it's important to prepare for replacing these devices in the future.

How can we detect abnormal IoMT device behavior without disrupting patient care?

To identify abnormal behavior in IoMT devices while ensuring patient care remains uninterrupted, focus on passive monitoring methods. Techniques like SPAN or TAP allow you to observe network traffic without directly interacting with the devices. If device logging isn’t an option, use network telemetry and flow logs to gather more insights. Consolidate this data in security analytics platforms to automatically flag anomalies, such as unexpected protocols or suspicious communication patterns. Tools like Censinet RiskOps™ can further simplify assessments and manage risks effectively.
