How to reduce the attack surface associated with medical devices
As the number of connected medical devices continues to rise, so does healthcare organizations’ attack surface.
“Most medical devices available in the healthcare system today were not built with security in mind and it will take years until they are replaced (if they are at all) with next-generation devices,” says Leon Lerman, CEO and co-founder of Cynerio, a provider of medical device and Internet of Medical Things (IoMT) security solutions.
“And, as we witnessed when WannaCry shut down more than 60 hospitals in the UK, there’s no need for particularly sophisticated attacks when built-in vulnerabilities make these devices susceptible to ‘everyday’ ones.”
The danger
With the growing dependence on smart medical devices, attacks targeting them will become more mainstream, Lerman expects.
We only need to look at the situation today to see that this prediction has a high chance of coming true: hackers are increasingly targeting hospitals because of the high price sensitive patient data commands and because ransomware attacks are particularly disruptive for this type of organization. The compromise of sensitive patient data is just the tip of the iceberg – attackers can threaten patients’ health and lives by disrupting service at targeted hospitals and clinics.
“Attackers can infiltrate devices and tamper with doses or even make devices show false data, leading doctors to wrong diagnoses. They can also hold electronic medical records ransom, causing delays in procedures required to treat patients,” he notes.
While connected medical devices can and do improve the quality of in-patient care, they also introduce new vulnerabilities. And since whether a device is vulnerable depends on its inner workings and on the clinical workflows it is part of, patients have no way of knowing whether they are at risk.
Proactive risk mitigation
Depending on their size, hospitals can have thousands or even tens of thousands of medical devices connected to their network. Each one of these devices is a potential target that CISOs should be worried about.
“Not only are these medical devices insecure by design, but they also represent a blind spot,” Lerman points out.
“In a best-case scenario, those in charge of protecting hospitals from cyber threats can only see the IP addresses that are not associated with any devices: an IP address that can be that of an MRI machine, a nurse workstation or a PC. In the worst-case scenario, they don’t even see the IP address.”
The starting point for CISOs looking for a solution is to unveil the blind spots by leveraging available technology to automatically map and list the existing devices on their networks, he says.
Once they have that visibility and know what’s what, they can start taking control and remediating the risks with preventative measures that reduce the attack surface associated with the IoMT ecosystem. Those include automated visibility into connected medical devices, ongoing risk assessment, anomaly detection and network segmentation.
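The first two of those measures, as an added illustration that is not code from the article or from Cynerio: reconcile what the network sees (a constructed DHCP/ARP observation list) against the biomedical asset register to surface the unmapped IP addresses Lerman calls the blind spot, and flag subnets where inventoried medical devices sit alongside ordinary workstations, i.e. where segmentation has not yet been applied. All device names, addresses and MACs are constructed sample data.

```python
# Added example, not from the article. Inputs are constructed; in practice
# they would be exported from DHCP/ARP and the clinical asset system (CMMS).
import ipaddress
from collections import defaultdict

NETWORK_OBSERVATIONS = [
    # (ip, mac) as seen on the wire
    ("10.20.1.10", "00:1a:2b:00:00:01"),
    ("10.20.1.11", "00:1a:2b:00:00:02"),
    ("10.20.1.12", "3c:4d:5e:00:00:03"),
    ("10.20.1.13", "aa:bb:cc:00:00:04"),   # nothing in the register for this one
    ("10.20.2.20", "00:1a:2b:00:00:05"),
]

ASSET_REGISTER = [
    # (mac, device_type, is_medical) from the biomedical inventory
    ("00:1a:2b:00:00:01", "MRI scanner", True),
    ("00:1a:2b:00:00:02", "infusion pump", True),
    ("3c:4d:5e:00:00:03", "nurse workstation", False),
    ("00:1a:2b:00:00:05", "patient monitor", True),
]


def reconcile(observations, register, prefix=24):
    """Return (unknown_ips, mixed_subnets).

    unknown_ips: IPs seen on the network with no asset-register entry, the
    blind spot; any of them could be an unrecorded medical device.
    mixed_subnets: subnets where medical and non-medical hosts share space,
    i.e. where network segmentation has not been applied.
    """
    by_mac = {mac: (kind, medical) for mac, kind, medical in register}
    unknown = []
    subnets = defaultdict(lambda: {"medical": [], "other": []})
    for ip, mac in observations:
        entry = by_mac.get(mac)
        if entry is None:
            unknown.append(ip)
            continue
        kind, medical = entry
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        subnets[net]["medical" if medical else "other"].append(kind)
    mixed = {n: s for n, s in subnets.items() if s["medical"] and s["other"]}
    return unknown, mixed


if __name__ == "__main__":
    unknown_ips, mixed = reconcile(NETWORK_OBSERVATIONS, ASSET_REGISTER)
    print("Unmapped IPs to investigate:", unknown_ips)
    for net, hosts in mixed.items():
        print(f"Segmentation gap in {net}: {hosts}")
```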
The U.S. Food and Drug Administration (FDA) and the Office for Civil Rights (OCR) have issued security directives for protecting medical devices, but they haven’t been strictly enforced.
Steps that healthcare organizations can take immediately include establishing close collaboration between IT experts who understand enterprise security and biomedical engineering professionals who are familiar with medical devices, and negotiating ongoing support terms with medical device manufacturers during the procurement process (e.g., the service level agreement should include timely provision of patches for known vulnerabilities).
The former is already happening, Lerman says: one of the latest trends in the industry is an emerging position of Medical Device Security Engineer (MDSE).