It is widely known that the healthcare industry is a primary target for cyberattacks, with increasingly sophisticated and highly motivated adversaries seeking to exploit both human and technological vulnerabilities more frequently than ever before.
To better defend their networks, systems, and devices from an ongoing barrage of attack techniques, healthcare organizations are increasingly turning to zero trust architecture, which does away with the traditional security perimeter, assuming that every user and every device on the network could potentially be malicious.
Cynerio concludes that the three most common threats affecting healthcare organizations today are:
- Ransomware – widely prevalent in connected healthcare environments due to outdated and unpatched operating systems in myriad devices
- Outdated vendor firmware – many devices run embedded operating systems which are updated even less frequently than consumer operating systems, and vulnerabilities, such as Ripple20 and URGENT/11, are not well known
- Unsecured services – devices commonly ship with open communications protocols, like Telnet, FTP or HTTP, which are unauthenticated and contain vulnerabilities, for example Telnet or HTTP ports that require no authentication
Vendor firmware vulnerabilities drive significant risk
Vendor firmware presents a significant risk to healthcare environments: software code is not often written with security in mind, authentication is weak or nonexistent, and in many cases credentials are hardcoded.
In addition, data transfer is often based on proprietary communications protocols that are unsecured and unencrypted. Firmware updates are rarely issued by vendors and vulnerabilities aren’t well understood.
Two prevalent sets of vulnerabilities affect millions of connected healthcare IoT devices worldwide: URGENT/11 and Ripple20. For background, URGENT/11 vulnerabilities are found in IPnet, a network communications component that is no longer supported by its original developer, yet is incorporated into software applications, equipment, and systems used by a variety of healthcare IoT and industrial devices.
Ripple20 is a series of 19 critical vulnerabilities, with 4 more recently discovered, in the Treck TCP/IP stack, a software library built into many medical and IoT devices and embedded in third-party components of operating systems. In many devices, Treck is a low-level component and administrators may not be aware it is used on the device.
- 96% of infusion pumps in healthcare facilities were affected by URGENT/11 or Ripple20 TCP/IP stack vulnerabilities
- 63% of infusion pumps, including the commonly used Baxter Sigma model, are vulnerable to Ripple20
- 33% of infusion pumps across Cynerio’s deployments, including the prominent Alaris model, are vulnerable to URGENT/11
If unpatched, URGENT/11 or Ripple20 vulnerabilities can lead to the exposure and theft of electronic protected health information (ePHI), denial of service (DoS) attacks powerful enough to shut down clinical networks, and logic flaws that can interrupt normal device functionality. In other circumstances, adversaries can take remote control of medical and other IoT devices, disrupting clinical workflow and exfiltrating sensitive data from the device or connected systems.
Connected cameras, CT and MRI machines riddled with vulnerabilities
Many connected medical and IoT devices come with communications services that are enabled by default, such as Telnet or SSH terminal access, open HTTP ports, FTP servers enabling remote file upload/download, and VNC servers enabling remote control access—all of which pose a significant threat to healthcare organizations.
Researchers recently found that eight significant managed service vulnerabilities proliferate across healthcare organizations, including:
- 58% of attendance clocks across its deployments were being managed with basic HTTP authentication and default passwords, or with the same password shared across multiple clocks
- 25% of IP cameras in one hospital system were being managed with basic HTTP authentication, with credentials shared between all cameras
- More than 50% of servers in radiology ecosystems run a vulnerable service, such as HTTP, FTP, or SSH
- 50% of picture archiving and communications systems (PACS) and radiology information systems (RIS) servers are impacted by vulnerable services
- 25% of mammography machines were found to run an outdated IIS or OpenSSH service, with many running OpenSSH_6.0, which was released almost ten years ago
- 15% of MRI machines were found to run vulnerable OpenSSH services, including the 15-year-old OpenSSH_4.2 service
- More than 40% of computed tomography (CT) machines across its deployments are managed unsafely by technicians, potentially exposing credentials and classified patient data in cleartext
- 33% of CT machines use default passwords providing backdoors into clinical networks
With thousands of devices in an average hospital, it is infeasible for IT and security teams to manually test every device to discover open services, and traditional network scanning tools often cannot recognize these devices as medical devices. In some cases, scanning can interrupt their clinical operation.
However, unmanaged service vulnerabilities provide threat actors with easy access to live video streams of hospital activity, jeopardize the safety of the hospital, and compromise patient privacy.
They can also unintentionally expose large quantities of ePHI, including photo and video images, to unauthorized users and threat actors, and impact the operational and business continuity of affected departments.
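Because active scanning can disrupt clinical devices, one way to find the services listed above is to audit an inventory collected passively. The following is an added example, not part of Cynerio's report or tooling: the inventory records are constructed, and the `MIN_OPENSSH` floor and the record field names are assumptions to replace with your own baseline and export format.

```python
import re

# Cleartext or commonly unauthenticated services named in the article.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 5900: "VNC"}
# Assumed policy floor for OpenSSH; set this from your own patch baseline.
MIN_OPENSSH = (8, 0)
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

# Constructed sample inventory, as a passive monitoring tool might export it.
INVENTORY = [
    {"device": "mammo-01", "port": 22, "banner": "SSH-2.0-OpenSSH_6.0"},
    {"device": "mri-02", "port": 22, "banner": "SSH-1.99-OpenSSH_4.2"},
    {"device": "cam-17", "port": 80, "banner": "HTTP/1.1 401 Unauthorized"},
    {"device": "ct-03", "port": 23, "banner": ""},
    {"device": "pacs-01", "port": 22, "banner": "SSH-2.0-OpenSSH_9.6"},
]


def audit_service(rec):
    """Return a list of finding strings for one observed service."""
    findings = []
    if rec["port"] in RISKY_PORTS:
        findings.append(f"{RISKY_PORTS[rec['port']]} exposed on port {rec['port']}")
    match = BANNER_RE.search(rec.get("banner", ""))
    if match:
        version = (int(match.group(1)), int(match.group(2)))
        if version < MIN_OPENSSH:
            findings.append(f"outdated OpenSSH {version[0]}.{version[1]}")
    return findings


def audit_inventory(inventory):
    """Map device name -> findings, keeping only devices with at least one."""
    report = {}
    for rec in inventory:
        found = audit_service(rec)
        if found:
            report.setdefault(rec["device"], []).extend(found)
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(INVENTORY).items():
        print(device, "->", "; ".join(findings))
```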
Zero trust for healthcare to the rescue
Adopting a zero trust architecture enables healthcare organizations to significantly reduce the risks of ransomware, outdated vendor firmware and unsecured services by:
- Configuring policies to block unnecessary communications with healthcare IoT devices
- Segmenting the network to contain attackers to a specific segment
- Hardening services running on connected medical and IoT devices to reduce their security impact
- Quarantining infected devices to prevent a breach from spreading
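The sketch below shows how three of these measures (blocking unnecessary communications, segmentation, and quarantine) fit together as a default-deny policy. It is an added example, not from Cynerio or any product: device names, segments, the allowlist, and the `QUARANTINE_AFTER` threshold are all constructed assumptions.

```python
# Allowed flows per device class: (destination segment, destination port).
# Anything not listed is denied. All values here are constructed.
ALLOW = {
    "infusion_pump": {("clinical_servers", 443)},
    "ct_scanner": {("radiology", 104), ("radiology", 443)},
    "ip_camera": {("video_recorders", 554)},
}
DEVICES = {"pump-12": "infusion_pump", "ct-03": "ct_scanner", "cam-17": "ip_camera"}
QUARANTINE_AFTER = 2  # assumed: denied flows tolerated before isolating a device

# Constructed flow log: source device, destination segment, destination port.
FLOWS = [
    ("pump-12", "clinical_servers", 443),
    ("cam-17", "radiology", 23),
    ("cam-17", "clinical_servers", 445),
    ("cam-17", "video_recorders", 554),
    ("ct-03", "radiology", 104),
    ("laptop-9", "radiology", 104),
]


def enforce(flows, quarantined=()):
    """Evaluate flows in order; return (verdicts, final quarantine set)."""
    quarantined = set(quarantined)
    denied = {}
    verdicts = []
    for src, segment, port in flows:
        dev_class = DEVICES.get(src)
        if dev_class is None:
            verdict = ("deny", "unknown device")
        elif src in quarantined:
            verdict = ("deny", "quarantined")
        elif (segment, port) in ALLOW.get(dev_class, set()):
            verdict = ("allow", "allowlisted")
        else:
            verdict = ("deny", "not allowlisted")
            denied[src] = denied.get(src, 0) + 1
            if denied[src] >= QUARANTINE_AFTER:
                quarantined.add(src)  # contain the device from now on
        verdicts.append((src, verdict))
    return verdicts, quarantined


if __name__ == "__main__":
    results, isolated = enforce(FLOWS)
    for src, (action, reason) in results:
        print(f"{src}: {action} ({reason})")
    print("quarantined:", sorted(isolated))
```

Once `cam-17` is quarantined, even its normally allowlisted video traffic is denied, which is the containment behavior the last bullet describes.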