Nearly every industry, including healthcare, faces a growing attack surface to secure with the expansion of internet-connected devices. Pictured: A biomedical engineering technician tests power on a portable X-ray unit at Brooke Army Medical Center at Fort Sam Houston, Texas. (Army)

The challenges of securing the medical device ecosystem in healthcare are well-known.

As healthcare continues its digitization expansion and interoperability efforts expand endpoint connections, gaining visibility into device inventories and connections and the risks posed to patient safety is “paramount to protecting healthcare,” Elisa Costante, vice president of research for Forescout, told SC Media.

“By knowing exactly which devices are on their networks, healthcare security leaders can create a strategy that is tailored to their environment and take actions to reduce their risk.”

A new report from Forescout’s Vedere Labs examines the increasing expansion of devices across all sectors, including an examination of the state of medical device security in healthcare. Namely, these devices pose obvious risks if exploited due to the potential impact on healthcare delivery and patient safety.

And while the ranking of riskiest devices didn’t considerably change within the industry, it did confirm nearly every industry is facing a growing attack surface with the rapid expansion of information technology (IT), internet of things (IoT) and operational technology (OT). Healthcare also has the unique addition of internet of medical things (IoMT) devices.

To compile the report, Vedere Labs researchers analyzed millions of devices from Forescout’s Device Cloud between Jan. 1 and April 30, which contained data from almost 19 million devices.

The data revealed that healthcare and retail have the lowest risk overall, with just 20% of devices having medium or high risk. Meanwhile, the government has 43% and financial 37%. In light of the research demonstrating the complex device challenges, the statistic stands out.

But as Costante points out, the stat doesn’t necessarily reflect that healthcare devices aren’t as risky; rather, “the availability of this information and the visibility into which devices are vulnerable and what risk they bring is still scarce.”

It’s a notable statement given researchers are increasingly looking at medical device vulnerabilities, as evidenced by multiple reports in the last few years and congressional testimonies.

For the healthcare sector, the report examines the ease in which medical devices can be exploited as they’re often used with a default configuration and many have default open ports or credentials when they are configured by a manufacturer, which are sometimes left unchanged even when deployed within the healthcare environment, explained Costante.

In addition to the well-known security challenges, like the long lifespan, operating on decades-old code, and unpatched devices, “medical devices require special upgrading procedures that delay patching,” she added. “Due to specialized software and firmware running on many medical devices, the patching procedure is not as easy as in a traditional computer. Not only is applying patches more difficult, but even the existence of patches is not guaranteed for vulnerabilities affecting third-party components.”

Unlike in other industries where the risk of device vulnerabilities can only lead to business disruptions and data or privacy exposure, medical device exploits can lead to patient impacts.

WannaCry was a prime example of a ransomware attack with rippling effects where the initial impact was seen in the health system’s corporate IT networks and “spilled over to medical devices, rendering them unusable.” A 2019 attack on an Alabama hospital disrupted fetal monitors, while a cyberattack on Elekta left cancer patients without treatment for several weeks due to device impacts.

However, the researchers note that in healthcare, the ranking of the riskiest medical devices is not nearly as “important than the fact they reflect the ongoing trend toward digitalization in healthcare, where medical devices are connected to the IT network and can generate and exchange patient data with other systems.”

Medical imaging devices remain problematic

One of healthcare’s most problematic challenges is its use of vulnerable devices, particularly those tied to medical imaging. A previous SC Media exclusive examined the U.S. health sector’s lack of action after a 2019 ProPublica report showed millions of medical images were actively being exposed online through unsecured Picture Archiving and Communication Systems (PACS).

As reported, the U.S. continues to utilize PACS without first closing major security gaps, and the same health systems employing unsecured PACS have also failed to close other critical vulnerabilities.

PACS are used by most healthcare delivery organizations for archiving medical images and for quickly sharing patient records and images between connected providers. But the tool, which relies on the highly vulnerable Digital Imaging and Communications in Medicine (DICOM) protocol, is ranked as one of the riskiest devices employed in the sector.

The latest Vedere report reaffirms the criticality of these medical imaging devices, tied to the frequent reliance on legacy IT operating systems, extensive network connectivity, and, as noted, the “use [of] the DICOM standard for sharing these files.”

“DICOM defines both the format for storing medical images and the communication protocol used to exchange them. The protocol supports message encryption, but its usage is configured by individual healthcare organizations,” the report authors wrote. “We observe unencrypted communications in many organizations, which could allow attackers to obtain or tamper with medical images.”
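The report's observation that DICOM encryption is left to each organization's configuration can be checked on the wire: a cleartext DICOM association begins with an A-ASSOCIATE-RQ PDU carrying the AE titles of both sides in plain ASCII, whereas a TLS-protected one begins with a TLS handshake record. The following is an added example, not Forescout's code or tooling, that labels captured flows accordingly; the flow records, IP addresses and AE titles are constructed for the example.

```python
"""Flag cleartext DICOM associations in captured flow payloads (added example)."""
import struct

# Application Context Name carried by every DICOM A-ASSOCIATE-RQ (DICOM PS3.7).
DICOM_APP_CONTEXT = b"1.2.840.10008.3.1.1.1"


def parse_associate_rq(payload: bytes):
    """Return (called_ae, calling_ae) if payload starts with a cleartext
    A-ASSOCIATE-RQ PDU, else None."""
    if len(payload) < 74 or payload[0] != 0x01:  # PDU type 0x01 = A-ASSOCIATE-RQ
        return None
    pdu_len = struct.unpack(">I", payload[2:6])[0]   # bytes after the 6-byte header
    version = struct.unpack(">H", payload[6:8])[0]   # protocol version, bit 0 must be set
    if (version & 1) == 0 or pdu_len + 6 > len(payload):
        return None
    called_ae = payload[10:26].decode("ascii", "replace").strip()
    calling_ae = payload[26:42].decode("ascii", "replace").strip()
    items = payload[74:6 + pdu_len]  # variable items follow 32 reserved bytes
    if items[:1] != b"\x10" or DICOM_APP_CONTEXT not in items:  # 0x10 = app context item
        return None
    return called_ae, calling_ae


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def classify_flows(flows):
    """flows: iterable of (src, dst, dport, first_bytes). Returns a findings list;
    the calling AE title identifies the modality for inventory purposes."""
    findings = []
    for src, dst, dport, data in flows:
        assoc = parse_associate_rq(data)
        if assoc:
            findings.append((src, dst, dport, "CLEARTEXT_DICOM", assoc[1], assoc[0]))
        elif looks_like_tls(data):
            findings.append((src, dst, dport, "TLS", None, None))
    return findings


def build_associate_rq(called: str, calling: str) -> bytes:
    """Construct a minimal A-ASSOCIATE-RQ for the sample flows (constructed, not captured)."""
    app_ctx = b"\x10\x00" + struct.pack(">H", len(DICOM_APP_CONTEXT)) + DICOM_APP_CONTEXT
    body = (struct.pack(">H", 1) + b"\x00\x00" + called.ljust(16).encode()
            + calling.ljust(16).encode() + b"\x00" * 32 + app_ctx)
    return b"\x01\x00" + struct.pack(">I", len(body)) + body


SAMPLE_FLOWS = [  # constructed sample: (src, dst, dport, first bytes of the TCP payload)
    ("10.0.1.20", "10.0.1.5", 104, build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_1")),
    ("10.0.1.21", "10.0.1.5", 2762, b"\x16\x03\x01\x00\xc8\x01\x00"),  # TLS ClientHello
    ("10.0.1.22", "10.0.1.9", 443, b"GET / HTTP/1.1\r\n"),  # not DICOM, ignored
]
```

Running `classify_flows(SAMPLE_FLOWS)` reports the first flow as CLEARTEXT_DICOM from CT_SCANNER_1 to PACS_ARCHIVE and the second as TLS; in practice the input would come from a packet capture or a flow sensor that records the first payload bytes.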

Patient monitors are also among the most vulnerable devices as “they often communicate with unencrypted protocols.”

However, the report authors note that focusing defenses on only whether a device is risky won’t solve these challenges as actors can exploit any exposed vulnerability to gain access to the network and pivot to other connections. What’s truly needed is a proper risk assessment to understand the attack surface and its growth, including granular classification into device types, vendors, models and firmware versions.