Minimizing the Risk of IoMT Device Vendors in Healthcare
By: Venminder Experts on July 25 2023
The Internet of Medical Things (IoMT) is transforming healthcare. More and more people use these devices to monitor their health remotely, but with this explosion of growth comes new risks that can put patient safety in danger. In the past, regulatory policies and legislation regarding data security and privacy slowed the use of IoMT devices in the healthcare industry, but with the COVID-19 pandemic, approvals were fast-tracked to allow IoMT usage.
The increase in remote medical assistance was triggered by overcrowded health facilities and COVID-19 limits on in-person appointments. The genie is out of the bottle, and the use of IoMT devices is rapidly growing. A 2022 EMR report estimates that over $400 billion will be spent on IoMT devices by 2027, up from $177.64 billion in 2021.
What Is the Internet of Medical Things in Healthcare?
IoMT is a network of connected devices that can exchange and analyze data over the internet, such as sensors, medical equipment, and diagnostic devices. The use of IoMT-enabled devices offers many benefits to patients, their families, doctors, hospitals, and insurance companies. By leveraging IoMT technology, healthcare providers and patients can improve communication, reduce healthcare costs, and deliver remote treatment.
The Risks Presented to Healthcare When Using IoMT
There are substantial risks associated with IoMT. Healthcare organizations must be aware of the risks and actively work to monitor and mitigate them. Here are some of the risks involved with IoMT:
- Cybersecurity risk – The healthcare sector generates and stores enormous volumes of sensitive personal data. With so much of it processed and retained, it should be no surprise that hospitals and other healthcare institutions are popular targets for ransomware attacks. IoMT raises the stakes further: a compromised infusion pump or patient monitor threatens patient safety directly, not just data confidentiality. In healthcare, cyberattacks can mean life or death.
- Regulatory risk – Device cybersecurity is now a regulatory issue as well. The Consolidated Appropriations Act, 2023 added section 524B to the Federal Food, Drug, and Cosmetic Act, and beginning October 1, 2023, the U.S. Food & Drug Administration (FDA) may refuse to accept premarket submissions for "cyber devices" that omit the required cybersecurity information. Applicants must submit a plan for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities; demonstrate processes for delivering security updates and patches on a regular cycle, and out of cycle for critical vulnerabilities; and provide a software bill of materials (SBOM) listing the commercial, open-source, and off-the-shelf software components used in the device.
- Reputational risk – All it takes is one incident with IoMT devices to damage your patients’ trust. Anything from a data breach, an attack on an IoMT device, or even a hefty regulatory fine can leave your healthcare organization’s reputation in shreds.
Knowing how to minimize the risks involved with all your IoMT devices and vendors can be overwhelming. That's where third-party risk management can help.
How Third-Party Risk Management Can Help Reduce IoMT Device Risk
Third-party risk management is the practice of identifying, assessing, managing, and monitoring vendor risks. Organizations that implement and execute third-party risk management properly can avoid unnecessary risks stemming from vendor relationships, including those involving medical equipment and devices.
Following the third-party risk management lifecycle is the best way to systematically identify and manage vendor risks throughout the duration of the vendor relationship. The lifecycle includes:
- Onboarding: This includes assessing the vendor’s inherent risk and criticality so you can perform risk-based due diligence. Once you select the vendor, you’ll then begin to draft the contract.
- Ongoing: This involves re-assessments, periodic due diligence, monitoring risk and performance, and anything else necessary to stay on top of new or emerging vendor risk brought from outsourcing an IoMT device.
- Offboarding: This marks the official end of the vendor relationship and termination of the contract. It’s important to follow your exit plan and perform any final third-party risk management activities, such as confirming the return or destruction of patient data and revoking the vendor’s remote access to your network.
From risk assessments and due diligence to ongoing performance monitoring, the third-party risk management lifecycle will help your healthcare organization perform the right risk management activities at the right time and in the proper order.
Tip: A third-party risk management software tool can eliminate cumbersome and inaccurate spreadsheets and help you manage and share relevant information with various stakeholders throughout the third-party risk management lifecycle.
7 Steps to Use Third-Party Risk Management to Reduce the Risk of IoMT
Integrating Internet of Medical Things (IoMT) devices into your existing third-party risk management program should be a priority for your healthcare organization. As IoMT devices become more prevalent in healthcare environments, it’s crucial to recognize their unique risks and vulnerabilities and address them within your overall risk management strategy.
To effectively manage the risks associated with IoMT devices, follow the steps below:
- Ensure the third-party risk management policy includes IoMT devices. Work with senior management and the board to review and update your organization's third-party risk management policy to explicitly address IoMT devices, outlining specific requirements and guidelines for assessing and managing the associated risks.
- Compile a complete inventory of your organization's IoMT ecosystem. This will likely require some detective work and cross-functional collaboration. Understanding where to look for IoMT vendors will help you prioritize and organize your inventory. According to the type of use and end user, the medical IoMT market can be classified into the following segments:
- Physiologic monitoring: These devices passively monitor signals originating from the patient's body, including wearable and ingestible devices.
- Medical treatment: These devices actively participate in patient treatment, such as implantable medical devices (IMDs) and infusion pumps.
- In-hospital connected: This category includes devices positioned within a hospital environment, like institutional medical devices and surgical robotics.
- Ambient: These devices support various treatment processes, such as patient identification, movement detection, and sensors.
- Perform risk assessments. Conduct comprehensive risk assessments to identify potential vulnerabilities and threats associated with IoMT devices. Consider factors like device functionality, data transmission, interoperability, and potential impact on patient safety.
- The International Medical Device Regulators Forum (IMDRF) Software as a Medical Device Working Group has published a risk categorization framework for software as a medical device. Its recommendations can be used to identify the risk categories that apply to IoMT devices and to inform vendor risk assessments. ISO 14971:2019, the standard for applying risk management to medical devices, also provides a detailed process for identifying hazards, estimating and evaluating risk, and controlling it.
- Assess vendor security practices. Evaluate the security measures implemented by IoMT device vendors, such as encryption, access controls, software patching, and vulnerability management processes, as part of your vendor assessment activities. You’ll also need to confirm that new devices meet the FDA cybersecurity requirements described above, including an SBOM you can use to track vulnerabilities in the device’s software components over its life.
- Evaluate data handling procedures. Examine how IoMT vendors handle patient data and ensure they have appropriate data protection mechanisms in place, including encryption, access controls, and data retention policies.
- Implement security controls. Develop and enforce specific security controls tailored to IoMT devices to mitigate identified risks. These controls may include network segmentation, secure configurations, intrusion detection systems, and secure remote access protocols.
- Establish monitoring and incident response capabilities. Set up robust monitoring systems to detect anomalies or suspicious activities related to IoMT devices, such as a device communicating with destinations it has no business reaching. Also, establish incident response procedures to promptly address and mitigate any security incidents. Review your IoMT vendor’s incident response and disaster recovery plans to ensure that they can address incidents quickly and will notify you of vulnerabilities or breaches affecting their devices.
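The following Python script is an added example, not code from the original article or from Venminder, showing what the network segmentation control ("Implement security controls") and the anomaly monitoring ("Establish monitoring and incident response capabilities") look like in practice when combined: each inventoried IoMT device gets an allowlist of destinations it is expected to reach, and firewall flow records are checked against it. The device names, segments, addresses, ports, and flow records are all constructed for illustration; the allowlist itself would normally come from the inventory compiled earlier and from the vendor’s documented communication requirements gathered during due diligence.

```python
"""Check IoMT device traffic against a per-device segmentation allowlist.

Added example with constructed data: a small device inventory mapped to the
destinations each device is expected to reach, and a few hypothetical firewall
flow records. Flows that leave the allowlist are flagged for incident response,
and traffic from devices missing from the inventory is reported separately as
an inventory gap.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical hospital address space; anything outside it is treated as egress.
ENTERPRISE_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class DevicePolicy:
    name: str
    segment: str
    # (destination network, destination port) pairs the device may reach
    allowed: tuple


# Constructed inventory: source IP -> policy. Names, segments and networks are invented.
INVENTORY = {
    "10.20.1.15": DevicePolicy(
        "infusion-pump-07", "iomt-infusion",
        ((ip_network("10.50.0.0/24"), 443),   # vendor management server over TLS
         (ip_network("10.50.0.0/24"), 123)),  # NTP
    ),
    "10.20.1.22": DevicePolicy(
        "patient-monitor-03", "iomt-monitoring",
        ((ip_network("10.51.0.0/24"), 2575),),  # HL7 gateway
    ),
}

# Constructed flow log, in the shape of a CSV export of firewall flow records.
FLOW_LOG = """\
ts,src_ip,dst_ip,dst_port,proto,bytes
2023-07-25T10:00:01Z,10.20.1.15,10.50.0.10,443,tcp,1820
2023-07-25T10:00:05Z,10.20.1.15,10.50.0.11,123,udp,76
2023-07-25T10:00:09Z,10.20.1.22,10.51.0.5,2575,tcp,4410
2023-07-25T10:01:13Z,10.20.1.15,203.0.113.44,445,tcp,9000
2023-07-25T10:01:40Z,10.20.1.22,10.20.1.15,22,tcp,300
2023-07-25T10:02:02Z,10.20.9.9,10.50.0.10,443,tcp,500
"""


def flow_is_allowed(policy, dst_ip, dst_port):
    """True if the destination address and port match one of the policy's allowed pairs."""
    dst = ip_address(dst_ip)
    return any(dst in net and port == dst_port for net, port in policy.allowed)


def classify_violation(dst_ip, inventory):
    """Label why a flow is suspicious so responders can triage it."""
    dst = ip_address(dst_ip)
    if str(dst) in inventory:
        return "lateral traffic to another inventoried device"
    if dst not in ENTERPRISE_NET:
        return "egress to non-enterprise address"
    return "destination outside allowlist"


def find_violations(flow_log_text, inventory):
    """Return (violations, unknown_sources) for a CSV flow log."""
    violations, unknown = [], set()
    for row in csv.DictReader(io.StringIO(flow_log_text)):
        policy = inventory.get(row["src_ip"])
        if policy is None:
            # Traffic from an address the inventory does not know about is a
            # gap in the inventory step, not a policy violation.
            unknown.add(row["src_ip"])
            continue
        port = int(row["dst_port"])
        if not flow_is_allowed(policy, row["dst_ip"], port):
            violations.append({
                "ts": row["ts"],
                "device": policy.name,
                "segment": policy.segment,
                "dst": f"{row['dst_ip']}:{port}/{row['proto']}",
                "reason": classify_violation(row["dst_ip"], inventory),
            })
    return violations, sorted(unknown)


if __name__ == "__main__":
    found, gaps = find_violations(FLOW_LOG, INVENTORY)
    for v in found:
        print(f"{v['ts']} {v['device']} ({v['segment']}) -> {v['dst']}: {v['reason']}")
    for src in gaps:
        print(f"{src}: traffic from a device not in the IoMT inventory")
```

Run against the constructed log, the script flags two flows: the infusion pump reaching an address outside the hospital network on port 445, and the patient monitor opening SSH to the pump, which no clinical workflow requires. It also reports 10.20.9.9 as a source missing from the inventory, which is the kind of finding that sends you back to the inventory step rather than to incident response.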
Due to the rapid adoption of IoMT, cybercriminals are increasingly targeting healthcare organizations. An effective third-party risk management program is essential to creating a healthy and secure IoMT ecosystem. Third-party risk management can help your organization identify current and potential risks and develop plans to mitigate those risks. Third-party risk management processes can also enhance vendor relationships by providing visibility into vendor activities and ensuring compliance with industry standards.
This can reduce risks, improve efficiency, and minimize costs. Incorporating IoMT devices into your third-party risk management program is vital to avoid unnecessary vendor risk events, protect patient safety, and create a more secure environment.