
Minimizing the Risk of IoMT Device Vendors in Healthcare


The Internet of Medical Things (IoMT) is transforming healthcare. More and more people use these devices to monitor their health remotely, but with this explosion of growth comes new risks that can put patient safety in danger. In the past, regulatory policies and legislation regarding data security and privacy slowed the use of IoMT devices in the healthcare industry, but with the COVID-19 pandemic, approvals were fast-tracked to allow IoMT usage.

The increase in remote medical assistance was triggered by overcrowded health facilities and COVID-19 limits on in-person appointments. The genie is out of the bottle, and the use of IoMT devices is rapidly growing. A 2022 EMR report estimates that over $400 billion will be spent on IoMT devices by 2027, up from $177.64 billion in 2021.

What Is the Internet of Medical Things in Healthcare?

IoMT is a network of connected devices that can exchange and analyze data over the internet, such as sensors, medical equipment, and diagnostic devices. The use of IoMT-enabled devices offers many benefits to patients, their families, doctors, hospitals, and insurance companies. By leveraging IoMT technology, healthcare providers and patients can improve communication, reduce healthcare costs, and deliver remote treatment. 


The Risks Presented to Healthcare When Using IoMT

There are substantial risks associated with IoMT. Healthcare organizations must be aware of the risks and actively work to monitor and mitigate them. Here are some of the risks involved with IoMT: 

  • Cybersecurity risk – The healthcare sector generates more personal data than any other industry. With so much personal information stored and processed, it should be no surprise that hospitals and other healthcare institutions are popular targets for ransomware attacks. In healthcare, cyberattacks can mean life or death.
  • Regulatory risk – It has also become a regulatory issue. In October 2023, the U.S. Food & Drug Administration's (FDA) cybersecurity requirements under the Consolidated Appropriations Act will take effect. The regulation bans the sale of any IoMT devices that don't meet cybersecurity requirements. All new IoMT device applicants must have a plan for how they'll monitor, identify, and address cybersecurity risks. Security updates and patches must follow a regular schedule, and all software components used in the devices must be disclosed. 
  • Reputational risk – All it takes is one incident with IoMT devices to damage your patients’ trust. Anything from a data breach, an attack on an IoMT device, or even a hefty regulatory fine can leave your healthcare organization’s reputation in shreds. 

Knowing how to minimize the risks involved with all your IoMT devices and vendors can be overwhelming. That's where third-party risk management can help. 

How Third-Party Risk Management Can Help Reduce IoMT Device Risk

Third-party risk management is the practice of identifying, assessing, managing, and monitoring vendor risks. Organizations that implement and execute third-party risk management properly can avoid unnecessary risks stemming from vendor relationships, including those involving medical equipment and devices. 

Following the third-party risk management lifecycle is the best way to systematically identify and manage vendor risks throughout the duration of the vendor relationship. The lifecycle includes:

  • Onboarding: This includes assessing the vendor’s inherent risk and criticality so you can perform risk-based due diligence. Once you select the vendor, you’ll then begin to draft the contract. 
  • Ongoing: This involves re-assessments, periodic due diligence, monitoring risk and performance, and anything else necessary to stay on top of new or emerging vendor risk brought from outsourcing an IoMT device. 
  • Offboarding: This marks the official end of the vendor relationship and termination of the contract. It's important to follow your exit plan and perform any final third-party risk management activities. 

From risk assessments and due diligence to ongoing performance monitoring, the third-party risk management lifecycle will help your healthcare organization perform the right risk management activities at the right time and in the proper order. 

Tip: A third-party risk management software tool can eliminate cumbersome and inaccurate spreadsheets and help you manage and share relevant information with various stakeholders throughout the third-party risk management lifecycle.


7 Steps to Use Third-Party Risk Management to Reduce the Risk of IoMT

Integrating Internet of Medical Things (IoMT) devices into your existing third-party risk management program should be a priority for your healthcare organization. As IoMT devices become more prevalent in healthcare environments, it’s crucial to recognize their unique risks and vulnerabilities and address them within your overall risk management strategy.

To effectively manage the risks associated with IoMT devices, follow the steps below:

  1. Ensure the third-party risk management policy includes IoMT devices. Work with senior management and the board to review and update your organization's third-party risk management policy to explicitly address IoMT devices, outlining specific requirements and guidelines for assessing and managing the associated risks.
  2. Compile a complete inventory of your organization's IoMT ecosystem. This will likely require some detective work and cross-functional collaboration. Understanding where to look for IoMT vendors will help you prioritize and organize your inventory. According to the type of use and end user, the medical IoMT market can be classified into the following segments:
    • Physiologic monitoring: These devices passively monitor signals originating from the patient's body, including wearable and ingestible devices.
    • Medical treatment: These devices actively participate in patient treatment, such as implantable medical devices (IMDs) and infusion pumps.
    • In-hospital connected: This category includes devices positioned within a hospital environment, like institutional medical devices and surgical robotics.
    • Ambient: These devices support various treatment processes, such as patient identification, movement detection, and sensors.
  3. Perform risk assessments. Conduct comprehensive risk assessments to identify potential vulnerabilities and threats associated with IoMT devices. Consider factors like device functionality, data transmission, interoperability, and potential impact on patient safety. 
    • The International Medical Device Regulators Forum (IMDRF) Software as a Medical Device Working Group has published a possible risk categorization framework for software as a medical device. The recommendations in this document can be useful for identifying the risk categories linked to IoMT devices and informing vendor risk assessments. ISO 14971:2019 also provides detailed best practices for creating risk frameworks for IoMT devices.
  4. Assess vendor security practices. Evaluate the security measures implemented by IoMT device vendors, such as encryption, access controls, software patching, and vulnerability management processes, as part of your vendor assessment activities. You’ll also need to ensure that they follow the new FDA guidelines. 
  5. Evaluate data handling procedures. Examine how IoMT vendors handle patient data and ensure they have appropriate data protection mechanisms in place, including encryption, access controls, and data retention policies.
  6. Implement security controls. Develop and enforce specific security controls tailored to IoMT devices to mitigate identified risks. These controls may include network segmentation, secure configurations, intrusion detection systems, and secure remote access protocols.
  7. Establish monitoring and incident response capabilities. Set up robust monitoring systems to detect anomalies or suspicious activities related to IoMT devices. Also, establish incident response procedures to promptly address and mitigate any security incidents. Review your IoMT vendor’s disaster recovery plans to ensure that they also have a plan to quickly address incidents. 
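As an added illustration of steps 2, 4, 6 and 7 working together (this is example code written for this article, not Venminder's software or any vendor's tooling), the script below keeps a small IoMT inventory classified by the market segments listed in step 2, records whether each vendor has disclosed its software components and committed to a patch schedule (the FDA requirements referenced in step 4), expresses a per-segment network segmentation policy (step 6), and runs that policy as detection logic over constructed firewall flow records (step 7). All device names, vendor labels, IP addresses, networks, byte thresholds and log lines are constructed for the example.

```python
"""Inventory-driven IoMT monitoring check (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Step 2: device inventory keyed by IP address, classified by the segments
# from the article. Vendor labels are placeholders, not real vendors.
INVENTORY: Dict[str, dict] = {
    "10.20.1.11": {"name": "wearable-ecg-01", "segment": "physiologic_monitoring",
                   "vendor": "VENDOR-A-PLACEHOLDER", "sbom_disclosed": True, "patch_cadence_days": 30},
    "10.20.2.21": {"name": "infusion-pump-07", "segment": "medical_treatment",
                   "vendor": "VENDOR-B-PLACEHOLDER", "sbom_disclosed": False, "patch_cadence_days": 90},
    "10.20.3.31": {"name": "surgical-robot-02", "segment": "in_hospital_connected",
                   "vendor": "VENDOR-C-PLACEHOLDER", "sbom_disclosed": True, "patch_cadence_days": None},
}

# Step 6: segmentation policy. Each segment may only reach the listed networks
# (vendor cloud relay / clinical data network) on the listed ports, and a
# per-flow byte ceiling gives a crude exfiltration tripwire. Constructed values.
POLICY = {
    "physiologic_monitoring": {"allowed_nets": ["10.50.0.0/24"], "allowed_ports": {443}, "max_bytes": 200_000},
    "medical_treatment":      {"allowed_nets": ["10.50.0.0/24"], "allowed_ports": {443, 8443}, "max_bytes": 50_000},
    "in_hospital_connected":  {"allowed_nets": ["10.50.0.0/24", "10.60.0.0/24"], "allowed_ports": {443},
                               "max_bytes": 5_000_000},
}

# Step 7: constructed flow records "timestamp src dst dport bytes", in the
# shape a firewall or NetFlow exporter might produce.
FLOW_LOG = """\
2024-03-01T10:00:01Z 10.20.1.11 10.50.0.5 443 1200
2024-03-01T10:00:05Z 10.20.2.21 10.50.0.5 8443 900
2024-03-01T10:00:09Z 10.20.2.21 203.0.113.77 443 4100
2024-03-01T10:00:12Z 10.20.3.31 10.60.0.9 443 120000
2024-03-01T10:00:15Z 10.20.1.11 10.50.0.5 22 300
2024-03-01T10:00:20Z 10.20.9.99 10.50.0.5 443 500
2024-03-01T10:00:25Z 10.20.2.21 10.50.0.5 443 750000
"""


@dataclass
class Finding:
    subject: str   # device IP or vendor label
    kind: str      # machine-readable finding type
    detail: str    # human-readable explanation


def vendor_gaps(inventory: Dict[str, dict] = INVENTORY) -> List[Finding]:
    """Step 4: flag vendors lacking an SBOM disclosure or a patch schedule."""
    gaps = []
    for ip, dev in inventory.items():
        if not dev["sbom_disclosed"]:
            gaps.append(Finding(dev["vendor"], "no_sbom", f"{dev['name']}: software components not disclosed"))
        if dev["patch_cadence_days"] is None:
            gaps.append(Finding(dev["vendor"], "no_patch_schedule", f"{dev['name']}: no regular patch schedule"))
    return gaps


def parse_flow(line: str):
    ts, src, dst, dport, nbytes = line.split()
    return ts, src, dst, int(dport), int(nbytes)


def evaluate_flows(log_text: str = FLOW_LOG) -> List[Finding]:
    """Steps 6-7: apply the segment policy to each flow and emit findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, nbytes = parse_flow(line)
        device = INVENTORY.get(src)
        if device is None:
            # A talker on the medical network that inventory does not know about
            findings.append(Finding(src, "unknown_device", f"{src} is not in the IoMT inventory"))
            continue
        policy = POLICY[device["segment"]]
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in ipaddress.ip_network(n) for n in policy["allowed_nets"]):
            findings.append(Finding(src, "segmentation_violation",
                                    f"{device['name']} -> {dst} is outside its allowed networks"))
        if dport not in policy["allowed_ports"]:
            findings.append(Finding(src, "unexpected_port", f"{device['name']} used port {dport}"))
        if nbytes > policy["max_bytes"]:
            findings.append(Finding(src, "volume_anomaly",
                                    f"{device['name']} sent {nbytes} bytes (ceiling {policy['max_bytes']})"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, for a dashboard or incident ticket."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in vendor_gaps() + evaluate_flows():
        print(f"{f.kind:24} {f.subject:22} {f.detail}")
```

Run as a script, it lists two vendor gaps (the pump vendor has not disclosed an SBOM, the robot vendor has no patch schedule) and four flow findings: the pump reaching an external address, the wearable using port 22, an uninventoried host, and a pump flow far above its byte ceiling. Keeping the inventory and the policy in data rather than code is deliberate: the same records feed the risk register used in steps 3 to 5, so the monitoring rules drift less from what was assessed.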

Due to the rapid adoption of IoMT, cybercriminals are increasingly targeting healthcare organizations. An effective third-party risk management program is essential to creating a healthy and secure IoMT ecosystem. Third-party risk management can help your organization identify current and potential risks and develop plans to mitigate those risks. Third-party risk management processes can also enhance vendor relationships by providing visibility into vendor activities and ensuring compliance with industry standards. 

This can reduce risks, improve efficiency, and minimize costs. Incorporating IoMT devices into your third-party risk management program is vital to avoid unnecessary vendor risk events, protect patient safety, and create a more secure environment.
