Written by Richard Staynings, Chief Security Strategist for Cylera
Medical IoT was never designed to be secure from online threats. A scary thought, given that recent research by Juniper predicts the number of IoMT devices in smart hospitals will exceed 7m in just three years.
This network of physical things was invented to perform simple tasks repetitively. Take a programmable logic controller (PLC), for example: it was designed to open and close a lift door millions of times during its lifespan, not to prevent cybercriminals from entering your network. Nor was its architecture built to be extensible and updated over time, as a PC or Mac is. This means that even if a security patch or newer operating system is available for a user to install, it is highly unlikely that the IoT device will be able to run the update. Simply put, IoT is disposable, difficult to patch and inherently insecure.
It's no wonder, then, that there is heightened security concern over IoT in healthcare settings, especially as its growing use increases the cyber-attack surface. In hospitals today, three-quarters of IP-connected assets are unmanaged by hospital IT, and the vast majority of these are medical and other IoT devices. They range from diagnostic systems such as X-ray, CT, PET and ultrasound, to radiotherapy and chemotherapy systems, to network-connected infusion pumps delivering life-critical drugs, and patient monitoring systems for O2 saturation, pulse, heartbeat, blood pressure and other vitals. Nor should we forget the critical hospital building management systems: the HVAC used to manage positive and negative airflow, keeping ORs clean and disease-free and stopping infectious patients from spreading airborne pathogens throughout care facilities; the elevators essential for moving patients between floors; and the security cameras and electronic door locks that keep parts of the building secure. The list goes on.
Today there is an endless number of IoT systems connected to hospital networks, providing a potential back door for cybercriminals to enter and cause significant disruption.
Although things are changing slowly, IoT is largely unregulated. It is reported that authorities in Britain and the EU are driving forward improvements in IoT security, but that European manufacturers are not keeping up. There is still no ongoing requirement for manufacturers to undertake a cybersecurity risk analysis or to disclose potential security vulnerabilities in their products.
Recently, the IoT Security Foundation (IoTSF) revealed that very few IoT manufacturers share their vulnerability disclosure policy (VDP), despite independent security researchers relying on one to know how to safely communicate any product vulnerabilities. Alarmingly, as many as 73% of IoT device manufacturers fail to comply with imminent UK security rules, and in previous years the IoTSF has openly criticised the high percentage of manufacturers failing to support “the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed”.
Yet, organisations that are non-compliant with Britain’s IoT product security requirements could face fines of up to £20,000 ($24,800 USD).
Organisations simply cannot afford to rely on manufacturers to report vulnerabilities in the IoT devices that sit on their networks. With so much IoT connected today, device owners, including heads of IT, security and facilities, must have the tools to be proactive with their cybersecurity: to know where all their assets are and the risk that each one poses. This means having excellent visibility of their infrastructure, through a solution that carries out network traffic analysis leading to accurate device identification and informed vulnerability, risk and threat analysis.
In our own experience with such solutions, network analysis uncovers a large proportion of previously undiscovered connected and IoT devices. Creating a “digital twin” of these devices then enables real-time, packet-level analysis of device behaviour, using a system that neither disrupts operations nor physically interacts with the device.
Not all IoT devices pose a security risk to the network, but those that do need to be addressed and, where possible, remediated. In most cases this means locking down risky devices following the principles of ‘Zero Trust’, using software-defined networking (SDN) tools and network access control (NAC), many of which are already owned and implemented by trusts.
The challenge with these tools is that an accurate network communication profile for each device needs to be created and validated first. Multiply this by the hundreds of thousands of risky devices across a hospital trust and you’re looking at needing a small army to create those profiles manually.
Some cybersecurity solutions can automate this process, but it shouldn't stop there. Systems should also be able to report anomalous activity to the security operations tools in the SOC (security operations centre) for SIEM (security information and event management). Given the speed at which cyber-attacks take place today, speed is of the essence. So is automation.
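The procedure described above, learning each device's communication profile from passively observed traffic, turning that profile into a default-deny allow-list of the kind a NAC or SDN controller enforces, and reporting deviations to the SOC as SIEM events, as an added example that is not Cylera's software or the author's code. It assumes summarised flow records from a passive tap or SPAN port, a simplified and assumed port-to-service hint table, and constructed sample traffic for an infusion pump and a CT scanner.

```python
"""Passive IoMT communication profiling, allow-list generation and anomaly alerting.

Added example, not Cylera's code. The flow records below are constructed and
the port-to-service mapping is an assumed, simplified fingerprint table.
"""
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised network flow as a passive sensor (tap/SPAN) would record it."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes: int


# Assumed port-to-service hints used for coarse device identification.
SERVICE_HINTS = {104: "dicom", 11112: "dicom", 2575: "hl7-mllp", 123: "ntp", 8443: "https-alt"}

# Constructed baseline traffic: an infusion pump (10.20.1.15) and a CT scanner (10.20.2.40).
BASELINE_FLOWS = [
    Flow("10.20.1.15", "10.20.0.5", 8443, "tcp", 2400),        # pump -> drug library server
    Flow("10.20.1.15", "10.20.0.9", 123, "udp", 76),           # pump -> NTP
    Flow("10.20.1.15", "10.20.0.5", 8443, "tcp", 2100),
    Flow("10.20.2.40", "10.20.0.20", 104, "tcp", 5_000_000),   # CT -> PACS (DICOM)
    Flow("10.20.2.40", "10.20.0.20", 104, "tcp", 4_800_000),
]


def build_profiles(flows):
    """Learn, per source device, the peers it talks to, the services seen and its largest flow."""
    profiles = defaultdict(lambda: {"peers": set(), "services": set(), "max_bytes": 0})
    for f in flows:
        p = profiles[f.src]
        p["peers"].add((f.dst, f.dport, f.proto))
        p["max_bytes"] = max(p["max_bytes"], f.bytes)
        if f.dport in SERVICE_HINTS:
            p["services"].add(SERVICE_HINTS[f.dport])
    return dict(profiles)


def policy_rules(profiles):
    """Turn each profile into a default-deny allow-list, the shape a NAC/SDN controller enforces."""
    rules = []
    for src in sorted(profiles):
        for dst, dport, proto in sorted(profiles[src]["peers"]):
            rules.append({"action": "permit", "src": src, "dst": dst, "dport": dport, "proto": proto})
        rules.append({"action": "deny", "src": src, "dst": "any", "dport": "any", "proto": "any"})
    return rules


def detect(flow, profiles, volume_factor=3.0):
    """Return an alert dict if a flow deviates from its device's learned profile, else None."""
    p = profiles.get(flow.src)
    if p is None:
        reason, severity = "unknown_device", "medium"
    elif (flow.dst, flow.dport, flow.proto) not in p["peers"]:
        reason, severity = "unexpected_peer", "high"
    elif flow.bytes > volume_factor * p["max_bytes"]:
        reason, severity = "volume_anomaly", "medium"
    else:
        return None
    return {"severity": severity, "reason": reason, "src": flow.src, "dst": flow.dst,
            "dport": flow.dport, "proto": flow.proto, "bytes": flow.bytes}


def siem_events(flows, profiles):
    """Run detection over live flows and render alerts as JSON lines for SIEM ingestion."""
    alerts = (detect(f, profiles) for f in flows)
    return [json.dumps(a, sort_keys=True) for a in alerts if a is not None]


if __name__ == "__main__":
    learned = build_profiles(BASELINE_FLOWS)
    # Constructed "live" flows: one normal, one pump reaching an outside host, one oversized CT transfer.
    live = [
        Flow("10.20.1.15", "10.20.0.5", 8443, "tcp", 2300),
        Flow("10.20.1.15", "198.51.100.7", 443, "tcp", 900),
        Flow("10.20.2.40", "10.20.0.20", 104, "tcp", 20_000_000),
    ]
    for rule in policy_rules(learned):
        print(rule)
    for line in siem_events(live, learned):
        print(line)
```

The learned profile is only as trustworthy as the baseline window: a device that was already compromised while the profile was being built has its malicious peers permitted, so the allow-list should be validated by the device owner before enforcement, which is the manual step the text says a small army would otherwise be needed for.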
Defending against today’s sophisticated and ever-emerging online threats requires a proactive cybersecurity approach and lightning reactions, and this means complete visibility, discovery and inventory management across your entire network.