How to assess the security of hospital IoT
"We’ve seen infusion pumps infected with malware – while connected to patients," says Joe Lea, vice president of product at Armis Security.
That sentence should give chills to hospital leaders of any stripe – whether security or IT staff, clinicians or patient safety officers.
More and medical devices and machines – from smartpumps to MRIs to implantable sensors - are linked up to the ever-expanding internet of things. And IoT's connection to the web leaves those technologies vulnerable to attack, putting patients at risk and the bottom line of healthcare organizations under threat.
Lea and his colleague, Armis Security CMO Michael Parker, recently spoke with Healthcare IT News about about some of the ways IoT devices are left open to attack, and offered some advice on how health systems can help manage the threats.
Openings are everywhere
An explosion of devices makes a network that more porous, from the inside and out, Lea says, noting that in an average hospital setting there is an average of ten devices per employee.
That could range from a crash cart laptop that a worker uses to check Facebook on a slow night to an ultrasound machine that never gets patched or updated despite running an out of the box Windows or Linux OS. He also points out a patient’s Google Home could become compromised as a surveillance device.
Parker stresses the importance of staying on top of every piece of equipment by keeping a close watch on their network traffic.
"We know what constitutes normal network behavior from massive dataset," said Lea. We know what an infusion pump does, so based normal behavior if we see it connecting to unusual ports we can notify relevant people."
A wide variety of vulnerable targets
Once under the sway of a malicious actor, there are a variety of ill gains for which a compromised IoT device can be exploited. Parker notes a case where researchers were able to intercept X-ray images as "unencrypted communications over the internet and alter it to make it look like cancerous nodes were there."
There are numerous cases of networks being held hostage in ransomware attacks, with WannaCry as the top culprit. Sometimes the hospital itself isn’t the target. Massive botnets have a rapacious appetite for processors and an unguarded CPU in an MRI machine is as good a target as a desktop PC whose owner has neglected to patch and update its OS.
"So much of the traffic from these devices is unencrypted and insecure," says Parker.
IT that 'does no harm'
While there are conventional products to help secure some devices, Parker points out there is no off-the-shelf antivirus monitor for IoT devices.
"Ninety percent of these devices are unprotected and are smart enough to be duped and manipulated," he said. Eradicating unwanted activity poses specific challenges in the healthcare industry, too.
"How do you maintain the Hippocratic Oath as a head of IT? Do no harm," Lea asked.
An active probe into a device’s activities could accidentally shut it down, unacceptable for an infusion pump or other life-critical piece of equipment, for instance, he said. Instead, Lea recommends a passive approach: Monitoring a network’s traffic and the ports a cardiac monitor should be connecting to so that when suspicious activity is spotted a more targeted response can be applied."
The IoT is only beginning to gain its foothold in healthcare. There have been many major breaches both inside and outside the industry to forewarn of greater attacks and disruptions to come.
Still, both Parker and Lea are optimistic about the future for networked devices in healthcare. Parker noted that many healthcare organizations have proactively reached out and asked for help, aware of the vulnerabilities that came with the benefits of IoT.
"That’s the silver lining," he said.
Benjamin Harris is a Maine-based freelance writer and and former new media producer for HIMSS Media.