This week’s Cybersecurity Awareness Month topic is Securing Internet-Connected Devices in Healthcare. With all the healthcare concerns we have this year, the last thing we want to happen is a breach of a vital system that further endangers anyone’s health. German authorities are already investigating a death caused by a breach at a hospital. And one of the largest healthcare providers in the US recently experienced a breach. But both of these were caused by human error that released malware on the network. So why should we be concerned about the security of Internet-connected devices?
What Are the Dangers Associated with Internet Connected Devices?
Third Parties
To start with, they are often connected to third parties. I was personally affected by the Target and Home Depot breaches. Both of these were the result of third parties not being secure. And the Target event was due to their A/C thermostats being compromised from the third-party company’s side. Since these devices were on the same network as their cash registers, the bad actor was able to compromise the thermostat and then take their time mining all the information they wanted.
Unlimited Network Access
Speaking of network segmentation, security is usually more trusting of connections inside the firewall than outside. When a device is connected to the internal network, all forms of communication are permitted, and routers are more than happy to pass traffic to any requested address, no questions asked. Add to that the fact that many networks are not segmented into different trust levels, and once an internal device, whether a PC or an IP camera, is compromised, the bad actors are free to move about the network.
Coders
Now, I’m not saying that all programmers are bad. Generally though, security is an afterthought for them. The Uber breach was caused by a server’s admin password being saved in plain text on GitHub. When it comes to Internet-connected devices, one article describes an IP door lock that could be reprogrammed because the developer imported the API for all home automation and did not shut off the parts not associated with a door lock. Hackers were able to use their app to take control of other devices and even give themselves an unlock code to the front door of anyone who had that app installed on their phone.
What Healthcare Devices are Connected?
The Internet of Things (IoT) has opened up a world of possibilities in medicine: when connected to the internet, ordinary medical devices can collect invaluable additional data, give extra insight into symptoms and trends, enable remote care, and generally give patients more control over their lives and treatment.
Econsultancy Article
We are utilizing “wearables” every day. Fitbit and Apple Watch increase the amount of health data they collect with every new version. But what about insulin pumps? OpenAPS, or Open Artificial Pancreas System, offers type 1 diabetics who have compatible medical devices and are willing to build their own system the ability to create their own basic closed-loop APS technology. How about ensuring people take their medication? Proteus has the first FDA-approved swallowable sensor that checks your stomach when you take your medication and sends a notification to a smartphone app confirming that you are taking your medication as prescribed. And the list goes on. Imagine some bad actor gaining access to any of these devices. And IV pumps, hospital beds, cardiac monitors, etc. are all being developed.
Aren’t Healthcare Providers Safe?
Besides the two incidents linked above, healthcare providers still seem to be a popular target for hackers. Third-party vendors and phishing campaigns seem to be the way in the front door, but once they are in, the world is their oyster. According to Forescout, 39% of healthcare IoT systems and 53% of common medical devices are still using legacy systems like Windows 7.
In fact, by 2020, 70 percent of all healthcare devices will be operating on Windows systems, which will no longer be supported by Microsoft beginning January 14.
Forescout
Clearly, healthcare IT departments have their hands full. In many hospitals, management of these devices doesn’t fall under IT. Luckily, this is changing, and changing quickly. But as CSOs and CISOs start dealing with the devices, what should they do?
What Can Be Done to Ensure They Are Safe?
Segmentation
As mentioned previously, these devices should be treated as untrusted and segmented into their own network. Then, rules should be applied permitting only the IP addresses that need to communicate to do so, and only on the ports they need to communicate on. Diligence is required to ensure that your insulin pump isn’t trying to download your user accounts from Active Directory.
Infrastructure Analytics
Programs that watch behavior of devices should be deployed. They can see when the IoT devices are performing functions or trying to connect to places they shouldn’t be.
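The segmentation rules and the behavior monitoring described above can share one source of truth: a default-deny allowlist that flow records from the device segment are checked against. The sketch below is an added example, not from the original article; every address, port and log line in it is constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): medical devices sit in their own segment.
DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")

# Default-deny allowlist of (source, destination, protocol, port); all values constructed.
ALLOW = [
    ("10.50.0.0/24", "10.10.1.20/32", "tcp", 443),    # devices -> clinical data gateway
    ("10.50.0.0/24", "10.10.1.5/32", "udp", 123),     # devices -> internal NTP
    ("10.50.0.15/32", "10.10.2.30/32", "tcp", 2575),  # one pump -> HL7 interface engine
]

def permitted(src, dst, proto, port):
    """True only if an allowlist rule matches source, destination, protocol and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(rs) and d in ipaddress.ip_network(rd)
        and proto == rp and port == rport
        for rs, rd, rp, rport in ALLOW
    )

def audit(flow_lines):
    """Return (violations, malformed): device-segment flows no rule permits, and bad lines."""
    violations, malformed = [], []
    for line in filter(str.strip, flow_lines):
        try:
            ts, src, dst, proto, port = line.split()
            proto, port = proto.lower(), int(port)
            if ipaddress.ip_address(src) in DEVICE_NET and not permitted(src, dst, proto, port):
                violations.append((ts, src, dst, proto, port))
        except ValueError:
            malformed.append(line)  # unparseable records are surfaced, not dropped
    return violations, malformed

# Constructed sample flow records: timestamp src dst proto dport
SAMPLE = """\
08:00:01Z 10.50.0.15 10.10.1.20 tcp 443
08:00:05Z 10.50.0.15 10.10.2.30 tcp 2575
08:03:40Z 10.50.0.22 10.10.0.10 tcp 389
08:03:41Z 10.50.0.22 203.0.113.7 tcp 443
08:04:00Z 10.20.3.8 10.10.0.10 tcp 389
08:05:00Z 10.50.0.30 10.10.2.30 tcp 2575
08:06:00Z 10.50.0.31 tcp
"""

if __name__ == "__main__":
    bad, junk = audit(SAMPLE.splitlines())
    for v in bad: print("VIOLATION", *v)
    print(len(junk), "malformed record(s)")
```

On the sample, the flagged flows are a device reaching a directory server on LDAP port 389, a device reaching an external address, and a device using a rule scoped to a different pump; the workstation at 10.20.3.8 is outside the device segment and is not audited here.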
Patching, Patching, and more Patching
It’s been said many times, but it cannot be said enough. Ensure your systems are patched to the latest firmware or security patch. When a patch is released, make sure you understand what is needed to correct the issue. It may require other actions besides applying the patch.
Training
Just like patching, it can’t be said enough that user error is the biggest cause of breaches. Train the staff on how to operate the devices safely and securely. Win them over to your security team and they can be your best ally.
Conclusion
Internet-connected healthcare devices currently face significant challenges. Recognizing the challenges and having a plan to overcome them is the most important part. Now is the time to start working on that plan. More devices are connected every day. And with the sensitive nature of the information that can be compromised, actions must be swift and secure. When the medical device itself can be compromised, that has further-reaching implications.