Securing medical devices and the broader healthcare IoT environment of OT systems, labs, robots, and critical building management systems like elevators, HVAC, electrical distribution, and water management.
Internet of things (IoT) systems are growing at a prolific rate and already far outnumber traditional IT systems like laptops, workstations, and servers. According to Cisco, the number of IoT devices surpassed the human population in 2008, and by 2030 there are expected to be 500 billion devices. CIO magazine claims that by next year, there will be 6 connected devices for every person on the planet.
The trouble is, IoT devices have little to no built-in security and are highly vulnerable to cyber-attack.
IoT devices control nearly every aspect of our modern connected lives. In hospitals they are used for everything from patient diagnosis, treatment, and monitoring, to operational technologies that run labs and issue drugs, to clinical appliances that automate surgeries, and to critical building management systems that control HVAC, elevators, power, and water, etc. If one or more of these critical systems break, patient lives could be placed in danger – just as patients were in New Orleans when the dams burst under Hurricane Katrina and all the electricity went out.
Healthcare IoT (HIoT) poses one of the most significant patient safety risks, and if compromised could kill thousands of patients – either maliciously via extortion attacks or simply by not being available when needed.
HIoT systems can often be used as a foothold and as an attack agent against traditional health IT systems because they share the same network. A number of businesses have already been hacked or held hostage to a DDOS attack executed from their own cheap IP CCTV security cameras, and the wireless networks of several hospitals have been taken out because a compromised IoT device was causing a broadcast storm against wireless access points.
So why don’t hospitals secure all of these devices? Good question! The trouble is that a large hospital system has hundreds of thousands of HIoT devices from thousands of different vendors, and most need to be patched manually (if a security patch even exists) – so you can’t simply force a Windows Update across the entire network and suddenly bring your 350,000 medical devices all into security compliance.
So how can hospitals secure their HIoT systems to prevent them from being hacked?
There are two main areas of focus to securing medical devices and the wider HIoT space. Securing the devices themselves and securing the broader environment.
Obviously, designing good security to HIoT devices in the first place makes the most sense, and FDA has finally made this a requirement for medical device manufacturers – though it will take decades for more secure devices to replace the proliferation of insecure ones currently used across the industry. It also doesn’t address other IoT devices employed in hospitals for operational technology (OT) and critical building management services (BMS) like elevators and HVAC – most of which are also connected to the network.
The first option for securing existing devices is to force vendors to better patch and maintain their equipment via proper third-party supplier contracts and vendor risk management policies that enforce timely patch availability and implementation following announcement of a CVE in an application or its underlying operating system. Most device vendors are slow, however, to create and release patches, and some are outright negligent which has led to some rather unorthodox ways to make vendors change their evil ways. If you don't already know the story of Muddy Waters Capital Management and St. Jude Medical and the resulting FDA recall, then you might want to read my article published during that time in Healthcare IT News:
or the background to the case in its Australian publication Healthcare IT News Australia:
Like the Yahoo breach which occurred just as Yahoo was about to be purchased by Verizon, St. Jude Medical was in the process of being taken over by Abbott Labs when this all broke, reducing the value of Abbott's $25 billion purchase price.
The trouble with forcing vendors to patch their systems is that many will simply say that devices are end-of-life after a random period of time, and they tell hospitals and clinics to purchase their latest model that is currently supported. This is tough for hospitals which typically run their equipment until it no longer works, and write off large capital purchases over a 10 to 20 year depreciation schedule. Most medical devices are very simple electro-mechanical systems designed to work almost forever – and many do thanks to their simple highly available design. For most, however, that simple resilient design lacks basic security protections.
The other issue with securing medical devices is that many vendors are now using cheap off the shelf (COTS) operating systems like Windows Embedded, rather than building their devices using custom Linux or BSD kernels which are more timely and expensive to write (but much more secure). Even more concerning is that developers of the software stack placed on these new devices are lazy and are not removing unneeded capabilities that come bundled with the embedded COTs software. What we need is the adoption of a ‘Zero-Trust’ model across all IoT devices to minimize their attack surface and danger to the rest of the network.
Medical devices take roughly 5 to 6 years of testing before they receive FDA / TGA approval to go to market. That means that the technology of that brand-new device is already out of date on the first day of its public availability, and if its running Windows CE or Embedded then it likely already has thousands of known vulnerabilities and readily available exploits for hackers to use against it.
With tens of thousands of HIoT vendors, it’s an impossible task for providers to patch, update, and secure these simple devices. In other words, as a CISO you are never going to get in front of it – even if you have the resources of the Mayo Clinic!
The second option is to secure the environment via compensating security controls like network segmentation, white-listing, or Zero-Trust. This is how most providers are approaching the remediation of these risks today. However, this approach is complex, expensive, and requires a high level of networking maturity as well as modern switches that support the desired technology. Cisco, CheckPoint, Fortinet, ForeScout, and Palo Alto Networks all have capabilities in the space, but Cisco is probably the furthest along with its micro-segmentation technologies currently.
The hardest part is defining the white listed rules of what ports, protocols, and destination IPs each device requires for normal legitimate communication, and then blocking everything else. This prevents open ports like TCP 69 (TFTP), 23 (Telnet), etc. from being used to attack the device and as well as blocking communications with Internet IP addresses outside of the medical facility.
Cylera https://www.cylera.com/ has come up with a way to auto-generate device profiles for every endpoint type using AI and ML, thus removing a significant barrier to entry for many hospitals wanting to run Cisco ISE / TrustSec or other segmentation technologies. Cylera’s MedCommand also performs a full NIST 800-30 risk analysis of devices so that critical and high risks can be remediated as soon as possible, while under the immediate protection of network segmentation. It does so by creating a virtual digital twin so that active scanning and penetration testing can take place of the VM without endangering patients, actual medical devices, or other critical HIoT systems.
For medical devices that create, process, or transmit ePHI, it is a requirement of the HIPAA Security Rule to perform periodic risk analysis of these devices - one often missed by HIPAA Covered Entities during their annual risk analysis.
The big issue for covered entities is that you cannot risk analyze assets that you don’t know about, and most manual spreadsheets of medical devices are nearly always hopelessly wrong or out of date, as are enterprise asset management systems designed for IT endpoints. Cylera MedCommand not only provides you with a fully comprehensive asset inventory of all devices on your network, but will also perform an OCR-level risk analysis for you without you having to lift a finger. What’s more, MedCommand continues to identify new assets as they join the network, and automatically performs system anomaly detection with threat contextualization – so that when one goes wild and shows potential indicators of known (or unknown) compromise, you can quickly isolate and remediate issues with the device with ease.
With a seemingly ever-growing need for interoperability across the healthcare industry – and an almost exponential growth of HIoT – isolation of devices behind firewalls is not a scalable or maintainable option. Thus, the problem of securing HIoT endpoints is not going away anytime soon and poses one of the most significant patient safety risks across the industry.
To learn more about Cylera MedCommand and how it can be used to risk analyze, manage, and remediate your entire healthcare network, please contact us for a no-obligation web-based overview and demonstration.