The Healthcare and Public Health Sector Advisory Bulletin
Cybersecurity Edition
December 18, 2024
The Healthcare and Public Health (HPH) Sector Advisory Bulletin is produced by the Office of Cybersecurity and Infrastructure Protection (OCIP) within the U.S. Department of Health and Human Services' (HHS) Administration for Strategic Preparedness and Response (ASPR).
Protecting Healthcare Operational Technology and Internet of Medical Things Against Cyber Threats
Purpose and Background
This bulletin offers recommendations for safeguarding operational technology (OT) and the internet of medical things (IoMT), commonly known as connected medical devices, within the healthcare sector from cybersecurity threats. These devices play a crucial role in numerous vital operational activities, such as patient care, product manufacturing, facility management, and data collection. Nevertheless, their outdated software, inadequate cybersecurity measures, and poor integration with IT infrastructures render them attractive targets for cyber threat actors.
Threat actors may exploit critical vulnerabilities in OT and the IoMT to interfere with healthcare services, jeopardize patient information, and threaten patient safety. This advisory aligns with recognized cybersecurity frameworks and best practices within the ongoing cybersecurity initiatives of HHS and the HPH sector, aimed at safeguarding healthcare OT and IoMT from cyber threats.
Audience
This bulletin is intended for owners, operators, Information Technology (IT) administrators, as well as operations and security teams responsible for managing OT and IoMT within healthcare environments.
Understanding Operational Technology, Internet of Medical Things, and Embedded Technologies
As outlined in NIST SP 800-82 Rev 3, OT encompasses the hardware and software systems used to monitor or manage physical processes, devices, or infrastructure. OT systems play a crucial role in various sectors, including healthcare, where their main function is to guarantee the safe and efficient functioning of healthcare systems. The IoMT represents a specific category of OT, consisting of connected medical devices and applications that interface with healthcare IT systems via networks. Common OT and IoMT systems include:
1. Distributed Control Systems (DCS): Found in industrial environments like chemical processing plants, used to control production processes.
2. Programmable Logic Controllers (PLCs): Used to automate tasks, such as controlling machinery in factories.
3. Building Management Systems (BMS): Regulate and monitor building operations, such as heating, ventilation, and air conditioning (HVAC).
4. Industrial Internet of Things (IIoT) Devices: Devices that collect and transmit data to improve decision-making and operational efficiency.
5. Supervisory Control and Data Acquisition (SCADA) Systems: Used to monitor and control large-scale processes, such as utilities and water treatment plants.
Connected Medical Devices are designed for clinical use and network connectivity. Examples include:
1. Infusion Pumps: Deliver fluids and medications in controlled amounts.
2. Imaging Systems: MRI machines, CT scanners, and X-rays connected to networks for data sharing and diagnostics.
3. Wearable Health Monitors: Devices like continuous glucose monitors and heart rate monitors.
4. Pacemakers and Implantable Devices: Wireless-enabled devices for monitoring and managing patient conditions.
Common Cybersecurity Vulnerabilities and Threats of OT and IoMT
The integration of OT and IoMT systems and devices greatly improves operational efficiency and patient care; however, this integration with IT networks also heightens the risk of cybersecurity threats. OT and IoMT are subject to numerous inherent cybersecurity vulnerabilities, which, if exploited, can lead to significant operational risks. Vulnerabilities include:
1. The technological constraints of OT and IoMT devices hinder the adoption of robust security measures, including encryption, advanced communication protocols, and threat detection capabilities. Consequently, these devices are susceptible to manipulation by malicious actors who may take advantage of insecure network traffic to access data or exploit hardcoded or default passwords.
2. OT and IoMT often operate within outdated environments, which include firmware, software, or hardware that may receive little to no support from vendors. This lack of support exacerbates the challenges associated with applying patches and addressing known vulnerabilities. Consequently, these vulnerabilities can be exploited to obtain unauthorized access to systems, potentially leading to the compromise of sensitive data or interruptions in operations.
3. Many OT devices ship with default credentials, some of which are hardcoded by the manufacturer. Cybercriminals exploit these weak or default credentials to gain unauthorized access to systems. Furthermore, the lack of role-based access control (RBAC) leads to excessive user privileges, increasing the potential for insider threats.
4. Inadequate integration with current IT systems presents considerable risks to the organization. The security weaknesses found in numerous OT and IoMT devices, including insufficient authentication measures, unencrypted data transmissions, outdated firmware, and insecure network services, can serve as potential gateways for cybercriminals. This situation may allow them to move laterally within the network, which can jeopardize sensitive information stored within the larger IT infrastructure.
5. Insufficient physical security protocols, such as locks, access controls, and tamper-evident packaging, allow for unauthorized physical entry to OT and IoMT. By improving the security features of these devices, organizations can diminish the chances of tampering, theft, and physical attacks.
Operational Technology and Internet of Medical Things Cyber Risk Mitigation Recommendations
Cybersecurity threats associated with OT and IoMT include risks such as data breaches, disruptions to critical operations, dangers to patient safety, unauthorized access to IoMT, and the potential alteration of sensitive patient data. These vulnerabilities frequently stem from insufficient security protocols in these devices and systems, making them especially vulnerable to cyberattacks. Healthcare organizations that employ OT and IoMT should establish a robust cybersecurity and risk management strategy that addresses all stages of the System Development Life Cycle (SDLC), which includes planning, analysis, design, development, testing, implementation, and maintenance. NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security, provides detailed guidance on how to secure OT while addressing its unique performance, reliability, and safety requirements. Below are several recommended actions aimed at reducing the cyber risks associated with OT and IoMT devices:
1. Asset Inventory and Lifecycle Management: Organizations are required to maintain a thorough inventory of all devices, including a Software Bill of Materials (SBOM) and information such as device type, serial number, location, network connectivity, firmware version, and any other pertinent details necessary for the effective tracking and management of these connected devices. This is typically achieved through a centralized platform that allows for real-time monitoring of their status and performance. It is essential to regularly update the inventory to accurately represent changes within the environment and to oversee devices throughout their entire lifecycle, from acquisition to decommissioning.
2. Integrate the deployment of OT and IoMT into the enterprise Risk Management Program: Organizations should implement a threat-based risk identification and management approach focused on OT and IoMT. This includes continuous monitoring, vulnerability management, and alignment with established industry frameworks such as NIST 800-37.
3. Use Network Micro-Segmentation: Divide OT and IoMT networks into very small, isolated segments, allowing highly granular control over network access and data flow within the OT environment. By placing critical devices in separate network segments, organizations can limit lateral movement by potential attackers, enforce least-privilege access, and detect unusual activity. For more information on implementation, refer to HPH Cybersecurity Performance Goals (CPGs) Enhanced Goals ID-17, 6.M.B; NIST 800-82 Section 6.2.3 for OT network segmentation; and CISA OT Principle 4.
4. Restrict remote access to OT and IoMT: Limit remote access to OT and IoMT devices by using secure, encrypted VPN traffic combined with multi-factor authentication. This strategy obscures network information and mitigates the risk of unauthorized access from threats such as ARP spoofing, man-in-the-middle attacks, or data interception. For further details, consult HPH CPG Essential Goals ID-9, 3.M.D, and NIST 800-82 Section 5.3.4 regarding access management.
5. Manage Supply Chain Risk: Vet third-party vendors with access to OT systems, require an SBOM, and implement strict vendor access protocols. Ensure OT and connected medical device acquisitions meet the appropriate cybersecurity acquisition requirements for the private and public sectors. For more information, refer to NIST 800-161 for supply chain risk management and CISA OT Principle 5.
6. Regular Firmware and Software Updates: Ensure that firmware and software updates are regularly applied to OT and IoMT to minimize security vulnerabilities. Establish vendor relationships to guarantee the availability of updates and patches. For more information, refer to NIST Special Publication 800-53 Revision 4: SI-2 (5) and NIST 800-82 Section 5.5.2 for patch management in OT environments.
7. Secure Wireless Signal Transmission: Safeguard wireless signals and data transfers according to the risk associated with the device, making certain that the level of protection is appropriate for possible threats to patients and data in case of a security compromise. For more information, refer to HPH CPG Essential Goals ID-1, 5.L.D, and NIST 800-82.
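As an added illustration that is not part of the bulletin, the following script audits inventory records against the fields recommendation 1 lists and flags the gaps recommendations 2, 3 and 6 describe: devices past vendor support, firmware below an approved baseline, and clinical devices sitting on the enterprise IT segment. The column names, the approved-firmware table, the segment name and the sample records are all constructed assumptions, not a standard schema.

```python
from datetime import date

# Assumed column names; the bulletin lists the fields but defines no schema.
REQUIRED_FIELDS = ("device_type", "serial_number", "location", "network_segment",
                   "firmware_version", "sbom_ref", "support_end")
# Constructed: minimum approved firmware per device type, as version tuples.
APPROVED_FIRMWARE = {"infusion_pump": (3, 2, 0), "ct_scanner": (12, 0, 1)}
ENTERPRISE_IT_SEGMENT = "corp-it"  # assumed name of the general IT network


def audit_device(record, today):
    """Return findings for one inventory record (empty list = clean)."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:  # cannot judge lifecycle or patch state without the base data
        return ["missing fields: " + ", ".join(missing)]
    findings = []
    if date.fromisoformat(record["support_end"]) < today:
        findings.append("vendor support ended; treat as unpatchable legacy device")
    minimum = APPROVED_FIRMWARE.get(record["device_type"])
    version = tuple(int(p) for p in record["firmware_version"].split("."))
    if minimum and version < minimum:  # tuple compare: 3.1.7 < 3.2.0 but 3.10.0 > 3.2.0
        findings.append("firmware below approved minimum")
    if record["network_segment"] == ENTERPRISE_IT_SEGMENT:  # recommendation 3
        findings.append("on enterprise IT segment instead of an isolated OT segment")
    return findings


def audit_inventory(records, today=date(2024, 12, 18)):
    """Map serial number -> findings for every device that has at least one."""
    return {(r.get("serial_number") or "<no serial>"): f
            for r in records if (f := audit_device(r, today))}


# Constructed sample inventory: one clean pump, one legacy pump on the IT
# network, and a scanner whose SBOM reference was never recorded.
SAMPLE_INVENTORY = [
    {"device_type": "infusion_pump", "serial_number": "IP-0001", "location": "ICU-2",
     "network_segment": "ot-clinical-a", "firmware_version": "3.2.4",
     "sbom_ref": "sbom/ip-3.2.4.json", "support_end": "2027-06-30"},
    {"device_type": "infusion_pump", "serial_number": "IP-0002", "location": "ICU-2",
     "network_segment": "corp-it", "firmware_version": "3.1.7",
     "sbom_ref": "sbom/ip-3.1.7.json", "support_end": "2023-01-31"},
    {"device_type": "ct_scanner", "serial_number": "CT-0100", "location": "Radiology",
     "network_segment": "ot-imaging", "firmware_version": "12.0.1",
     "sbom_ref": "", "support_end": "2028-12-31"},
]

if __name__ == "__main__":
    for serial, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(serial, "->", "; ".join(findings))
```

Run against a real export, the output is the list of devices that need a lifecycle or segmentation decision before the next inventory review.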
Conclusion
Securing OT and IoMT equipment across the HPH sector requires a proactive risk-management approach rooted in cybersecurity best practices. By implementing these recommendations, healthcare organizations can significantly reduce cyberattack risks, safeguard operational integrity, and protect patient data. Adopting these measures will enhance trust in healthcare's resilience against evolving cyber threats and contribute to the confidentiality, integrity, and availability of healthcare services.
References
1. National Institute of Standards and Technology (NIST). (2023). NIST Special Publication 800-82 Revision 3: Guide to Operational Technology (OT) Security. Retrieved from https://doi.org/10.6028/NIST.SP.800-82r3
2. U.S. Department of Health and Human Services (HHS). (2023). Healthcare and Public Health Cybersecurity Performance Goals. Retrieved from HHS Cybersecurity.
3. FDA Cybersecurity in Medical Devices Frequently Asked Questions.
4. NIST. (2020). NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations. Retrieved from https://doi.org/10.6028/NIST.SP.800-37r2
5. Australian Cyber Security Centre (ACSC). (2020). OT Cybersecurity Principles. Retrieved from https://www.cisa.gov/resources-tools/resources/principles-operational-technology-cyber-security
6. U.S. Department of Energy (DOE). (2021). Cybersecurity for the Industrial Control Systems: A Guide for the Energy Sector. Retrieved from https://www.energy.gov
7. HealthIT.gov. (2023). Strategies for Securing Health IT Systems. Retrieved from https://www.healthit.gov
8. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Retrieved from https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final
9. International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2022. (2022). Information security, cybersecurity, and privacy protection — Information security management systems — Requirements. Retrieved from ISO/IEC 27001.
Subscribe to HPH Sector Bulletins
Did a colleague forward you this HPH Sector Bulletin? HPH Sector bulletins inform stakeholders about the most significant issues facing the sector including cybersecurity, medical supply chains, COVID-19, and more. If you are interested in receiving HPH Sector bulletins, visit the CIP bulletins subscription webpage.
Comments and Questions
If you have any additional questions, we encourage you to contact us at hhscyber@hhs.gov.
TLP: CLEAR information may be distributed without restriction.
Disclaimer: ASPR provides the above sources of information for the convenience of the HPH Sector community and is not responsible for the availability or content of the information or tools provided, nor does ASPR endorse, warrant or guarantee the products, services or information described or offered. It is the responsibility of the user to determine the usefulness and applicability of the information provided.
U.S. Department of Health & Human Services,
Office of the Administration for Strategic Preparedness & Response
200 C Street, SW
Washington, DC 20024