Securing the expanding universe of billions of Internet of Things devices is anything but straightforward. But in the healthcare sector, it presents unique threats to human safety and operational efficiency.
To date, there's been a dearth of data from hospitals and clinics about the effects of cybersecurity threats and attacks. Over the course of this year, hackers will escalate activity targeted at medical facility weaknesses, with the implication that patient deaths could result, according to Zingbox, a firm based in Mountain View, Calif., that develops IoT device security for the healthcare sector.
However, new information collected from 50 US facilities and tens of thousands of medical devices over 12 months offers those in healthcare a snapshot of where the vulnerabilities are, and how they could be minimized. This study is part of what Zingbox calls the first cybersecurity report for the sector.
The study has some surprising results.
"This [data] gives us a wide-scale view of connected healthcare devices and enables us to pinpoint not just where the vulnerabilities are, but what's triggering the issues," Xu Zou, CEO and co-founder of Zingbox, told Security Now. "Many organizations don't have a clear picture of their networks, or even what devices are connected [across them]."
It turns out that user behavior is the biggest problem. About 40% of security issues noted in the report were created by medical staff using embedded browsers on workstations to access the Internet, conduct online chat or download content. A further 33% of risks on connected medical devices were accounted for by outdated operating systems or software, obsolete applications or unpatched firmware.
Facilities have clearly fallen down here, when policy enforcement and network restriction could cut the number of rogue applications and risky browser usage that inadvertently place patient lives at risk. Any threat that impairs operational wellbeing -- such as a ransomware or distributed denial of service (DDoS) attack -- also reduces the ability to care for patients effectively.
Devices that threaten safety
Any medical device connected to the network poses a threat. These include infusions pumps, imaging systems, patient monitors, ECG machines, nurse call and patient tracking systems. Interestingly, although infusion pumps are the most widely deployed medical device -- and are directly connected to patients -- they are the least susceptible to security threats.
"[We] point out that while infusion pumps make up nearly 50% of connected devices in hospitals, they don't represent the largest attack surface," said Zou. "Security issues relating to pumps were only at 2%, however, attention to protecting these devices should still be a priority since a successful attack on a single pump could result in disabling the bulk of all infusion pumps through lateral movement and infection."
Imaging systems ranked number one in the report as the source of 51% of all security issues. That's partly a product of the sheer variety of imaging systems in place. These range from X-ray, ultrasound and MRI machines, to digital imaging and communications workstations, and picture archiving and communications servers.
It's also a product of the number network applications that run on imaging systems. These devices average about seven network applications per device, more than any other, and three of the applications are specifically for communicating outside of the organization. Other devices are primarily designed for intra-organizational communication, and so they present a reduced threat.
Also, imaging systems are often built on commercial-off-the-shelf (COTS) OS, are expected to have a long lifespan, are expensive to replace and according to the report, often outlive support agreements with vendors.
Almost nine out of ten hospitals surveyed have less than 20 VLANs to successfully segment and isolate medical devices against lateral movement from an attack. Zingbox views this as too few for almost any size of facility to be of practical cybersecurity benefit. For organizations without the visibility into their connected devices, all they have is a collection of IP addresses without any context.
Organizations looking to VLAN segmentation for protection also need to bear in mind that only about 25% of the devices on healthcare networks are medical. Almost 45% of devices are PCs, with multiple other devices comprising printers, scanners, IP phones, smartphones and surveillance cameras. This is itself is a big weakness since a PC can be attacked and then laterally moved to medical devices.
"Understanding how [attacks] enter our networks is critical to protecting patient data and safety," said Zou. "As we continue to gather more knowledge, we can better arm our staff and networks to prevent these dangerous events."
— Simon Marshall, Technology Journalist, special to Security Now