Medical devices have a profoundly positive impact on the quality of healthcare. Whether stationary, bedside or portable, they improve patient experience and outcomes, accelerate recovery times and minimize readmissions. At the same time, these connected and unprotected endpoints are putting healthcare networks and patients at substantial risk, as patient identity theft remains both lucrative and relatively easy to exploit. And ransomware is a simple and safe way for hackers to profit.
The WannaCry attack reminds us of the danger and disruption of cybercrime in the healthcare industry. The British NHS was hit especially hard when CT and MRI machines were disabled. According to The Register, “WannaCry hit 34 per cent of health trusts in England, although the full extent of the disruption and financial impact is unknown. Thousands of appointments and operations were cancelled and in five regions of the UK patients had to travel further to accident and emergency departments”.
To put it into perspective, hospitals may have 10-15 network connected devices per bed. Infusion pumps, implantable devices, radiation equipment, dialysis machines, blood gas analyzers and more—and all are effective in doing what they are designed to do. However, the majority of these devices are also entrusted to do what they weren’t designed to do—protect patient information and the patients themselves from cyberattacks.
In the 2017 Medical Device Security Report, the Ponemon Institute reports a significant lack of confidence in the security of network connected medical devices (IoMT). Yet device manufacturers and Healthcare Delivery Organizations (HDOs) are remarkably unmoved by the cybersecurity vulnerabilities of the medical devices they develop and deploy. Incredibly, 67% of developers surveyed believe a cyberattack is likely via the IoMT devices built by their organization. It’s alarming that only 17% of these developers report that they are taking actions to protect their products from attacks. Healthcare InfoSec teams should be on high alert. With 56% of HDO respondents believing an attack is likely, why do only 22% have an incident plan in place?
- The rush to release products and minimize costs means product development teams are not likely to have effective security practices in place.
- Medical devices contain vulnerable code due to lack of quality assurance and testing procedures.
- Accountability for the security of IoMT devices and their deployment by manufacturers and HDOs is lacking.
- Many of these devices are inherently difficult to secure. And there’s little confidence that built-in security architecture and protocols can provide protection.
- While FDA guidelines are designed to mitigate and reduce inherent IoMT security risks, they are not necessarily embraced by developers or HDOs.
Case in Point
In a post about pacemaker vulnerabilities, Whitescope IO outlined its research discoveries after examining 7 different pacemaker programmers from 4 manufacturers. They found:
- Over 8,000 known vulnerabilities in 3rd party libraries across 4 different pacemaker programmers from 4 manufacturers, highlighting an industry-wide issue associated with software security updates.
- Patient care influences cybersecurity posture. Pacemaker programmers do not authenticate to specific pacemaker devices. This means that any pacemaker programmer can reprogram any pacemaker from the same manufacturer. Nor do they require physicians to authenticate to the programmer.
- All pacemaker systems had unencrypted filesystems on removable media.
- These systems are meant to be returned to the manufacturer after use by a hospital, yet anyone, including hackers can purchase them on auction websites such as EBay.
Are the red flags raising yet? There are more examples. British and Belgian researchers recently found security flaws in the proprietary communication protocols of new generation, implantable cardiac defibrillators. You can read the details here. Net net, HDOs should be highly concerned with the industry’s lack of action to protect patients and users of medical devices.
Reducing Your Risks
There are, of course, solutions and best practices that HDOs can and should deploy to gain more visibility into vulnerable IoMT devices, respond when network breaches do occur, mitigate risks and ultimately protect the privacy and safety of patients and clinicians.
- Acquire the ability to discover or see every networked device regardless of type. This includes traditional endpoints, such as laptops, tablets and printers, as well as IoT devices such as sensors, IP cameras, heart monitors, infusion pumps and more.
- Profile and monitor all networked devices for abnormal behavior. Effective profiling includes creating detailed identities for each endpoint, including what the device is, its expected behavior, location and access authorization. Then, profile changes can be used to alert on abnormal behavior, as well new devices accessing the network and/or changing locations, all of which could indicate a potential breach.
- Enforce access policies, prevent unauthorized devices from joining a network and disable access based on abnormal behavior.
- Use network segmentation to restrict access to and from departments such as, medical, pharmacy, nurses’ stations and back office applications.
- Establish processes to continuously identify and resolve vulnerabilities, such as server and controller software patches.
- Train both technical and non-technical personnel on proper protocols for identifying and responding to potential threats.
- Limit, disable and/or reset vendor and contractor access as well as reduce employee access privileges.
If you’re in the Healthcare space, most likely there are unknown IoMT devices on your network. And you can’t control what you can’t see. Thus, it’s critical that your security strategy includes the ability to automatically discover, profile and monitor every single connected device, so that proper enforcement and remediation protocols can be deployed when your network is inevitably breached.
Interested in learning more? Check out the recent Gartner Market Trends report, Grow Your IoT Security Business by Investing in Real-Time Discovery, Visibility and Control.