Physician, Heal Thyself: Treating Medical Device Vulnerabilities
Healthcare organizations are facing a unique cybersecurity affliction. The rise of ransomware attacks against healthcare organizations, record-setting breaches and the widespread vulnerabilities associated with medical devices are symptomatic of an underlying condition: medical devices are challenging to protect. This challenge extends to medical device manufacturers and cybersecurity practitioners alike. Consequently, cybersecurity practitioners need to engage in their own form of preventative security controls to mitigate the growing risk of attacks on healthcare systems.
Although connected devices (i.e., IoT devices) have increased the attack surface of organizations across every industry, the healthcare industry is particularly susceptible to cyberattacks because of the insecure nature of connected medical devices (i.e., IoMT devices). Both IoT and IoMT devices are at risk from a variety of CVEs, supply chain/third-party vulnerabilities, and insecure-by-design practices, which should not be overlooked.
However, connected medical devices face additional challenges. Regulatory compliance makes it difficult for medical device manufacturers to publish patches without arduous review cycles. But even when patches are produced, medical devices are mission-critical, proprietary and decades-old, making it difficult to update them. Despite this challenge, such devices must be protected because they are an attractive target for cyberattack, either as an initial foot in the door or the ultimate target for disruption.
The Rise of Ransomware Attacks and Record-Setting Breaches
According to data from the Department of Health and Human Services (HHS), the number of healthcare-related breaches has more than tripled over the past decade. Since 2015 this growth is attributed almost solely to hacking and IT incidents, which is almost certainly correlated with the rise of ransomware attacks.
Throughout the pandemic, healthcare organizations have also been grappling with a ransomware epidemic. The healthcare industry was among the first to be hit with a targeted ransomware campaign, the FBI warned in October 2020. According to the Identity Theft Resource Center, ransomware attacks doubled in 2020 and doubled again in 2021.
This increase in ransomware attacks and breaches seems to be directly correlated to the increase in vulnerabilities.
Widespread Vulnerabilities in Medical Devices
According to the National Institute of Standards and Technology (NIST), both the volume and severity of software vulnerabilities have been growing over the past decade, again with a particular spike around 2015. These vulnerabilities are not limited to connected devices, but rather speak to the greenfield of vulnerabilities available for attackers to exploit.
There are many examples of vulnerabilities that specifically affect medical devices that have emerged over the past few years. For example, Forescout revealed how supply chain vulnerabilities in a remote access agent left more than 75 medical device models vulnerable to unauthorized access and remote code execution.
Project Memoria analyzed more than 100 vulnerabilities affecting more than 500 vendors and found that only 95 out of 422 vendors had published any public advisory, either acknowledging the vulnerabilities or showing how they were not affected. Turning a blind eye to these vulnerabilities is like a sick person who refuses to visit the doctor.
An Ounce of Prevention is Worth a Pound of Cure
As mentioned, patching medical device vulnerabilities is a unique challenge, either because of a time-consuming FDA review process or because of the complexity of updating decades-old and mission-critical machines. Therefore, cybersecurity practitioners in healthcare organizations need to enforce mitigation techniques when remediation is not possible.
Visibility into network devices and network traffic is one of the most valuable capabilities for protecting vulnerable medical devices. Think of visibility into network devices as an X-ray that reveals fractures: it shows the current posture and its weaknesses, so that those weak points can be reinforced and supported with granular policies and security controls.
Visibility into network traffic is like an EKG or patient monitor because it provides the ability to detect anomalies. For example, if you know a network device is vulnerable to a certain condition, then you can monitor network traffic to detect packets that might exploit that condition, so that policy enforcement engines can block them. It would be an exercise in futility to develop cybersecurity enforcement policies without visibility into all network devices.
Network segmentation is another effective mitigation. It is good cyber hygiene to restrict external communication paths and to isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched, or until they can be. Segmentation also has the added value of reducing the blast radius in case of an infection, limiting the spread to a small part of the network.
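The two controls just described, monitoring traffic to known-vulnerable devices and enforcing zone boundaries around them, both depend on the same input: an accurate device inventory. The following Python script is an added example (not code from the original article or from any vendor product) that ties the two together. It assumes a constructed inventory of clinical devices with hypothetical "vulnerable service" ports, constructed zone CIDR blocks and constructed flow records; it flags flows that cross a zone boundary or reach a vulnerable service, treats traffic to a host missing from the inventory as a visibility gap, and derives a default-deny rule set for the protected zone from the same inventory.

```python
"""Inventory-driven flow check and segmentation rules for a clinical zone.

Added example for the visibility and segmentation discussion; not code from
the article or any product. Every device, address, zone and flow below is
constructed sample data, and the "exposed_ports" labels are hypothetical
placeholders, not mappings to real advisories.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    zone: str
    # Ports of services the inventory marks as known-vulnerable and not yet
    # patchable (hypothetical for this example).
    exposed_ports: FrozenSet[int] = frozenset()


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" | "high" | "medium" | "info"
    device: str
    flow: Flow
    reason: str


# Constructed zones (CIDR blocks) and, for each protected zone, the zones
# that are allowed to initiate connections into it.
ZONES = {
    "clinical-devices": ip_network("10.10.0.0/24"),
    "clinical-workstations": ip_network("10.20.0.0/24"),
    "corporate": ip_network("10.30.0.0/24"),
    "guest": ip_network("192.168.50.0/24"),
}
ALLOWED_SOURCES = {
    "clinical-devices": {"clinical-devices", "clinical-workstations"},
}

# Constructed inventory: the "visibility" input everything else relies on.
INVENTORY = [
    Device("infusion-pump-01", "10.10.0.11", "clinical-devices", frozenset({23})),
    Device("patient-monitor-07", "10.10.0.27", "clinical-devices", frozenset({445})),
    Device("imaging-ws-02", "10.20.0.5", "clinical-workstations"),
]
BY_IP = {d.ip: d for d in INVENTORY}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is outside all zones."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(flow: Flow) -> Optional[Finding]:
    """Classify one flow against the inventory and zone policy."""
    dst_zone = zone_of(flow.dst)
    if dst_zone not in ALLOWED_SOURCES:
        return None  # destination is not in a protected zone; out of scope
    device = BY_IP.get(flow.dst)
    if device is None:
        # A host we do not know about inside the protected zone is itself a
        # finding: no policy can be enforced for a device that is not visible.
        return Finding("info", flow.dst, flow,
                       "traffic to unknown host in protected zone: inventory gap")
    src_zone = zone_of(flow.src)
    cross_zone = src_zone not in ALLOWED_SOURCES[dst_zone]
    hits_exposed = flow.dport in device.exposed_ports
    if cross_zone and hits_exposed:
        return Finding("critical", device.name, flow,
                       f"{src_zone or 'unknown'} zone reached vulnerable service "
                       f"{flow.proto}/{flow.dport}")
    if cross_zone:
        return Finding("high", device.name, flow,
                       f"segmentation violation from {src_zone or 'unknown'} zone")
    if hits_exposed:
        return Finding("medium", device.name, flow,
                       f"vulnerable service {flow.proto}/{flow.dport} in use from a "
                       "permitted zone; confirm business need before enforcing deny")
    return None


def evaluate_flows(flows: Iterable[Flow]) -> List[Finding]:
    return [f for f in (evaluate_flow(fl) for fl in flows) if f is not None]


def segmentation_rules(inventory: Iterable[Device] = INVENTORY) -> List[str]:
    """Derive a default-deny rule set for each protected zone from the inventory."""
    rules: List[str] = []
    for zone, allowed in ALLOWED_SOURCES.items():
        for dev in inventory:
            if dev.zone != zone:
                continue
            for port in sorted(dev.exposed_ports):
                rules.append(f"deny any -> {dev.ip}:{port}  # {dev.name}: vulnerable service, contain until patched")
        for src in sorted(allowed):
            rules.append(f"allow zone:{src} -> zone:{zone}")
        rules.append(f"deny any -> zone:{zone}")
    return rules


# Constructed flow records, as a monitoring sensor might export them.
SAMPLE_FLOWS = [
    Flow("192.168.50.12", "10.10.0.11", 23),   # guest -> pump, telnet
    Flow("10.30.0.44", "10.10.0.27", 443),     # corporate -> monitor, https
    Flow("10.20.0.5", "10.10.0.27", 445),      # workstation -> monitor, SMB
    Flow("10.20.0.5", "10.10.0.27", 443),      # workstation -> monitor, normal
    Flow("192.168.50.12", "10.10.0.99", 80),   # guest -> host not in inventory
    Flow("10.20.0.5", "10.30.0.9", 443),       # workstation -> corporate, unprotected
]

if __name__ == "__main__":
    for f in evaluate_flows(SAMPLE_FLOWS):
        print(f"[{f.severity:8}] {f.device:20} {f.flow.src} -> {f.flow.dst}:{f.flow.dport}  {f.reason}")
    print("\n".join(segmentation_rules()))
```

Run as written, the sample flows produce four findings (critical, high, medium, info) and the last two flows produce none; the rule set denies the two vulnerable ports outright, allows the two permitted zones and ends with a default deny for the clinical zone. The point of deriving both the detections and the rules from one inventory is the one the article makes: a device that is missing from the inventory is protected by neither.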
Network monitoring solutions are effective at providing the visibility required to implement effective segmentation policies and to protect medical devices on an automated and continuous basis, much as the medical devices they protect continuously monitor patients. In this way, cybersecurity practitioners can treat many healthcare-specific ailments, in keeping with the age-old adage, “physician, heal thyself.”