While the average cost of a healthcare data breach surpassed $9 million in 2021, the cost of a widespread cyber-physical attack on the healthcare industry has yet to be determined. Amid international cyber conflict and a broad spectrum of threat actors, the U.S. government is beginning to shine new light on a growing problem.
Despite the rise of ransomware, many stakeholders across the industry remain in the dark when it comes to understanding the cyber-physical risks associated with operational medical technology, the internet of medical things (IoMT), and digital components of operations and facilities management.
From business records to patient data and diagnostics, scheduling, treatment, prescriptions, payments, facilities and more, medical care has been digitized. One theme cuts across the cyber threat landscape of medical technologies, devices, hospitals, and public health facilities: confusion.
Often introduced without alignment to security policy, the push to roll many connected endpoints into a “single pane of glass” trades ease of deployment for technologies that are difficult to secure. Much like a house of mirrors, responsibility for understanding and mitigating cyber risk in healthcare is hard to pin down and often depends on who you ask, especially for non-enterprise systems and devices.
IoMT is a two-way mirror: it offers attackers a window into med-tech and healthcare networks and activities. Hardcoded passwords and credentials are targeted, manufacturer-supplied user interfaces are hijacked, change management processes are circumvented, and widely shared vulnerabilities continue to affect thousands of devices around the world.
Operational medical technology, IoMT technologies, and facility systems encompass a wide range of machines and configurations, including diagnostic and patient monitoring machines such as anesthesia machines and bedside monitors, medical imaging equipment, insulin pumps, fluid pumps, ventilators, and a growing list of sensors, cameras, wearable devices, and analytics that enable or report the status of equipment, processes, and operations.
Cybersecurity concerns for healthcare are multifaceted, including vulnerable technologies designed without security in mind, internet-connected devices used directly in patient care, and smart buildings and automated facilities technology.
As the FDA notes, “Failure to maintain cybersecurity throughout the medical device’s product life cycle can result in compromised functionality, loss of medical or personal data, inadequate data integrity, or the spreading of security threats to other connected devices or networks … to result in patient harm such as illness, injury, or death as a result of delayed treatment or other impacts to medical device availability and functionality.”
Legacy medical technology
Legacy technologies in healthcare are ubiquitous, expensive to replace, and susceptible to well-known attack tactics and a growing list of publicly disclosed Common Vulnerabilities and Exposures (CVEs). Many run on outdated, end-of-life operating systems such as Windows XP and Windows 7 and have limited mechanisms for applying critical patches and updates across widely distributed, unmanaged deployments. Limited resources and staffing make it impractical to track, secure, and continuously harden every component of legacy medical technology in use today.
At a high level, manufacturers are responsible for product security, lifecycle maintenance, vulnerability disclosure, and creating and disseminating available patches and upgrades to continually secure devices and technologies they produce.
End users, meanwhile, are responsible for tracking and addressing discovered vulnerabilities, enabling security features, securing data in transit and at rest, and deploying solutions to monitor the technologies and networks operating in their organization. At the same time, most teams and locations are not prepared to fall back to manual operations for any extended period.
Internet of medical things (IoMT)
According to the Food and Drug Administration, the U.S. regulates nearly 200,000 medical devices manufactured by over 18,000 companies globally. Smart, connected medical devices encompass both user interfaces (for patients and health care providers) and machine-to-machine communication over network connectivity.
These devices, often internet-connected, carry risks of unauthorized access, hijacking of login interfaces to bypass password authentication, distributed denial of service (DDoS) attacks, and limited protection for sensitive patient information.
The most common attack surface for IoMT devices is default credentials exposed over SSH. When a device is targeted, the attacker, typically another infected IoT device, tries on average about forty passwords against a handful of usernames. Other common attack surfaces include UPnP, HTTPS management interfaces, and the software stacks underneath them, such as bundled Java packages and vendor-modified source code.
These devices tend to remain unpatched long after a fix has been released: most IoT devices are headless (they have no local user interface), and they are not set up for automatic updates unless the user has accepted a risk statement in the end-user license agreement.
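The SSH credential-guessing pattern described above (one source cycling tens of passwords through a handful of usernames, often from another compromised device) is easy to spot in authentication logs once the burst is measured per source rather than per line. The following Python script is an added example, not code from the original article or from any vendor: it parses OpenSSH "Failed password" lines in the classic syslog format, groups failures by source address, and raises an alert when a sliding window contains at least twenty failures spread across three or more usernames. The log lines, host name, addresses and thresholds are constructed for illustration.

```python
"""Flag SSH credential-guessing bursts in OpenSSH auth log lines.

Added example: detects one source trying tens of passwords against a
handful of usernames, using syslog-style "Failed password" records.
The log lines at the bottom are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH failure line in a syslog-style auth.log. Assumption: the classic
# "Mon DD HH:MM:SS host sshd[pid]: ..." prefix, which carries no year.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failures(lines, year=2021):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]


def find_bruteforce(lines, window_seconds=300, min_attempts=20, min_users=3):
    """Return {source_ip: details} for sources whose failures inside some
    sliding window of window_seconds reach min_attempts attempts spread
    over at least min_users distinct usernames."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(lines):
        by_src[src].append((ts, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Advance the window start until the window fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_attempts and len(users) >= min_users:
                if best is None or len(window) > best["attempts"]:
                    best = {"attempts": len(window), "users": sorted(users),
                            "first": events[start][0], "last": events[end][0]}
        if best:
            alerts[src] = best
    return alerts


# Constructed sample log: one legitimate user who mistypes once, then an
# infected peer device cycling 40 passwords over root/admin/support in ~2 min.
SAMPLE_LOG = [
    "Mar 3 02:14:01 imaging-gw sshd[4121]: Failed password for nurse1 from 10.20.1.5 port 50211 ssh2",
    "Mar 3 02:14:09 imaging-gw sshd[4121]: Accepted password for nurse1 from 10.20.1.5 port 50211 ssh2",
]
_GUESSED_USERS = ["root", "admin", "support"]
for i in range(40):
    user = _GUESSED_USERS[i % 3]
    prefix = "" if user == "root" else "invalid user "
    minute, second = divmod(i * 3, 60)  # one attempt every three seconds
    SAMPLE_LOG.append(
        f"Mar 3 03:{10 + minute:02d}:{second:02d} imaging-gw sshd[{4200 + i}]: "
        f"Failed password for {prefix}{user} from 10.13.7.22 port {51000 + i} ssh2"
    )

if __name__ == "__main__":
    for src, a in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {a['attempts']} failures, users={a['users']}, "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
```

The single failure from the nurse's workstation never trips the rule, while the peer device does within two minutes. On a headless device the same logic would run on a collector that receives the device's syslog, since the device itself usually offers nowhere to look; the thresholds are a starting point and should be tuned against the site's own failure rate.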
Smart, connected facilities
Medical and health operations and facilities continue to digitize non-IT control systems: fire alarm and suppression, electrical and lighting systems, metering systems, vehicle charging stations, and key and door access controls. When these controls are centralized, organizations often deploy a building automation system (BAS) to connect and automate control of these diverse functions. Security flaws in a BAS can be exploited to obtain credentials, reach networks and VPNs, and access sensitive data.
In a recent smart building engagement, we found 361 unsecured protocols in use, 259 open device vulnerabilities, and 37 cleartext (unencrypted) passwords.
Once threat actors control one or more devices, they can pivot to broader attacks, limited mainly by how interconnected the environment is.
Cybersecurity for operations and facilities is arguably most important in the hospital setting, where vulnerable populations gather and the safe movement of resources, equipment, and personnel is essential. Remote and privately run operations may struggle to find and retain cybersecurity staff.
Major companies and providers struggle to manage massive campuses, some the equivalent of small cities, serving millions of patients each year and employing tens of thousands of people. Circumventing building, utility, and security control systems can have major impacts on patient care and on both patient and provider safety. Given its prioritization by the U.S. National Cyber Director, early adopters of holistic security practices must chart the course.
A way forward
Even if legacy med-tech, IoMT devices, and facilities technology are not the intended target of a cyber incident, cascading impacts can render them unusable, delaying treatment and potentially harming both patients and providers. When enterprise IT systems fail, they can usually be isolated from the rest of the network and restored. When operational systems fail, the consequences can be physical: property damage and casualties.
This way of operating often produces a disconnect between risk management frameworks and incident reporting, and security incidents continue to happen in the gap between them. It raises the question: do IT and facilities teams know what else is connected to their communications networks, and how exploitable those legacy systems, IoMT devices, networks, and control systems are?
Given their outsized reliance on technology and the burden of manual fallback operations, hospitals and healthcare providers are working to reduce cybersecurity risk, keep up with quickly changing regulatory requirements, and gain visibility into the connectivity, traffic, and anomalies in their network behavior.
With risks at this scale, transparency is key. A cybersecurity solution purpose-built for operational technology and IoMT can:
- Capture and visualize a landscape of tens or hundreds of thousands of connected systems and endpoints
- Monitor and audit network traffic in real time, including non-IT systems
- Baseline an organization’s cybersecurity posture and track it continuously
- Provide actionable intelligence to address the most critical issues
- Limit third-party access and alert on changes to network behavior or variables
- Strengthen an organization’s security policy without gaps or shadow connectivity
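The smart-building findings above (unsecured protocols and cleartext passwords) and several of the capabilities in this list (baselining, limiting third-party access, alerting on changed network behavior) come down to the same passive analysis of network flows. The following Python script is an added example, not code from the original article or from any vendor product: it learns a baseline of (source, destination, port) triples from constructed flow records loosely modeled on a Zeek conn.log with an extra payload-excerpt column, then flags insecure protocols by destination port, decodes cleartext credentials from HTTP Basic headers and FTP USER/PASS exchanges, and reports connections absent from the baseline, classifying sources outside an assumed 10.50.0.0/16 facilities range as third-party access. The record format, addresses, port table and payload excerpts are assumptions made for illustration.

```python
"""Passive inventory and baseline comparison for a building-automation segment.

Added example. The flow records are constructed, loosely modeled on a Zeek
conn.log with an extra payload-excerpt column; field layout and the internal
address range are assumptions for illustration.
"""
import base64
import binascii
import ipaddress
import re
from collections import Counter

# Assumption: address space of the facilities/BAS segment. Any other source
# that reaches a BAS device is treated as third-party access.
INTERNAL_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Well-known ports whose protocols carry credentials or control commands
# without encryption or authentication (standard IANA assignments).
INSECURE_PORTS = {
    21: "FTP", 23: "Telnet", 80: "HTTP", 161: "SNMPv1/v2c",
    502: "Modbus/TCP", 47808: "BACnet/IP",
}

BASIC_RE = re.compile(r"Authorization: Basic ([A-Za-z0-9+/=]+)")
FTP_RE = re.compile(r"USER\s+([^\s|]+).*?PASS\s+([^\s|]+)")


def parse_conn(line):
    """Parse 'ts<TAB>orig_h<TAB>resp_h<TAB>resp_p<TAB>proto<TAB>payload'."""
    ts, src, dst, dport, proto, payload = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "payload": payload}


def cleartext_credential(payload):
    """Return (user, password) if the excerpt carries an HTTP Basic header
    or an FTP USER/PASS exchange ('|' separates lines), else None."""
    m = BASIC_RE.search(payload)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            return user, pw
        except (binascii.Error, UnicodeDecodeError):
            return None
    m = FTP_RE.search(payload)
    return (m.group(1), m.group(2)) if m else None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def baseline(lines):
    """Set of (src, dst, dport) triples seen during the learning window."""
    return {(r["src"], r["dst"], r["dport"]) for r in map(parse_conn, lines)}


def assess(lines, known):
    """Return findings as (kind, src, dst, detail) tuples, one per issue."""
    findings = []
    for r in map(parse_conn, lines):
        name = INSECURE_PORTS.get(r["dport"])
        if name:
            findings.append(("insecure_protocol", r["src"], r["dst"], name))
        cred = cleartext_credential(r["payload"])
        if cred:
            findings.append(("cleartext_credential", r["src"], r["dst"], cred[0]))
        if (r["src"], r["dst"], r["dport"]) not in known:
            kind = "new_connection" if is_internal(r["src"]) else "third_party_access"
            findings.append((kind, r["src"], r["dst"], r["dport"]))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return Counter(kind for kind, *_ in findings)


# Constructed learning window: the BMS head-end (10.50.0.10) polling controllers.
BASELINE = [
    "1.0\t10.50.0.10\t10.50.0.21\t47808\tudp\t",
    "2.0\t10.50.0.10\t10.50.0.22\t502\ttcp\t",
    "3.0\t10.50.0.10\t10.50.0.30\t443\ttcp\t",
    "4.0\t10.50.0.10\t10.50.0.23\t80\ttcp\tGET /login HTTP/1.1|Authorization: Basic YWRtaW46YWRtaW4=",
]
# Constructed later window: the same polling, plus an external host reaching a
# BACnet controller and an unknown internal host logging into a PLC over FTP.
OBSERVED = BASELINE + [
    "5.0\t203.0.113.45\t10.50.0.21\t47808\tudp\t",
    "6.0\t10.50.0.99\t10.50.0.22\t21\ttcp\tUSER svc|PASS changeme",
]

if __name__ == "__main__":
    findings = assess(OBSERVED, baseline(BASELINE))
    for f in findings:
        print(f)
    print(summarize(findings))
```

Note that the head-end's own Basic-auth login to the controller on port 80 is flagged even though it was present in the baseline: a baseline tells you what is normal, not what is safe, so protocol and credential checks run on every flow while the baseline comparison only governs the "new connection" and "third-party access" findings.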