While the average cost of a data breach exceeded $9 million in 2021, the cost of a widespread cyber-physical attack on the healthcare industry has yet to be calculated or even anticipated. Amid international cyber conflicts and a spectrum of threat actors, the US government is beginning to shed new light on a growing problem.
Even after the rise of ransomware, many industry stakeholders are still in the dark when it comes to understanding the cyber-physical risks associated with operational medical technology, the Internet of Medical Things (IoMT), and the digital components of operations and facility management.
From business records to patient records and diagnoses, scheduling, treatment, prescriptions, payments, facilities and more, healthcare has gone digital. One theme runs through the cyber threat landscape of medical technology, devices, hospitals and public health facilities: confusion.
Often introduced without aligned security policies, the pressure to bundle many connected endpoints into a “single pane of glass” favours technologies that are easy to deploy but difficult to secure. Much like a house of mirrors, responsibility for understanding and mitigating healthcare cyber risk is hard to pin down and often depends on who you ask, especially for non-proprietary systems and devices.
IoMT is a two-way mirror: it also provides a window through which med-tech and healthcare networks and activities can be targeted. Hard-coded passwords and credentials are being targeted, manufacturer user interfaces are being hijacked, change management processes are being bypassed, and widespread vulnerabilities continue to affect thousands of devices around the world.
Medical operative equipment, IoMT technologies and facility systems span a wide range of machines and configurations, including diagnostic and patient monitoring devices, such as anesthesia machines and bedside monitors, medical imaging devices, insulin pumps, fluid pumps, ventilators and a growing list of sensors, cameras, wearable devices and analytics, enabling or reporting the status of devices, processes and operations.
Concerns about cybersecurity in healthcare are multifaceted, including vulnerable technologies designed without security in mind, internet-connected devices used directly in patient care, and smart buildings and automated facility technology.
As the FDA states, “Failure to maintain cybersecurity throughout the medical device’s product lifecycle can result in compromised functionality, loss of medical or personal data, inadequate data integrity, or the spread of security threats to other connected devices or networks … patient harm, such as illness, injury or death resulting from delayed treatment or other impacts on the availability and functionality of medical devices.”
Obsolete medical technology
Legacy healthcare technologies are ubiquitous, expensive to replace and vulnerable to exploitation through known cyber attack tactics and a growing list of publicly disclosed Common Vulnerabilities and Exposures (CVEs). Many run on end-of-life software such as Windows XP and Windows 7 and have limited mechanisms for applying critical patches and updates across widely distributed and unmanaged deployments. Resources and manpower limit the ability to track, secure, and continuously harden every single component of medical technology in use today.
At a high level, manufacturers are responsible for product security, lifecycle maintenance, disclosure of vulnerabilities, and the creation and distribution of available patches and upgrades to continuously secure the devices and technologies they manufacture.
End users, in turn, are responsible for tracking and remediating discovered vulnerabilities, enabling security features, securing data in transit and at rest, and putting solutions in place to monitor the technologies and networks operating within their organization. Meanwhile, most teams and sites are unwilling to return to manual operations for any length of time.
Internet of Medical Things (IoMT)
According to the Food and Drug Administration (FDA), the US regulates nearly 200,000 medical devices manufactured by over 18,000 companies worldwide. Smart, connected medical devices expose both user interfaces (for patients and healthcare providers) and machine-to-machine communication through network connectivity.
These devices, often internet-enabled, pose risks related to unauthorized access, hijacking of login interfaces to bypass password authentication, distributed denial-of-service (DDoS) attacks, and limited protection of sensitive patient data.
The primary attack surface for IoMT devices is default credentials exposed over SSH. In a typical compromise the attacker, often another infected IoT device, tries an average of forty passwords against a handful of usernames. Other common attack surfaces on these devices are UPnP, HTTPS, the underlying Java packages, and assorted source code modifications.
These systems and their variants typically remain unpatched long after a fix is released, because most IoT devices are headless (no user interface) and are not configured for automatic updates unless the user accepts a risk statement in the end-user license agreement.
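An added example, not code from the article, of the defensive check the SSH credential-guessing pattern above calls for: it parses constructed OpenSSH “Failed password” lines (the log format, host name, addresses and thresholds are assumptions) and flags any source that concentrates many failed logins on a handful of accounts.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" line shape; an assumption about the log format.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Thresholds are assumptions; the article cites ~40 guesses across a handful of usernames.
MIN_FAILURES = 10
MAX_DISTINCT_USERS = 5


def parse_failures(lines):
    """Return {source_ip: {username: failure_count}} from sshd log lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]][m["user"]] += 1
    return failures


def detect_credential_guessing(lines):
    """Flag sources with many failures spread over only a few accounts."""
    alerts = {}
    for src, per_user in parse_failures(lines).items():
        total = sum(per_user.values())
        if total >= MIN_FAILURES and len(per_user) <= MAX_DISTINCT_USERS:
            alerts[src] = {"attempts": total, "users": sorted(per_user)}
    return alerts


def build_sample_log():
    """Constructed sample: a bot cycling default accounts, plus one benign typo."""
    fmt = "Mar  3 02:11:{:02d} infusion-gw sshd[812]: Failed password for {} from {} port {} ssh2"
    lines = []
    for i in range(40):  # forty guesses, the figure the article cites
        user = ["root", "admin", "support"][i % 3]
        lines.append(fmt.format(i % 60, user, "203.0.113.7", 50000 + i))
    # A clinician mistyping a password twice should not trigger the alert.
    lines.append(fmt.format(45, "nurse1", "198.51.100.9", 61001))
    lines.append(fmt.format(46, "nurse1", "198.51.100.9", 61002))
    return lines
```

Run it against a real auth.log by replacing `build_sample_log()` with the file's lines; the two benign failures from 198.51.100.9 stay below the threshold.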
Smart, connected facilities
Medical and healthcare operations and facilities continue to digitize components of non-IT control systems – fire alarm and suppression, electrical and lighting systems, metering systems, vehicle charging stations, key access controls. When controls are centralized, companies often deploy building automation solutions (BAS) to connect and automate control of these different functions. Vulnerabilities in BAS can be targeted to gain access to credentials, networks and VPNs, and sensitive data.
In a recent smart building mission, we found 361 unsecured protocols in use, 259 open device vulnerabilities, and 37 plaintext (unencrypted) passwords in use.
By taking control of one or more devices, threat actors can coordinate broader attacks depending on the level of widespread connectivity.
Cyber security for operations and facilities is arguably most important in the hospital environment, where critical populations congregate and the safe movement of resources, equipment and personnel is vital. Remote and privatized operations can struggle to find and retain cybersecurity resources.
Large companies and providers struggle to manage huge campuses, some of which are equivalent to small cities that serve millions of patients and employ tens of thousands of people each year. Bypassing building, utility, and security control systems can have a significant impact on patient care and the safety of patients and providers. Given the prioritization by the US National Cyber Director, early adopters of holistic security practices need to set the course.
A way forward
Even when legacy medical technology, IoMT devices, and facility technology are not the intended target of a cyber incident, cascading impacts can render them unusable, resulting in delayed treatment and potential harm to patients and providers. When corporate IT systems fail, they are often isolated from the rest of the network. When operational systems fail, the impact can include property damage and accidental harm.
This way of working often leads to a split between risk management frameworks and incident reporting. Security incidents keep landing in the gap between the two. This scenario begs the question: do IT and facilities teams know what else is connected to their communication networks, and how these legacy systems, IoMT devices, networks and control systems could be leveraged?
Faced with over-reliance on technology and the burden of manual operations, hospitals and healthcare providers are reducing cybersecurity risks, ensuring compliance with rapidly changing regulatory requirements, and working to gain visibility into connectivity, traffic, and anomalies related to their network behavior.
Given the scale of potential risks, transparency is key. A cybersecurity solution built specifically for operational technology and IoMT can:
- Capture and visualize a landscape with tens or hundreds of thousands of connected systems and endpoints
- Monitor and inspect network traffic in real time, including traffic from non-IT systems
- Establish a baseline and maintain an ongoing understanding of an organization’s cybersecurity posture
- Provide actionable intelligence to address the most critical issues
- Restrict third-party access and alert on changes in network behavior or variables
- Strengthen an organization’s security policies without gaps or shadow connectivity