- The benefits of connected medical devices outweigh the risks.
- While healthcare organizations know what steps they must take to secure these devices, the right precautions aren’t taken often enough.
- Security deficiencies include lack of network segmentation and poor implementation of encryption and protocols.
While there are stark security concerns with connected medical devices, that’s not stopping their adoption. The benefits of connected devices are just too great. Connected medical devices help hospitals run more effectively, patients to track their care, and healthcare providers can keep continuous tabs on their patients.
As we wrote in Healthcare Security: How To Deploy IoT Securely, the healthcare internet of things (IoT) market is expected to reach $543 billion by 2025, at an annual growth rate of roughly 20%. Research firm Gartner pegs healthcare IoT growth in 2020 at 29%.
Still, as we’ve covered over the years: in our post Connected Medical Devices at Risk, a Top Target for Future Malware, attacks hit dozens of NHS hospitals and medical devices in the U.K. and a number of facilities in the U.S. Later that year, as we wrote in U.S. and FDA Faced Medical Device Security Woes, the FDA began pressuring medical device manufacturers to build security into their product design.
When it comes to securing these devices, healthcare providers know what steps they must take, but unfortunately, they are reluctant to take them. According to a new report from security vendor Forescout, healthcare providers don’t do what they need to do. Forescout analyzed multiple large healthcare delivery organizations’ traffic to see the maturity of their networks and analyzed more than 3 million devices.
According to the report, 90% of segments with a medical device also have a non-medical I.T. device, and 60% have non-medical IoT devices on their networks. The report also found clear-text exposure of patient information and default passwords in use.
The good news was researchers identified a decline in the percentage of endpoints that were running unsupported operating systems, from 71% in 2019 down to 32% this year. While that was the good news, there was plenty of bad news.
Perhaps the most important and unfortunate news was the lack of segmentation. The researchers found that of all segments containing a connected healthcare device, 60% contained devices not directly related to delivering care. “We also observed that 90% of healthcare segments have a mix of healthcare devices and I.T. devices. These devices might contain vulnerable software or targeted malware, which can make other devices on the same segment susceptible to infection as well,” according to their statement.
Not surprisingly, the bane of effective security, poor credential management, also reared its head in the research. The researchers found patient monitors and CT scanners secured with default credentials on the same segments as other IT and IoT equipment.
Unencrypted communications and poor protocol configurations also weighed heavily on the report. In most healthcare providers evaluated, researchers identified communications between public and private IP addresses using the medical protocol HL7 to send sensitive medical data, including patient PII, in the open. The researchers found other poorly configured protocols, including older versions of the Transport Layer Security (TLS) protocol. “More worryingly, we found instances of Telnet in over half of the HDOs. The clear-text, unencrypted Telnet protocol was designed in 1969 and has long since been replaced by SSH,” they said.
Here are the recommendations from the report:
- Legacy devices and operating systems. Accurate identification and classification of medical devices running legacy operating systems are paramount for risk mitigation. Devices that cannot be retired or patched should be segmented appropriately to restrict access to critical information and services only.
- External communications and exposure. Network flow mapping of existing communications is not just a prerequisite for designing effective segmentation zones. It also provides a baseline understanding of external and internet-facing communication paths. This can help identify unintended external communications and prevent medical data from being exposed publicly.
- Insecure and unencrypted protocols. Start with a network flow mapping project to identify protocols in use. Whenever possible, switch to using encrypted versions of protocols and eliminate insecure, clear-text protocols such as Telnet. When this is not possible, use segmentation for zoning and risk mitigation.
- Default, weak, or hardcoded passwords. Identify and remediate weak and default passwords. A single weak link on a network segment can compromise the entire segment. If hardcoded passwords cannot be remediated, leverage segmentation for zoning and isolation.
- Effective segmentation. Segmentation can be used as a compensating control and risk mitigation technique for all of the above scenarios. It is also a best practice for compliance, limiting lateral movement, and reducing the blast radius of attacks. While there is increasing awareness of the benefits of segmentation, examples of over-segmentation, under-segmentation, and poorly designed segmentation zones abound. Start by accurately identifying devices you want to segment by business context and understanding existing network flows between device groups. Then design appropriate zones and access policies to gain the positive security outcomes of segmentation.
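As an added illustration of the network flow mapping and inventory steps the recommendations describe (this is not code from the post or from Forescout’s report), the Python below classifies constructed flow records and a constructed device inventory against the report’s findings: clear-text HL7 crossing between private and public addresses, Telnet, older TLS versions, and segments that mix medical devices with IT or IoT devices. All addresses, ports, segment names and the HL7-on-MLLP-port-2575 convention are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the report): source, destination,
# destination port, application protocol, and the TLS version seen ("" for clear text).
FLOWS = [
    {"src": "10.20.5.14", "dst": "203.0.113.40", "dport": 2575, "app": "HL7", "tls": ""},
    {"src": "10.20.5.14", "dst": "10.20.5.200", "dport": 2575, "app": "HL7", "tls": ""},
    {"src": "10.20.7.3", "dst": "10.20.5.31", "dport": 23, "app": "TELNET", "tls": ""},
    {"src": "10.20.7.9", "dst": "10.20.9.10", "dport": 443, "app": "HTTPS", "tls": "TLSv1.0"},
    {"src": "10.20.7.9", "dst": "10.20.9.11", "dport": 443, "app": "HTTPS", "tls": "TLSv1.3"},
    {"src": "10.20.5.14", "dst": "10.20.9.12", "dport": 22, "app": "SSH", "tls": ""},
]
# Constructed device inventory as (segment, device class) pairs.
INVENTORY = [("vlan-imaging", "medical"), ("vlan-imaging", "it"), ("vlan-icu", "medical"),
             ("vlan-icu", "iot"), ("vlan-pumps", "medical"), ("vlan-office", "it")]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # the "older versions" the report flags

def is_internal(ip: str) -> bool:
    # Private (RFC 1918) address check; anything else is treated as public.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify_flow(flow: dict) -> list:
    """Return the report's finding categories this flow matches (empty list if clean)."""
    findings = []
    crosses_boundary = is_internal(flow["src"]) != is_internal(flow["dst"])
    # HL7 over plain MLLP carries patient data in clear text; flag it between private and public.
    if flow["app"] == "HL7" and not flow["tls"] and crosses_boundary:
        findings.append("cleartext-hl7-external")
    if flow["app"] == "TELNET" or flow["dport"] == 23:
        findings.append("telnet")
    if flow["tls"] in LEGACY_TLS:
        findings.append("legacy-tls")
    return findings

def summarize(flows: list) -> Counter:
    """Count findings across all flows: the baseline a flow-mapping exercise should produce."""
    counts = Counter()
    for flow in flows:
        counts.update(classify_flow(flow))
    return counts

def mixed_medical_segments(inventory: list) -> list:
    """Segments holding a medical device together with non-medical IT or IoT devices."""
    classes = {}
    for seg, cls in inventory:
        classes.setdefault(seg, set()).add(cls)
    return sorted(s for s, c in classes.items() if "medical" in c and c - {"medical"})
```

Each flagged category maps to one of the recommendations above, so the counts and the mixed-segment list give a starting point for deciding which protocols to replace and which device groups need their own zone.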
The healthcare industry is making tremendous changes, including significant investments in connected medical devices and IoT, because the improved efficiency and care delivery made possible by advances in small microchips, wireless connectivity such as 5G, and data analytics make those investments worthwhile. But not at the expense of security. And security vulnerabilities are a wound the industry had better start suturing up soon.