First, it goes without saying that hospitals and frontline workers should be applauded for doing their utmost to ensure staff and patient safety under extraordinary circumstances. Hospitals are under unprecedented stress — and, sadly, it appears that the pandemic will get worse before it gets better. The vaccines are a light at the end of the tunnel, but until they have been widely distributed, hospitals will remain over-extended, making them even more vulnerable to cyberattacks. Malicious actors see this health crisis as an opportunity — calculating that when thousands of people are dying every day during the pandemic, hospitals will have no choice but to give in to their demands. Many hospitals are ill-equipped to cope with these reprehensible, immoral actors.
One thing that makes hospitals more vulnerable today than in the past is the extraordinary increase in connected medical devices (often known as IoMT or the “Internet of Medical Things”). Network-connected medical devices make healthcare more efficient and enable better patient care. They range from simple blood pressure devices and infusion pumps to more complex machines such as MRIs, CT scanners, and ultrasounds. The obvious problem is that these network connections also make these devices vulnerable to attack.
In a worst-case scenario, researchers at St. Jude Medical found that implantable cardiac devices had vulnerabilities that could allow hackers to remotely access devices such as pacemakers and defibrillators, putting patients directly at risk. More often, attacks on devices are motivated by money: they focus on stealing patient data or disrupting operations in order to extort hospitals. This, too, puts patients at risk. One ransomware attack postponed an emergency operation at a German hospital. Investigators ultimately determined that the patient likely would not have survived due to the severity of her health, but also acknowledged that it is only a matter of time before tragedy strikes due to a cyberattack.
Why are medical devices an especially interesting target for malicious actors? First, they are critical to patient care — so disrupting their operation is intolerable to hospitals. In addition, many have old or proprietary operating systems that cannot be easily updated or patched without replacing the entire machine. Unlike PCs, these complex and expensive pieces of equipment are expected to run for 10 years or more on the hospital floor. All of this is exacerbated by the fragmented medical device ecosystem, with thousands of vendors with varied approaches to security. Add to this administrative challenges, fragmented procurement processes, stretched budgets, a lack of automation, and under-investment in cybersecurity, and… yes, the pandemic. Many hospitals today cannot accurately identify what is connected to their networks, let alone protect those devices.
In fact, Ordr recently conducted research on more than 5 million unmanaged, IoMT, and IoT devices deployed in customer environments and found some staggering results:
- 15-19% of medical devices were running on operating systems Windows 7 or older (XP, CE, ME, NT, 98, 97, or 95). This suggests that as many as 1 in 5 hospital devices are a decade or more behind the security curve.
- Facebook and YouTube applications were found running on MRI and CT machines. This may seem innocuous, but when healthcare staff use these devices to surf the internet or use unintended applications, the devices obviously become more vulnerable to attack.
- Ordr found vulnerable printers, servers, and vending machines, and parking lot gates on the same VLANs as critical medical devices. Threat actors can target any of these in order to gain complete access to neighboring medical devices and other critical assets on the hospital network.
The attack surface is huge. The average hospital uses thousands of network-connected devices — about 17 per hospital bed. Building systems, smart TVs, and security infrastructure like surveillance cameras are often even more exposed than medical devices – not to mention seemingly benign devices such as gaming machines and smart speakers like Amazon Echos and Google Homes that are connected by patients and staff. If permitted at all, these devices should be segregated on the guest network, far from critical medical equipment. Unfortunately, it’s all too easy for these consumer-grade devices to be connected to the ‘secure’ network — or for medical devices to inadvertently be connected to the guest network. When that happens, any device can be the ‘weak link’ that a malicious actor discovers and uses to penetrate the network and potentially to shut down entire facilities. So whenever patients or staff connect their own unsecured IoT devices to the same VLANs as hospital devices, the risk widens. In short: the points of entry into a healthcare facility’s network are growing exponentially. And it only takes one weak point of entry for catastrophe to strike.
Across all industries, unmanaged IoT devices are a significant part of the network ecosystem. But hospitals are in a particularly tough spot. Under the best of circumstances, securing connected medical devices requires the coordination and cooperation of multiple organizations – including Biomed/Healthcare Technology Management, Security, Networking, IT Operations, and more. Many of these organizations are significantly understaffed relative to their corporate peers. Add COVID-19 to this mix and you have the makings of a crisis, which is exactly when the malicious actors pounce. We’ve already seen attacks on healthcare organizations — not to mention supply chains for vaccines, personal protective equipment, and other critical systems.
Healthcare providers today need holistic solutions that bridge these often siloed organizations and automate tasks for over-worked departments.
While this all sounds alarming, fortunately, there are proven steps hospitals and other critical care entities can do to thwart attacks, protect their infrastructure, and keep their focus on patient care.
1. Know what connected devices are on your network: Continuous visibility into every unmanaged and IoT device that connects to a network is of paramount importance. You cannot protect what you can’t see — and an unknown device is likely your weakest point of entry.
2. Monitor and analyze behavior: With the proper tools, it is quite easy to map communications of all of your medical devices, as well as any other network-connected devices. Is that MRI using Facebook? Should it? Is a device “calling back” to a manufacturer based in another country or is it connecting to a server controlled by an adversary overseas?
3. Triage risk and generate policies to segregate at-risk devices: It’s impossible to take every device offline, especially those medical devices used for critical care. But if you have a clear understanding of the risk profile for a device, you can carefully monitor for any strange behaviors such as a rogue or infected device communicating to a bad domain. Hospital teams can work in concert across clinical engineering, facilities, and IT to generate appropriate segmentation policies for vulnerable and mission-critical devices, strictly controlling their behaviors.
2020 was an unprecedented year for hospitals, frontline workers, and vaccine developers. 2021 will present tremendous challenges. Ransomware and attacks on vulnerable devices will continue — but there is much that hospitals can do to protect these devices and decrease the likelihood that any incident disrupts their operations and interferes with patient care. Understanding device vulnerability, monitoring abnormal communications, and isolating and segmenting expensive or mission-critical devices on the network is a critical step forward in protecting hospitals from attacks.