While the average cost of a data breach exceeded $9 million in 2021, the cost of a widespread cyber-physical attack on the healthcare industry has never been calculated and remains unanticipated. Against a backdrop of international cyber conflict and a spectrum of threats, the US government is beginning to shine new light on a growing problem.
Despite the rise of ransomware, many industry stakeholders remain in the dark when it comes to understanding the cyber-physical risks associated with operational medical technology, the Internet of Medical Things (IoMT), and the digital components of facility operations and management.
From business records to patient data and diagnostics, planning, treatment, prescriptions, payments, facilities and more, medical care is digitized. One theme cuts across the cyber threat landscape of medical technology, devices, hospitals and public health facilities: confusion.
Often introduced without alignment to security policy, the drive to unify many connected endpoints into a “single pane of glass” results in technologies that are easy to deploy but difficult to defend. Like a house of mirrors, the responsibility for understanding and mitigating cyber risk in healthcare is hard to pin down and often depends on who you ask, especially when it comes to non-corporate systems and devices.
The IoMT is a two-way mirror offering a window to target networks and activities in the field of medical technology and healthcare. Hard-coded passwords and credentials are targeted, manufacturers’ user interfaces are hijacked, change management processes are bypassed, and widespread vulnerabilities continue to affect thousands of devices worldwide.
Operational medical technology, IoMT technologies and facility systems cover a wide range of machines and configurations, including diagnostic and patient monitoring machines such as anesthesia machines and night monitors, medical imaging equipment, insulin pumps, fluid pumps, ventilators and a growing list from sensors, cameras, wearables and analytics that enable or report the status of equipment, processes and operations.
Healthcare cybersecurity concerns are multifaceted, including vulnerable technologies designed without security in mind, Internet-connected devices used directly in patient care, and technologies for smart buildings and automated facilities.
As the FDA notes: “Failure to maintain cybersecurity throughout the product lifecycle of a medical device can result in compromised functionality, loss of medical or personal data, inadequate data integrity, or propagation of security threats to other connected devices or networks … resulting in harm to the patient, such as illness, injury or death as a result of delayed treatment or other effects on the availability and functionality of the medical device.”
Legacy medical technology
Legacy healthcare technology is ubiquitous, expensive to replace, and vulnerable to exploitation by well-known cyberattack tactics and a growing list of publicly disclosed common vulnerabilities and exposures (CVEs). Many run on legacy software such as Windows XP and Windows 7 and have limited mechanisms for applying critical fixes and updates to widespread and unmanaged deployments. Resources and manpower limit the ability to track, secure, and continuously strengthen every single component of the legacy medical technology in use today.
At a high level, manufacturers are responsible for product security, lifecycle support, vulnerability disclosure, and the creation and distribution of available patches and upgrades to continuously secure the devices and technologies they manufacture.
At the same time, end users are responsible for tracking and addressing discovered vulnerabilities, enabling security features, securing data in transit and at rest, and implementing solutions to monitor the technologies and networks operating in their organization. Meanwhile, most teams and locations are not prepared to fall back to manual operations for an extended period of time.
Internet of Medical Things (IoMT)
The US Food and Drug Administration reports that it regulates almost 200,000 medical devices produced by over 18,000 companies worldwide. Smart, connected medical devices encompass both user interfaces (for patients and healthcare providers) and machine-to-machine communications via network connectivity.
These devices, often Internet-capable, pose risks related to unauthorized access, hijacking of login interfaces to bypass password authentication, distributed denial-of-service (DDoS) attacks, and limited protections for sensitive patient information.
The main attack surface for IoMT devices is default credentials over SSH. When a system is targeted, the attacker, usually another infected IoT device, will try an average of forty passwords against a handful of usernames. Other common attack surfaces on these devices include UPnP, HTTPS and their underlying Java packages, and various source code modifications.
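The password-guessing pattern described above (a small set of usernames, a few dozen passwords, typically from another compromised device) leaves a distinctive trail in the SSH daemon's authentication log. The following detector is an added example written for this article, not code from the page or any product: it parses constructed syslog-style sshd lines, counts failed logins per source address inside a sliding window, and raises a higher-severity finding if a source that was flagged for guessing later succeeds. The sample log lines, the hostname `pump-gw`, the addresses, and the year assumed for timestamp parsing are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd line. Syslog omits the year, so one is assumed below.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)
ASSUMED_YEAR = 2024  # assumption: syslog timestamps carry no year

# Constructed sample log (not from any real device): twelve failures in twelve
# seconds from one address cycling three usernames, then a successful login
# from that address; a second address with one typo and a normal login.
_GUESSED_USERS = ["root", "admin", "service"]
SAMPLE_LOG = [
    f"Mar 10 08:00:{i:02d} pump-gw sshd[1201]: Failed password for "
    f"{_GUESSED_USERS[i % 3]} from 10.20.30.40 port {51100 + i} ssh2"
    for i in range(12)
] + [
    "Mar 10 08:00:20 pump-gw sshd[1230]: Accepted password for admin from 10.20.30.40 port 51200 ssh2",
    "Mar 10 08:05:00 pump-gw sshd[1300]: Failed password for nurse1 from 10.20.30.50 port 40000 ssh2",
    "Mar 10 08:05:05 pump-gw sshd[1300]: Accepted password for nurse1 from 10.20.30.50 port 40000 ssh2",
]


def parse_line(line):
    """Return a dict (ts, result, user, src) for a password auth line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window_s=60, threshold=10):
    """Return alerts in log order.

    A 'medium' alert is raised once per source address that accumulates
    `threshold` failed password logins within `window_s` seconds. A 'high'
    alert is raised when a flagged source later gets an Accepted login,
    i.e. the guessing likely succeeded.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        # Slide the window: discard failures older than window_s seconds.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append((ts, ev["user"]))
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "severity": "medium", "src": src, "failures": len(q),
                    "usernames": sorted({u for _, u in q}), "at": ts.isoformat(),
                })
        elif src in flagged:
            alerts.append({
                "severity": "high", "src": src, "user": ev["user"],
                "at": ts.isoformat(),
                "reason": "successful login after password guessing",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The window and threshold are deliberately parameters: a headless device that is polled by a management system may legitimately produce a few failures after a credential rotation, so the threshold should be tuned against a baseline of the fleet's normal authentication traffic rather than set globally. The 'high' finding is the one worth paging on, since it indicates a default or weak credential was actually accepted.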
These systems and their variants tend to remain unpatched long after a patch is released, because most IoT devices are headless (they have no user interface) and are not set up for automated updates unless the user accepts a risk-based statement in the end-user license agreement.
Smart, connected gear
Medical and healthcare operations and facilities continue to digitize non-IT control system components – fire alarm and suppression systems, electrical and lighting systems, metering systems, vehicle charging stations, and key access controls. When controls are centralized, companies often deploy building automation solutions (BAS) to connect and automate the management of these diverse functions. BAS security vulnerabilities can be targeted to gain access to credentials, networks and VPNs, and sensitive data.
In a recent smart building engagement, we found 361 unprotected protocols in use, 259 device vulnerabilities, and 37 cleartext (unencrypted) passwords in use.
After taking control of one or many devices, threat actors can coordinate more widespread attacks, depending on how widely those devices are connected.
Cybersecurity for operations and facilities is perhaps most important in the hospital setting where critical populations are congregated and the safe movement of resources, equipment and personnel is essential. Remote and privatized operations may struggle to find and retain cybersecurity resources.
Large companies and providers struggle to manage massive campuses, some the equivalent of small cities, serving millions of patients each year and employing tens of thousands of people. Bypassing building control, utility, and security systems can have major impacts on patient care and the safety of both patients and providers. Given its prioritization by the US National Cyber Director, early adopters of holistic security practices should chart the course.
Even when legacy medical technologies, IoMT devices, and facility technologies are not the intended target of a cyber incident, the cascading impacts can render them unusable, leading to delayed treatment and potential harm to both patients and providers. When enterprise IT systems fail, they are often isolated from the rest of the network. When operational systems fail, the impacts can include property damage and casualties.
This often leads to a divide between risk management frameworks and incident reporting; in between, security incidents keep happening. This scenario raises the question: do IT and facilities teams know what else is connected to their communications networks, and how these legacy systems, IoMT devices, networks and control systems could be used?
Given the over-reliance on technology and the burden of manual fallback operations, hospitals and healthcare providers are working to reduce cybersecurity risk, ensure compliance with rapidly changing regulatory requirements, and gain visibility into connectivity, traffic and behavioral anomalies on their networks.
With the scale of the potential risks, transparency is key. A cybersecurity solution tailored for operational technology and IoMT can:
- Capture and visualize a landscape of tens or hundreds of thousands of connected systems and endpoints
- Monitor and inspect network traffic in real-time to cover non-IT systems
- Provide a baseline and ongoing understanding of the organization’s cybersecurity posture
- Provide actionable information to address the most critical issues
- Restrict third-party access and alert about changes in network behavior or variables
- Strengthen your organization’s security policy without gaps or shadow connectivity
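The list above (baseline, real-time inspection of non-IT traffic, alerts on changed network behavior, restricted third-party access) and the smart building findings earlier in the article (cleartext protocols and passwords in use) come together in a single, small piece of logic. The following is an added example written for this article, not code from the page or from any vendor's product: it learns a baseline of (source, destination, port) flows from a learning window, then reports three kinds of findings over a later monitoring window. Every flow record, address, port-to-protocol mapping, the assumed vendor VPN range `10.99.0.0/16`, and the approved third-party destination are constructed for the example; a real deployment would take these from its own asset inventory and flow export rather than from this code.

```python
from ipaddress import ip_address, ip_network

# --- Assumptions for this example (not from the page or any product) -------
# Destination ports treated as cleartext protocols. Classifying by port is a
# simplification; a real sensor dissects the protocol on the wire.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http",
                   502: "modbus/tcp", 47808: "bacnet/ip"}
# Address range assumed to be the vendor / third-party remote-access pool.
THIRD_PARTY_NET = ip_network("10.99.0.0/16")
# (destination, port) pairs a third party is approved to reach.
THIRD_PARTY_ALLOWED = {("10.10.5.20", 443)}

# Constructed flow records (src, dst, dst_port) standing in for NetFlow/IPFIX
# export or SPAN-port observations. Learning window:
BASELINE_FLOWS = [
    ("10.10.5.11", "10.10.5.20", 443),    # BAS controller -> BAS server (TLS)
    ("10.10.5.12", "10.10.5.20", 443),
    ("10.10.5.20", "10.10.5.11", 47808),  # BAS server polls controller, BACnet/IP
    ("10.10.7.30", "10.10.7.40", 8443),   # pump gateway -> integration engine
    ("10.99.3.4", "10.10.5.20", 443),     # vendor VPN -> BAS server (approved)
]
# Later monitoring window:
OBSERVED_FLOWS = [
    ("10.10.5.11", "10.10.5.20", 443),
    ("10.10.5.20", "10.10.5.11", 47808),
    ("10.10.7.30", "10.10.7.40", 8443),
    ("10.10.7.30", "10.10.9.9", 23),      # pump gateway opens telnet to unknown host
    ("10.99.3.4", "10.10.7.30", 22),      # vendor address reaches the pump gateway
    ("10.99.3.4", "10.10.5.20", 443),
    ("10.10.7.30", "10.10.9.9", 23),      # duplicate record of the telnet flow
]


def build_baseline(flows):
    """Set of (src, dst, port) triples seen during the learning window."""
    return set(flows)


def analyze(baseline, flows, third_party_net=THIRD_PARTY_NET,
            allowed=THIRD_PARTY_ALLOWED):
    """Return deduplicated findings: flows outside the baseline, flows on
    cleartext protocols, and third-party access beyond the approved pairs."""
    findings = []
    seen = set()

    def add(kind, src, dst, port, **extra):
        key = (kind, src, dst, port)
        if key not in seen:
            seen.add(key)
            findings.append({"type": kind, "src": src, "dst": dst,
                             "port": port, **extra})

    for src, dst, port in flows:
        # Behavioral change: a conversation never seen during learning.
        if (src, dst, port) not in baseline:
            add("new_flow", src, dst, port)
        # Posture issue: still reported even when it was in the baseline,
        # because a baseline describes what is normal, not what is safe.
        if port in CLEARTEXT_PORTS:
            add("cleartext_protocol", src, dst, port,
                protocol=CLEARTEXT_PORTS[port])
        # Third-party access outside the approved destination/port pairs.
        if ip_address(src) in third_party_net and (dst, port) not in allowed:
            add("unapproved_third_party_access", src, dst, port)
    return findings


def summarize(findings):
    """Count findings per type: the posture view a dashboard would show."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    found = analyze(base, OBSERVED_FLOWS)
    for f in found:
        print(f)
    print(summarize(found))
```

Two design choices matter here. A baseline is learned from observed traffic, so anything that was already wrong during the learning window (the BACnet/IP polling in cleartext) is "normal" to the baseline; that is why cleartext protocols are reported independently of whether the flow is new. And third-party access is judged against an explicit allow-list of destination and port rather than against the baseline, so a vendor address reaching a new device is flagged even if that address was seen before.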