The topic of this week’s Cybersecurity Awareness Month blog is Securing Internet-Connected Devices in Healthcare. With all the healthcare concerns we have this year, the last thing we want to happen is a breach of a vital system that further endangers anyone’s health. German authorities are already investigating a death caused by a breach at a hospital. And one of the largest healthcare providers in the US recently experienced a breach. But both of these were the result of human error that released malware on the network. This blog post explains why we should be concerned about the security of internet-connected devices.
What Are the Dangers Associated with Internet Connected Devices?
Third Parties: To start with, these devices are often connected to third parties. I was personally affected by the Target and Home Depot breaches. Both of these were the result of third parties not being secure. And the Target event was due to their A/C thermostats being compromised from the third-party company’s side. Since these devices were on the same network as their cash registers, the bad actor was able to compromise the thermostat, and then take their time mining all the information they wanted.
Unlimited Network Access: Security is usually more trusting of connections inside the firewall than outside. When a device is connected to the internal network, all forms of communication are permitted, so routers are more than happy to pass traffic to any requested address, no questions asked. Add to that the fact that many networks are not segmented into different trust levels, and once an internal device, whether a PC or an IP camera, is compromised, the bad actors are free to move about the network.
Coders: Now, I’m not saying that all programmers are bad. Generally, security is an afterthought for them. The Uber breach was caused by a server’s admin password being saved in plain text on GitHub. When it comes to internet-connected devices, one article describes an IP door lock that could be reprogrammed because the developer imported the API for all home automation and did not shut off the parts not associated with a door lock. Hackers were able to use their app to take control of other devices and even give themselves an unlock code to the front door of anyone who had that app installed on their phone.
What Healthcare Devices are Connected?
“The Internet of Things (IoT) has opened up a world of possibilities in medicine: when connected to the internet, ordinary medical devices can collect invaluable additional data, give extra insight into symptoms and trends, enable remote care, and generally give patients more control over their lives and treatment.” Econsultancy Article
We are utilizing “Wearables” every day. With every new version, FitBit and Apple Watch add to the amount of health data they collect. But what about insulin pumps? OpenAPS, or the Open Artificial Pancreas System, offers type 1 diabetics the ability to create their own basic closed-loop APS technology; it is open to anyone who has compatible medical devices and is willing to build their own system. How about ensuring people take their medication? Proteus has the first FDA-approved swallowable sensor that checks your stomach when you take your medication and sends a notification to a smartphone app confirming that you are taking your medication as prescribed. And the list goes on. Imagine some bad actor gaining access to any of these devices. And IV pumps, hospital beds, cardiac monitors, etc. are all being developed.
Aren’t Healthcare Providers Safe?
Besides the two incidents linked above, healthcare providers still seem to be a popular target for hackers. Third-party vendors and phishing campaigns seem to be the way in the front door, but once they are in, the world is their oyster. According to Forescout, 39% of healthcare IoT systems and 53% of common medical devices are still using legacy systems like Windows 7.
“In fact, by 2020, 70 percent of all healthcare devices will be operating on Windows systems, which will no longer be supported by Microsoft beginning January 14.” Forescout
Clearly the healthcare IT departments have their hands full. In many hospitals, management of these devices doesn’t fall under IT. Luckily this is changing and changing quickly. But as CSOs and CISOs start dealing with the devices, what should they do?
What Can Be Done to Ensure They Are Safe?
Segmentation: As mentioned previously, these devices should be treated as untrusted and segmented into their own network. Rules should then be applied permitting only the IP addresses that need to communicate to do so, and only on the ports they need to communicate on. Diligence is required to ensure that your insulin pump isn’t trying to download your user accounts from Active Directory.
Infrastructure Analytics: Programs that watch the behavior of devices should be deployed. They can see when the IoT devices are performing functions or trying to connect to places they shouldn’t be.
Patching, Patching, and more Patching: It’s been said many times, but it cannot be said enough. Ensuring your systems are patched to the latest firmware or security patch is crucial. When a patch is released, make sure you understand what is needed to correct the issue. It may require other actions besides applying the patch.
Training: Just like patching, it can’t be said enough that user error is the biggest cause of breaches. Make sure your staff is trained on how to operate the devices safely and securely. Win them over to your security team and they can be your best ally.
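The Segmentation and Infrastructure Analytics items above can be combined into one check, shown here as an added example that is not part of the original post: flows leaving the device segment are compared against a default-deny allowlist, and anything else raises an alert. The addresses, the segment range and the flow-record format are all assumptions made up for illustration.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Assumed addressing (hypothetical): medical devices live in 10.50.0.0/24.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Default deny: only these (destination, protocol, port) tuples are allowed
# out of the device segment. All addresses are placeholders.
ALLOW = [
    (ipaddress.ip_network("10.20.0.10/32"), "tcp", 443),   # device management server
    (ipaddress.ip_network("10.20.0.53/32"), "udp", 53),    # internal DNS
    (ipaddress.ip_network("10.20.0.123/32"), "udp", 123),  # internal NTP
]

# Constructed flow records, one per line: "src dst proto dport"
SAMPLE_FLOWS = """\
10.50.0.21 10.20.0.10 tcp 443
10.50.0.21 10.20.0.53 udp 53
10.50.0.21 10.10.0.5 tcp 389
10.50.0.34 203.0.113.7 tcp 443
10.30.0.8 10.10.0.5 tcp 389
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        flows.append(Flow(parts[0], parts[1], parts[2].lower(), int(parts[3])))
    return flows

def is_permitted(flow):
    """True if the destination, protocol and port match an allow rule."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.proto == proto and flow.dport == port
               for net, proto, port in ALLOW)

def violations(flows):
    """Flows leaving the device segment that no allow rule covers."""
    return [f for f in flows
            if ipaddress.ip_address(f.src) in DEVICE_SEGMENT and not is_permitted(f)]

if __name__ == "__main__":
    for f in violations(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {f.src} -> {f.dst} {f.proto}/{f.dport} not in allowlist")
```

In the sample data, the device reaching a directory server on LDAP port 389 and the device reaching an outside address are flagged, while the workstation in 10.30.0.0 is ignored because it is not in the device segment.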
Internet-connected healthcare devices currently face significant challenges. Recognizing the challenges and having a plan to overcome them is the most important part. Now is the time to start working on that plan. More devices are connected every day. Actions must be swift and secure given the sensitive nature of the information that can be compromised. When the medical device itself can be compromised, that has further-reaching implications. Conversant Group, or any cybersecurity provider, can help you make your security planning as painless as possible.