A Wall Street Journal article from last summer titled “Code Dark: Children’s Hospital strives to minimize the impact of hacks” describes a new trend in healthcare: in the event of a cyberattack, hospital staff are trained to shut down computers and medical devices to prevent attackers from moving laterally within the network and to contain the spread of ransomware and other malware.
That Code Dark initiatives are needed at all illustrates the scale and nature of the challenge healthcare organizations face in protecting their IT infrastructure – and their patients.
Insecurity of medical devices
Hospitals are a frequent target of hackers, and the Association of American Medical Colleges (AAMC) reports that attacks have increased by 45% since 2020, as cybercriminals and cybercrime syndicates have stepped up their activity to take advantage of the chaos that followed the start of the pandemic. Such attacks are disruptive and costly. The 2022 Cost of a Data Breach report from IBM and the Ponemon Institute found that successful cyberattacks cost US hospitals $10.1 million per incident.
In its “Cyber-insecurity in healthcare: cost and impact on patient safety and care” study for the security company Proofpoint, the Ponemon Institute found that most hospitals had suffered 40 or more attacks in the past year, or nearly one attack per week. More worryingly, many organizations victimized by the four most common types of attacks – cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoof phishing – reported increased patient mortality rates.
For healthcare delivery organizations (HDOs), unsecured Internet of Medical Things (IoMT) devices are a major concern. HDOs have an average of more than 26,000 network-connected devices, including 10-15 connected medical devices per bed. Healthcare facilities also rely heavily on operational technology (OT) and industrial control systems to operate the physical plant and the power, water and air quality management systems. These organizations may also have tens of thousands of Internet of Things (IoT) devices, such as smart TVs, security cameras, parking systems, badge readers, and communications equipment, connected to the Internet alongside the traditional IT infrastructure.
Reports such as those from Springhill Medical Center in Alabama, where an undisclosed ransomware attack was blamed for contributing to the death of an infant, illustrate the potential for cyberattacks to have tragic consequences. As the number of connected and unmanaged devices explodes, threat actors targeting IoT, IoMT and OT devices have the potential to undermine patient confidence in the ability of healthcare organizations – and of the sector as a whole – to provide high-quality care and to protect their safety.
To counter the threat and maintain patient safety, the plethora of connected devices used in hospitals today must be continuously monitored and secured. It is a huge job to avoid Code Dark events that force doctors, nurses, and frontline hospital staff to shut systems down after an attack. Cyberattacks move too quickly, and even the most prepared people are prone to mistakes in high-stress situations like a Code Dark event. Each connected device increases the attack surface, and there is no way to monitor all of these devices manually. Pulling the plug after an attack is a high-risk prospect. Cybersecurity in healthcare environments requires automation.
The role of medical device manufacturers
Why not just insist that medical device manufacturers fix the problem they helped create? Medical device manufacturers are well known for innovative and life-saving technologies that are essential to delivering high-quality patient care, but like many IoT manufacturers, these companies do not treat security as a primary design consideration. This has left the responsibility for securing IoMT devices to the HDOs. But as their inventories and attack surfaces grow, HDOs cannot keep pace with the ever-widening risk gap.
Medical devices and systems designed and deployed today often remain in service for more than a decade. During their extended life cycle, operating systems and other software components may become obsolete; in fact, up to 20% of devices running on a hospital network are likely to be running outdated and unsupported software such as Windows 7/8/10. Even with devices running more modern operating systems, safety and manufacturer regulations may dictate that the equipment cannot be taken offline or patched in the same way as traditional computer systems. As a result, hospitals and HDOs may have hundreds or even thousands of devices both vulnerable and in service connected to their network, making the organization an easy target for a cybercriminal.
Lawmakers and regulators who recognize this threat to public safety have attempted to remedy the situation with bills, such as the Protecting and Transforming Cyber Health Care (PATCH) Act, requiring medical device manufacturers to follow security-by-design practices to harden their products against attacks. However, the political process and results can take years to materialize, and hospitals simply cannot wait that long.
Actions for healthcare establishments
While device manufacturers must design robust security into all IoMT devices, healthcare providers must also take responsibility for device security. Healthcare and public health organizations must act now to proactively protect their systems and their patients; they cannot afford to do the minimum to secure their networks – especially when patient safety is at stake. When hospitals do not know exactly what is connected to their networks, it is impossible to understand what is really at risk. This makes them particularly vulnerable to events such as North Korea’s “Maui ransomware” attack targeting the US healthcare industry.
Fortunately, hospitals can take immediate action, using new technologies to improve the security of connected health devices by using automation to maintain an up-to-date device inventory, identify risks, and monitor device communications:
- Automate device discovery and classification to enable accurate, real-time device data and inventory.
- Identify devices with outdated operating systems or other risks such as misconfiguration and unauthorized or vulnerable software.
- Track communications to countries like Russia and North Korea, and monitor the web reputation of sites these devices connect to.
- Identify and monitor devices using high-risk privileged protocols (e.g., SMBv1 and RDP), to confirm that these protocols are truly needed and, if so, to ensure they are being used for legitimate purposes.
- Segment devices running outdated operating systems that the team cannot fix. Enable only approved communications required for device operations to limit exposure.
- Baseline all communications from connected devices to ensure that they do not deviate from their purpose. Whenever ransomware takes control of a device, there is communication with an internet-based command-and-control site and the potential for lateral movement across the organization. Any detected deviation from baseline communications is an indicator of compromise.
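As an added example, not code from the article or from Ordr, the short Python script below applies the checklist above (inventory coverage, unsupported operating systems, high-risk protocols, and deviation from a per-device communications baseline) to constructed device and flow records; every device name, address and approved destination in it is an assumption.

```python
"""Inventory and baseline checks for connected medical devices.

Added example, not code from the article or from Ordr. The device
inventory, flow records and approved ("baseline") destinations below
are constructed for illustration.
"""
from collections import defaultdict

UNSUPPORTED_OS = {"Windows 7", "Windows 8"}   # legacy OSes the article names
HIGH_RISK_PROTOCOLS = {"SMBv1", "RDP"}        # privileged protocols to review

# Constructed inventory: device -> (operating system, approved destinations)
INVENTORY = {
    "infusion-pump-12": ("Windows 7", {("10.0.5.20", 443, "HTTPS")}),
    "ct-scanner-3": ("Windows 10", {("10.0.5.21", 104, "DICOM")}),
}

# Constructed flow records: (device, destination ip, port, protocol)
FLOWS = [
    ("infusion-pump-12", "10.0.5.20", 443, "HTTPS"),    # on baseline
    ("infusion-pump-12", "203.0.113.7", 443, "HTTPS"),  # new external destination
    ("ct-scanner-3", "10.0.5.21", 104, "DICOM"),        # on baseline
    ("ct-scanner-3", "10.0.5.30", 445, "SMBv1"),        # legacy protocol, off baseline
    ("badge-reader-9", "10.0.5.40", 3389, "RDP"),       # device missing from inventory
]


def assess(inventory, flows):
    """Return {device: [findings]} for the risks the checklist names."""
    findings = defaultdict(list)
    for name, (os_name, _baseline) in inventory.items():
        if os_name in UNSUPPORTED_OS:
            findings[name].append(f"unsupported OS: {os_name}")
    for device, ip, port, proto in flows:
        if device not in inventory:
            # Inventory gap: traffic from an unknown device cannot be judged
            findings[device].append(f"not in inventory; seen talking to {ip}:{port}")
            continue
        _os, baseline = inventory[device]
        if (ip, port, proto) not in baseline:
            findings[device].append(f"off-baseline: {proto} to {ip}:{port}")
        if proto in HIGH_RISK_PROTOCOLS:
            findings[device].append(f"high-risk protocol {proto} to {ip}:{port}")
    return dict(findings)


if __name__ == "__main__":
    for device, items in assess(INVENTORY, FLOWS).items():
        print(device, *items, sep="\n  ")
```

An unknown device is reported on its own rather than silently skipped, since an incomplete inventory is itself one of the risks the article describes.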
Healthcare delivery organizations need complete visibility into IoT, IoMT, and OT to identify and manage cybersecurity risks throughout the lifecycle of these devices. They also need a commitment from medical device manufacturers to think ahead and work hand-in-hand with them when designing connected medical devices.
Greg Murphy, Advisor, Ordr