– It’s been long established that the healthcare threat landscape, in terms of its prime targeted nature and the vast number of connected supply chain vendors and medical devices, poses an equal amount of risk and network security challenges.
What was already an overextended issue became vastly daunting amid the national emergency declaration brought on by COVID-19. At the same time, threat actors ramped up targeted attacks against the sector.
Healthcare delivery organizations quickly scaled implementations of technologies designed to support the response, including telehealth platforms, new fleets of medical devices, and other patient support technologies.
This includes temporary care sites and labs, along with troves of connected devices and telehealth platforms desperately needed to adequately support patient care. While crucial, these devices further expanded an already over-extended hospital threat landscape.
Richard Staynings, chief security strategist for Cylera, confirmed that telemetry data shows that COVID-19 brought on a massive increase in the use of CT scanners and patient telemetry systems, such as blood pressure cuffs, EMRs, airflow machines, and similar technologies.
These vulnerable technologies extend beyond traditional medical devices to the tools needed to mitigate the spread of the virus within the hospital. For example, airflow devices designed to remove germs and other communicable diseases from the hospital.
Data show that the optimization of medical technologies has increased more than 20 percent over normal levels amid the response. At the same time, the nursing shortage has been exacerbated by the pandemic, leading to an increase in tools to monitor patients at the bedside.
Further, caring for COVID-19 patients forced some hospitals to pull patient support technologies out of the room, to allow fewer interactions at the bedside and reduce the chances of spreading the virus.
“In the rush to keep up with the rising demands on healthcare during the pandemic, many healthcare delivery organizations quickly onboarded a host of devices,” said Azi Cohen, CEO of CyberMDX. “While it was 100 percent necessary to move so quickly to keep up with growing demand on medical services and provide patients with lifesaving care, unfortunately in many cases security onboarding processes were moved to the backburner or skipped altogether.”
“This reality, although necessary from a patient care perspective, has created unmanaged risk to patient safety, personal health information confidentiality, and the overall clinical network,” he added. “The lack of proper onboarding creates a number of question marks where security is concerned.”
Medical device security has always proved challenging, even amid these heightened risks. The question has always been: How can providers and device manufacturers work together to better communicate and shore up these critical risks to patient safety?
Staynings and Cohen broke down the key issues and best practices for HealthITSecurity.com, in hopes that healthcare delivery organizations will understand the need to prioritize the security of IoT, medical devices, and patient support technologies and keep access to these technologies out of the hands of attacks.
Rob Suárez, vice president and CISO of BD also shared a vendor’s perspective on the need for transparent disclosures to support providers in these critical efforts.
Key Challenges and Security Reassessment Recommendations
A recent Masergy survey of IT leaders named medical device security as the leading IT challenge healthcare entities are facing under the current landscape. Nearly all healthcare organizations have seen a serious increase in network traffic in the last year, given the surge of remote healthcare and increased use of IoMT devices.
The expanded inventory of devices further exacerbated the inherent risks: many of these platforms use legacy operating systems and have vulnerabilities that sometimes just can’t be patched.
For example, TCP/IP stacks, foundational elements of millions of IoT and IT devices, are riddled with security flaws easily exploitable by attackers. A successful hack could allow for remote code execution, data loss, or patient safety risks.
“Devices can’t be equipped with tools to prevent malware, and you can’t lock them down in the way you could with a laptop or workstation,” Staynings said. “It’s also not straightforward to patch the devices because of the complexity of vendor relationships that watch and service these devices.”
But the real challenge is that the devices are managed by IT, which means the security team doesn’t have much visibility into the risk they present to the overall network—unless the hospital leverages automated scanning or risks assessments, Staynings stressed.
The rapid adoption of telehealth solutions in the past year has added to these risks. Cohen explained that many of these solutions were placed onto devices that did not employ proper Mobile Device Management (MDM) solutions.
As these devices now carry PHI and there are huge visibility challenges into their condition and control of the data, these devices carry an equally critical risk, he added.
Staynings noted that perpetrators are seeing the interoperability of the sector as an easy way to compromise a hospital or healthcare network. As such, they’re actively scanning for medical devices.
Data upholds that nation-state actors are looking to attack devices using the DICOM port: a key tool for viewing medical images from the Picture Archiving and Communication System (PACS), explained Staynings.
However, these technologies are riddled with flaws, with a range of US healthcare providers leaving millions of medical images exposed online. And a majority (80 percent) of devices operate using legacy platforms that are no longer supported, including Microsoft Windows XP.
The trouble is that the devices are designed to operate for 15 to 20 years, and as long as they keep working, “it’s financially unjustified to replace perfectly working devices,” said Staynings. As a result, these devices are kept in operation despite operating on vulnerable systems.
These issues are further compounded by hospitals and those tasked with managing devices not responding quickly enough to patching and system updates because of how organizations are structured.
Some vendors have also been slow to test and assess patches, then communicate to providers that these updates are available.
“These are simple questions that, had the right amount of time been devoted to onboarding each device, would have been answered before the deployment,” Cohen added.
Medical Devices Reassessment and Visibility Needs
One of the key issues with medical devices within the healthcare enterprise network is that far too often, administrators are both unaware of the precise number of devices operating on the network at any given time and just who is connecting to these devices and the network through the web of devices.
In one example, Staynings shared that during an assessment of one hospital, he found 30,000 connected devices operating on the network. About 17,000 of those devices were missing a security patch and thus, posing a serious security risk.
As such, visibility into the entire fleet of medical devices is one of the first most important steps to reassuring that newly implemented and established devices are secure, Cohen explained. It’s impossible to protect something if the administrator does not know it exists.
Security leaders must perform a complete and accurate inventory, which will allow selected security solutions to begin extending network security controls over the devices and analyze the state of all newly implemented devices.
The next steps should include reaffirming that the most obvious threat actors are eliminated, which must include ensuring devices have passwords and authentications, known vulnerabilities are patched, anti-malware tools are employed, and unnecessary ports are closed, Cohen added.
“It’s important to say that while experts in medical care, doctors, nurses and hospital administrators are not cybersecurity professionals, nor should they be expected to be,” Cohen said.
“Establishing visibility and ensuring continuous device security is difficult and requires constant vigilance, and medical professionals should not be expected to provide the high level of patient care desired, while also worrying about the cybersecurity implications of adding new devices,” he added.
To better support these efforts and reduce the burden, hospitals need to implement cybersecurity solutions that can better establish end-to-end visibility onto the network and monitor for potential intrusions, he explained.
Inventory Management Best Practices
CyberMDX research shows an average of 30 percent of devices are routinely lost from the network, which poses massive issues for the teams tasked with securing the fleet.
Even a small hospital can still operate with more than 150 families of devices, which can total thousands of devices. Cohen explained that it would be nearly impossible to keep up with every single vulnerability through a manual process.
“As proper cybersecurity is a never-ending 24/7 effort, the first key is automation. With the size of modern medical networks, security teams struggle to keep up with the thousands of devices moving about the hospital and going in and out of service on a daily basis,” Cohen said.
“Today we have the technology to automatically inventory network devices, assess their security posture and bring them into compliance,” he continued. “We can do this by detecting and remediating issues on the device itself and by putting layers of protection around the devices either on the network or on the perimeter level – to mitigate issues that can not be remediated.”
Staynings confirmed that automation should not be an optional process for medical devices, given the scale of deployment and estimates that show the number of connections within a hospital network will only continue to rapidly expand into the foreseeable future.
Automation can extend to creating profiles for endpoints, configurations, all user profiles, monitoring, and other elements needed to support a Zero Trust approach, he added.
Once an organization has developed a thorough inventory and process, administrators must then prioritize which devices and vulnerabilities are most critical and move down the list of devices, he added.
In the hospital setting, this means a deep clinical context based on each device, its patient safety classification, and the role it plays in care workflows will be crucial to prioritizing and mitigating key issues.
To Staynings, medical device security and these needed technologies require prioritization by senior healthcare executives.
A Vendor’s Perspective
In August 2018, a MedCrypt report showed there’s been a 400 percent increase in the number of vulnerabilities disclosed each quarter since the FDA released its medical device cybersecurity guidance.
While the spike may appear alarming, it’s actually a positive move in the right direction for securing the medical device infrastructure. BD has been one of the vendors leading in disclosures, which Suarez stressed is part of the vendor’s goals to bolstering transparency and supporting providers in this key security area.
“There is a patient at the end of everything we do,” he explained. “When looking at security, as a company, we apply that philosophy: protecting healthcare and making healthcare more resilient; and protecting the patient’s privacy and safety.”
“We approach medical device security that elevates security to a patient safety issue,” Suarez added. “We have this organization dedicated to cybersecurity at BD, including IT infrastructure and protecting supply chain, manufacturing and distribution capabilities.”
As medical technologies leverage software designed by humans, there will always be bugs and defects, said Suarez. So when it comes to disclosures, the goal is to provide transparency on the risks of medical devices and communicate those issues to customers.
Providers can’t protect what they don’t know about, so if a vendor fails to communicate those risks to customers about discovered flaws, they won’t be able to protect their enterprise or the patients they serve, he explained.
One of the best ways to communicate these risks is through the H-ISAC and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency. Suarez noted that the collaboration between these key stakeholders makes it easy to broadly communicate risks to the community.
All vendors and manufacturers need to adopt a similar approach to communicating risks, as human-designed technology will always come with fundamentally fallible elements. It’s also a sign of care and transparency to customers, especially when it comes to sharing tough issues.
“I don’t think vulnerability sharing should be taboo or frowned upon,” Suarez said. “A vulnerability disclosure shows maturity in an organization’s ability to understand new cyber risks, create mitigation steps, and communicate those needs to customers.”
“Medical device risk is not going to end until we all understand that technology has defects and issues, and communicating those risks are just a necessary next step,” he added. “Cyberattacks will always happen. It’s not only about mitigation or incorporating a securing tool: There has to be a broader approach to building resilience into the healthcare environment.”