Medical-device security has long been a challenge, with the same management issues that all IoT gadgets have faced.
A hacked insulin pump is the last thing a diabetic wants to be concerned about when undergoing treatment. Unfortunately, concerns about medical device IT security are a healthcare reality.
During 2020, the US Cyber-Security & Infrastructure Security Agency (CISA) issued more than a half-dozen warnings tied to connected drug pumps alone.
Vulnerabilities found in pumps made by Baxter International & Becton Dickinson Alaris System, for example, could be exploited to launch a DDoS attack, alter system configurations, or siphon off patient data.
A Diagnosis
Cyber-security has also become a major theme for the Federal Drug Administration, which oversees medical-device safety. In 2020, the FDA issued a flurry of warnings urging medical device-makers & hospitals to patch their hardware against a slew of vulnerabilities, ranging from SweynTooth and URGENT/11 to Ripple20 & SigRed.
Ripple20, for example, is a group of bugs found in June 2020 that plagues 53,000 medical device models. The flaws give remote attackers the ability to execute code remotely, according to Forescout research.
A year-long analysis of 5 million internet-of-medical-things (IoMT) devices found that 86% of healthcare users had more than 10 FDA recalls running inside their network, observes Ordr. Recalled IoMT devices can be considered defective, a health risk, or indeed both.
Symptoms
Experts warn medical-device security is a severe problem, now worsened by COVID healthcare issues.
Hospitals have been forced to prioritise budgets & staffing to focus on lifesaving care, meaning that IT security often takes a ‘back seat.’ Hackers are aware of this & are now capitalising on these healthcare strains with a tsunami of ransomware, phishing & other attacks.
US Hospital Networks
Universal Health Services was one of several US hospital networks hit in 2020 with ransomware attacks, causing significant day-to-day disruptions to over 400 facilities across the US, Puerto Rico & the UK. Tom August, a CISO in the healthcare field, explains that the medical-device aspect of such disruptions is important.
“The likelihood is low, but there is a really high potential impact if one of these devices is attacked,” August commented.
“Maybe you put ransomware on my computer. That is bad. But if you have malware on a medical device that a patient is hooked up to, there is tremendous, wide-open risk to human life.”
Medical History
It should be recognised that medical-device security has long been a challenge, facing the same uphill management battle as the entire range of IoT gadgets: a lack of security by design, unclear mechanisms for patching & updates, & the potential for configuration mistakes (e.g., forgetting to change default passwords).
“The coronavirus isn’t creating more vulnerabilities in medical devices, it’s laid bare the problems that already exist,” observed Tim Erlin, VP of Product Management & Strategy at Tripwire.
Unique Challenges
The segment also faces some unique challenges. For example, because of strict FDA guidelines over device configuration and legally-binding vendor support contracts, patient-care facilities often must rely on slow-to-move vendors for patching, upgrades & replacements, a rare & expensive process.
“Medical devices are a blind spot for hospitals,” August said. “In many cases, hospitals can’t manage the devices – vendors do. We cannot patch them because vendors will not allow it. We can’t install anti-malware protection because vendors say it breaks the warranty.”
The Cure?
Reducing medical-device cyber-security risks may be really challenging, but there are some best practices that can help.
Taking a medical-device inventory is a first step in identifying the scope of the cyber-security challenge. The Ordr study found that 51% of IT teams are not aware of which types of devices are impacting their network.
Ordr also found Facebook & YouTube applications running on MRI & systems like Windows XP.
Ransomware
“Using medical devices to surf the web puts the organisation at a higher risk of falling victim to ransomware & other malware attacks,” comments the report.
Suggestions for locking down IoMT devices also include assessing a device’s exposure to the internet, disabling unnecessary or unused services on devices & segmenting critical networks by IoT-device needs.