Field battle tactics for reducing security risks of medical IoT – Technologist

IoT devices make our lives easier. For example, smart home technologies can optimise energy consumption conveniently by allowing us to turn household appliances on and off with a touchscreen or remotely with our smartphones.

Likewise, organisations across all industries have also rapidly adopted IoT to improve operational efficiency. However, IoT devices can be one of the weakest links in an IT network.

Why?

• IoT devices are often built on outdated software and legacy operating systems that may be vulnerable to attack.
• IoT devices are increasingly collecting and storing vast amounts of data which makes them an attractive target for cybercriminals.
• IoT devices serve as an easy entry point for attackers looking to move laterally across an IT network and gain access to more sensitive data. Alternatively, such devices could be attacked directly and shut down with highly disruptive effects.

The healthcare industry is one industry that has moved towards the Internet of Medical Things (IoMT) in a big way.

By some estimates, 87% of healthcare organisations will have adopted IoMT by the end of 2019 and there will be almost 650 million IoMT devices in use by 2020.

Take ultrasound machines for example. Ultrasound technology has made huge advancements over recent years to provide patients and doctors alike with detailed and potentially lifesaving information. Unfortunately, these advancements have not moved in tandem with IT security in which these machines sit, are now connected to and transfer images within.

Check Point Research recently highlighted the dangers this could pose by getting their hands on an ultrasound machine and investigating what takes place under the hood. They discovered the machine’s operating system was Windows 2000, a platform that, like most other IoMT devices, no longer receives patches or updates and thus leaves the entire ultrasound machine and the information it captures vulnerable to attack.

Due to old and well-known security gaps in Windows 2000, it was not difficult for our team to exploit one of these vulnerabilities and gain access to the machine’s entire database of patient ultrasound images.

Video Demo of Hacking an Ultrasound machine

The Financial Motivation for an Attack

Cyber-attacks on hospitals occur on an almost weekly basis. One example is that of a ransomware attack on the Melbourne Heart Group which saw the hospital’s data scrambled by hackers and held to ransom. Other significant attacks seen include Singapore’s SingHealth which suffered a massive data breach that saw the Prime Minister’s health records stolen followed by 1.4 million patient records stolen from UnityPoint a few weeks later. In addition, May 2017 saw the massively disruptive WannaCry attack that caused 20,000 appointments in the UK’s NHS to be cancelled and over £150 million spent on remedying the attack. Interestingly, it was unpatched Windows systems that lead to such damage.

However, it is primarily not mass disruption that motivates cybercriminals to target the healthcare industry. Due to the vast amounts of personal information that hospitals and other healthcare organisations store and transfer electronically, these institutions make for attractive targets to attack. This valuable data can be used to obtain expensive medical services and prescription medications, as well as to fraudulently acquire government health benefits. It is no wonder then that this information can fetch as high as US$60 per record on the Dark Web.

Although there is numerous media mention describing the personal danger of cyber-attacks to patients, the financial damage is far more realistic and is what lies at the heart of cyber-attacks on the healthcare industry.

According to the Ponemon’s Cost of Data Breach Study, at US$408 per health record, the healthcare sector demands the highest cost by far to remedy a data breach. This stands in contrast to the average of US$225 per record paid by other organisations. These costs include fees to investigate and repair the damage caused by an attack as well as paying fines or ransoms or any stolen funds themselves. Attacks can also result in a loss of patient records and information as well as cause long-lasting damage to the health institution’s reputation.

The IoMT Security Problem

The risk of a cyber-attack on healthcare organisations is huge. Such attacks could lead to the loss and illegitimate sharing of personal data, altering a patient’s medical information regarding medicine, dosages, and treatments, and hacking of MRI, ultrasound and x-ray machines in hospitals.

The critical nature of healthcare environments also means that many stakeholders involved in the healthcare process often require immediate access to patients’ data across a large range of devices and applications. As a result, downtime to update or patch systems is not always an option. In addition, the large range of medical devices from diverse manufacturers is a potential nightmare to not only monitor them but also integrate a security policy that incorporates them all.

From the hospital management’s perspective, downtime to update or patch systems not only affects the operational flow of the hospital itself but can also hit their financial bottom line. Having spent very large amounts on important healthcare equipment, it is vital that management sees a return on their investment by having that equipment up and running in order to be able to cover their costs through claims from patients’ medical insurance policies.

From a regulatory point of view, the inherent vulnerabilities that come with operating healthcare devices, such as a lack of encryption of sensitive data as well as hard-coded or default login credentials, prevent IT professionals from even implementing security patches, should such patches even exist.

Securing IoMT

The above-mentioned security vulnerabilities highlight the importance healthcare organisations must place on their IT security posture. While there are still issues and vagueness when it comes to security protocol standardisation across IoMT devices, there is still much that healthcare organisations can do to protect their patients’ data.

Healthcare organisations must remain alert to the multiple entry points that exist across their network. There can often be hundreds, if not thousands, of devices connected to the IT network, any one of which may contain security vulnerabilities in either the hardware or software used by such devices. Catching every one of these vulnerabilities is impossible, however, so it is essential healthcare organisations have an advanced prevention security solution in place to catch the inevitable attacks that will attempt to exploit these vulnerabilities.

In addition, segmentation can never be overstated. Separating patient data from the rest of the IT network gives healthcare IT professionals a clearer view of network traffic to detect unusual movement that might indicate a breach or compromised IoMT device. Segmentation would also enable these organisations to prevent data stealing or encrypting malware from propagating further across the network and isolating the threat.

Finally, segmentation should also apply to healthcare personnel within the organization with access to those systems provided only to those who require them to carry out their roles.

Best Practices

The benefits that connected medical devices offer cannot be ignored. They provide patients and healthcare providers with potentially life-saving information and enable an efficient way of handling this information.

However, healthcare organisations must be aware of the inherent vulnerabilities of such devices that may escalate their chances of a data breach. Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions while providing another layer of security to network and data protection, without compromising performance or reliability.

Once best practice cyber hygiene is implemented and enforced, IT security teams can rest assured their patients’ records, and in turn, their organisations’ finances and reputation, are safe.