Healthcare can’t wait for device makers to prioritize security

The broad movement of ‘connected devices’ represents a growing cybersecurity threat that puts patient data, medical information, and potentially patient well-being at risk.

Internet-connected medical devices – such as infusion pumps, heart rate monitors, and even imaging and biopsy tables – have become a critical part of the healthcare environment. These devices improve patient care and have become vital to the operations of hospitals and healthcare providers.

However, the broad movement of ‘connected devices’ represents a growing cybersecurity threat that puts patient data, medical information, and potentially patient well-being at risk.

The concern is so great that the FDA recently warned that a number of connected insulin pumps may be at risk of cybersecurity breaches, and actually suggested that patients switch devices. 

Whether it is the threat of malicious actors seizing control of devices or the implications of a cyber breach giving cyber criminals access to troves of personal data, the deployment of new innovative products and the preponderance of older connected devices are both systemic hot spots when it comes to healthcare security.

Securing connected devices has emerged as one of the top priorities for healthcare IT security professionals.

For new devices being deployed, the two major concerns revolve around accessibility to each device and the safety of software updates. For older devices, fear stems from unsupported systems no longer receiving updates and becoming an entryway for hackers. This is an immense challenge that keeps healthcare CISOs up at night.

It is not a lost cause; there are ways to limit and mitigate the risks inherent in the IoT, cloud, and networked devices that keep patients alive, allow vital information to be shared among staff and even manage maintenance and building operations. For instance, restricting access to common ports such as SSH, RDP and SMB and shutting down unnecessary services should be done on all devices.
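One way to check the port restriction described above, as an added example that is not part of the original article: it reviews firewall allow rules and flags any that open SSH, RDP or SMB to sources outside a management subnet. The device names, rule list and `10.20.0.0/24` management network are constructed assumptions.

```python
import ipaddress

# Ports the article names: SSH, RDP and SMB (standard TCP port numbers).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB"}

# Assumption: a dedicated management subnet is the only place these
# services should be reachable from. The CIDR is a constructed value.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample: allow rules exported from a segment firewall, as
# (device, destination TCP port, permitted source CIDR).
RULES = [
    ("infusion-pump-07", 22, "10.20.0.0/24"),
    ("infusion-pump-07", 445, "10.0.0.0/8"),
    ("imaging-table-02", 3389, "0.0.0.0/0"),
    ("imaging-table-02", 443, "10.0.0.0/8"),
    ("hr-monitor-11", 22, "10.20.0.16/28"),
]

def overexposed(rules, mgmt_net=MGMT_NET):
    """Return rules that open SSH/RDP/SMB to sources outside mgmt_net."""
    findings = []
    for device, port, source in rules:
        if port not in ADMIN_PORTS:
            continue  # not one of the services the article singles out
        src = ipaddress.ip_network(source)
        # subnet_of() is True only if every source address is in mgmt_net
        if not src.subnet_of(mgmt_net):
            findings.append((device, ADMIN_PORTS[port], source))
    return findings

if __name__ == "__main__":
    for device, service, source in overexposed(RULES):
        print(f"{device}: {service} reachable from {source}, "
              f"restrict to {MGMT_NET}")
```
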

Concerns grow as connected devices proliferate in healthcare

A recent Wall Street Journal story revealed that in February, Moody’s Investors Service listed hospitals at the top of the list of industries most vulnerable to cyber attacks. The WSJ also pointed out that the Department of Homeland Security has its own concerns, issuing nearly twice as many advisories about the cyber threats posed by medical devices in 2018 as in 2017.

Purchasing and deploying new connected devices is becoming the top challenge that healthcare executives wrangle with on a consistent basis.

According to WSJ, there is a growing tension between device companies and healthcare organizations when it comes to transparency in regard to not only the security features baked into devices but also the third-party software companies that the device-makers have contracted.

More and more, conversations that have focused on encryption and other connected device security specifications are evolving into demands for clarity on who can gain access to the devices once in use.

The potential threat posed by insider error or purposeful misuse of privileged access has also been a known concern for the healthcare industry for a few years now. What is new — and worrisome for IT Security Operations — are the invisible dangers inherent in devices using and consistently being updated via third-party applications connected to broader public networks.

Outdated systems and devices pose a danger to healthcare organizations

The economics of the healthcare industry also play a role in the growing threats of connected devices. While security risk assessments that measure the ROI of rolling out new technologies in hospitals and other medical facilities can now be made, the tight financial maneuvering that occurs in the healthcare sector may pose another threat beyond decisions regarding which products to use.

Too often, outdated devices stay in service longer than they should because of tight budgets. Obviously, there is a danger in using legacy devices for too long when it comes to patient care. But new risks are coming to the forefront of security teams’ concerns, as many legacy devices and systems are increasing the attack surfaces for cybercriminals.

For example, devices running software applications that will become unsupported pose a massive potential threat. According to a recent report from Forescout, 71 percent of the connected devices currently using Windows software will be opened up to the risk of cyber attacks as the applications expire in 2020. That is less than six months from now!

Furthermore, devices that use Microsoft Server Message Block (SMB) protocols — 85 percent of medical devices that run Windows OS — are vulnerable to attacks such as EternalBlue (CVE-2017-0143). This allows malicious actors to propagate throughout the network and has been used in ransomware outbreaks.

In addition, they will attempt to connect to addresses that do not exist on the network. During this connection, they scan for internal Server Message Block accounts to identify which file shares they can connect to, or worse.

With IoT devices running versions of Linux, the Mirai Botnet was able to scan for default username and password combinations. Mirai will take over these IoT devices and use them to launch DDoS attacks or mine for cryptocurrency.

Solutions to security threats of connected healthcare devices

The potential security threats of legacy systems provide a real logistical challenge for healthcare IT professionals, especially because devices outnumber healthcare industry staff three to one.

However, it has been suggested that machine learning and AI can play a massive role in mitigating the risks posed by both the deployment of new IoT devices as well as legacy technologies and systems. In particular, the best way to assess potential threats is through privileged access controls.

By managing privilege — the accounts, credentials and secrets that can give users wide-ranging powers on a network or device — healthcare IT security can control access and privileges malicious actors need in order to access devices.

Attackers will attempt to steal and escalate privileged access and move around the network while potentially causing mayhem with devices. Blocking this path, by managing privileged access on devices, networks and third-party applications, makes it increasingly difficult for cybercriminals to mount a successful attack.

About the Author: Bryan Murphy, Director, Consulting Services – Americas, at CyberArk.