
How and Why Healthcare Organizations Need to Prioritize Risk Management

Tamer Baker, VP of Global Healthcare, Forescout

Healthcare organizations are facing an unprecedented level of cybersecurity risk. Within the first nine months of 2022, more than 18,000 vulnerabilities were reported – more than 600 new vulnerabilities per day. Research has shown that it takes an organization an average of 205 days, more than six months, to patch a vulnerability. Cybercriminals, however, are weaponizing these vulnerabilities into zero-day attacks in just three days. Is it any wonder that healthcare organizations are experiencing a record-breaking number of breaches?

Digital transformation trends, such as the internet of things (IoT), the internet of medical things (IoMT) and IT/OT convergence, are enabling healthcare providers to deliver more efficient services, but they have also dramatically increased the attack surface. The correlation between a record-setting number of vulnerabilities and a record-setting number of breaches should be a sign that healthcare organizations need to be more proactive about risk management, but that isn’t even half of the problem.

FDA regulations, which require medical device manufacturers to disclose and patch vulnerabilities, can be discouraging for manufacturers because of the arduous review process. Likewise, even when a patch for a medical device is released, deploying it can be a time-consuming and expensive process, often requiring the healthcare organization to pay its vendor to send an engineer on-site. Even then, some IT departments may be reluctant to patch too quickly for fear of causing downtime or an outage on critical care devices. Often, though, health delivery organizations will subscribe to vendor services for ongoing maintenance and patching.

When it comes to these medical device vendors, who watches the watchmen? When it comes to healthcare organizations, who owns the risk? These are important questions to consider in the face of independent cybersecurity research.

Access:7 – Supply Chain Vulnerabilities Enable Unauthorized Access to Medical Devices

In March 2022, Vedere Labs published Access:7, a cybersecurity research report that identified more than a half dozen vulnerabilities affecting more than 100 device manufacturers. These vulnerabilities were in Axeda, a remote access and management solution for connected devices that had been integrated into more than 150 different medical and IoT devices, predominantly impacting healthcare organizations.

Access:7 serves as a reminder of the sort of supply chain risks that can emerge as a result of one vendor integrating vulnerable software from another vendor. It can be very difficult for an organization to get visibility into these risks, which is why the Biden Administration is advocating for vendors to provide a software bill of materials (SBOM) – essentially an “ingredients” list of software components. But even an SBOM is not a silver bullet. Organizations still need to maintain visibility into their own environment to understand their risk.

Unfortunately, cybersecurity research like Access:7 also demonstrates how many vendors turn a blind eye toward these vulnerabilities. Over the past few years, Vedere Labs has published many pivotal cybersecurity research reports focused on a variety of critical vulnerabilities. Throughout this process, Vedere Labs has always engaged in responsible disclosure with government agencies, such as CISA, and with the affected vendors. Yet it has frequently been difficult to identify who to disclose these vulnerabilities to at a vendor, or how and where to do so; communication often went unanswered, and vendors have been slow to publicly acknowledge these vulnerabilities.

Although cybersecurity researchers may be stymied by a seemingly intractable problem communicating with these vendors, healthcare organizations that are paying these vendors must hold them responsible.

Remediate the Problems You Can Fix; Mitigate the Problems You Cannot

Ultimately, healthcare organizations are responsible for their own risk. As digital transformation has created complex IT/OT environments that span IT systems, medical devices and IoT devices, such as security cameras, HVAC, and building automation systems, there may be multiple stakeholders across multiple departments that need to share this responsibility.

The good news about risk management is that the little things can make a big difference. That means embracing the fundamentals. Developing an asset inventory, discovering and remediating misconfigurations, and patching vulnerabilities will go a long way toward reducing risk, but at what cost and speed? Of course, there are always some risks that can’t be remediated, such as legacy devices that can’t be patched, in which case organizations should prioritize mitigation techniques that close off the attack vector. Proper segmentation of medical assets is one of the single best ways to mitigate and reduce the most risk. Looking at vulnerability management alone is not enough. For example, if a critical medical asset has a critical vulnerability, but the device has been properly segmented and cannot be reached to exploit the vulnerability, then the actual risk is low, and we should be paying more attention to other assets that can still be exploited.

Here is a three-step checklist that healthcare organizations can use to prioritize the risk of their medical devices:

  • Asset Criticality – What is the importance of this device to healthcare delivery? For example, if an infusion pump is tampered with to change the dosage being dispensed or is taken offline, this could have fatal consequences.
  • Dominant Risk – What is the highest potential impact to your organization? For example, an outage of all your imaging systems could result in hundreds of thousands of daily dollars of lost revenue.
  • Auxiliary Risk – What is the surrounding exposure of the attack surface? For example, can an attacker move laterally to and from this asset?
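As an added illustration (not code from the article or from Forescout), here is one way to turn the three-step checklist and the segmentation argument above into a prioritization score. The weights, the 1–5 scales and the device inventory are constructed assumptions for demonstration, not a published formula:

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # Asset Criticality, 1-5 (5 = failure can directly harm a patient)
    dominant_impact: int  # Dominant Risk, 1-5 (5 = worst-case organizational impact, e.g. outage of all imaging)
    max_cvss: float       # highest CVSS base score among the device's known vulnerabilities
    reachable: bool       # can the vulnerable service be reached from outside its own network segment?
    lateral_paths: int    # Auxiliary Risk: number of other segments with a route to or from this asset


def risk_score(a: Asset) -> float:
    """Priority score = severity x criticality x business impact x exposure x lateral spread.

    The multipliers are assumptions chosen to show the argument in the text:
    a segmented device cannot be reached, so its exposure factor collapses.
    """
    exposure = 1.0 if a.reachable else 0.1        # segmentation removes almost all exploitability
    auxiliary = 1.0 + 0.25 * a.lateral_paths      # each lateral path widens the blast radius
    return round(a.max_cvss * a.criticality * a.dominant_impact * exposure * auxiliary, 1)


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Highest-risk assets first: the order a remediation/mitigation queue should follow."""
    return sorted(assets, key=risk_score, reverse=True)


def segmented(a: Asset) -> Asset:
    """Model the mitigation for a device that cannot be patched: isolate it in its own segment."""
    return replace(a, reachable=False, lateral_paths=0)


# Constructed sample inventory; names and scores are illustrative, not real devices.
INVENTORY = [
    Asset("infusion-pump-12", criticality=5, dominant_impact=4, max_cvss=9.8, reachable=False, lateral_paths=0),
    Asset("ct-scanner-03", criticality=4, dominant_impact=5, max_cvss=7.5, reachable=True, lateral_paths=3),
    Asset("hvac-controller-7", criticality=2, dominant_impact=3, max_cvss=9.1, reachable=True, lateral_paths=2),
    Asset("nurse-ws-44", criticality=2, dominant_impact=2, max_cvss=5.3, reachable=True, lateral_paths=1),
]

if __name__ == "__main__":
    # The segmented infusion pump carries the worst CVSS but lands at the bottom of the queue;
    # the reachable CT scanner with three lateral paths goes to the top.
    for a in prioritize(INVENTORY):
        print(f"{a.name:20} {risk_score(a):7.1f}")
    print("ct-scanner-03 if segmented:", risk_score(segmented(INVENTORY[1])))
```

The infusion pump scores 19.6 despite its 9.8 CVSS because it is unreachable, while the CT scanner scores 262.5; segmenting the scanner drops it to 15.0, which is the "mitigate what you cannot fix" outcome the text describes.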

The Importance of Visibility

Just as a doctor wouldn’t operate without first taking images, an organization shouldn’t manage risk without visibility. Visibility capabilities enable organizations to discover their assets with the context needed to prioritize risk remediation and mitigation actions. An ounce of this sort of preventive medicine can be worth a pound of cure.