
Exposed: In wake of COVID-19 tech buying surge, medical device security in need of overhaul

The COVID-19 response further burdened health care resources, as many swiftly onboarded new technologies. Providers must now reassess those connections. (“Georgia National Guard” by The National Guard is licensed under CC BY 2.0)

In the rush to respond to COVID-19, many health care providers swiftly onboarded technologies to support the nation’s response and enable the rapid adoption of remote digital health platforms, such as connected medical devices and telemedicine tools.

And now, as the pandemic response begins to slow, hospitals and medical facilities are left to close the significant security gaps that emerged with the tech buying surge.

Health care was already a prime target for cyberattacks and other disruptions prior to the pandemic. And these new implementations may have inadvertently increased the number of unsecured endpoints and network weaknesses. At a time when threat actors use data exfiltration and extortion in the majority of ransomware attacks, the concern is that some providers may be leaving out the proverbial welcome mat for attackers.

“Due to the urgency for care and real-time needs of health care, which is unique from some other sectors, these solutions and services were sometimes implemented with a focus on speed rather than security,” said Troy Ament, Fortinet's field chief information security officer for health care. The biggest risk providers are facing right now is ransomware, he added, due to the impact it can have on care operations, the risk to patient safety, and the fact that the sector is just not prepared to respond.

Indeed, the rapid adoption of new technologies occurred across most sectors during the pandemic, but in health care, some of these implementations support patient care via virtual care options. And if these endpoints and access mechanisms aren’t secured, it could further exacerbate health care’s security issues.

For one, many delivery organizations expedited the adoption of connected medical devices to enable care mobility, an effort that began prior to the pandemic. Although many CISOs were aware of the need to secure the IoMT environment before the national emergency, Ament explained that the response forced many entities to push security initiatives into the back seat.

But as the U.S. health care system returns to more normal operations, Ament says both providers and medical device manufacturers are coming back to the table to either reinitiate those security projects or take on security reviews and improvements to bolster the medical device environment within the enterprise network.

Health care will remain key target, as attack sophistication grows

The health care sector is, and has always been, a key target for malicious actors, given its need for continual access to technology to support patient care, whether it’s accessing patient records through the electronic health record (EHR), or taking care of the patient at the bedside.

Previous FortiGuard Labs research shows that the pandemic only further emboldened attackers to target vulnerable sectors, taking advantage of human fears and providers fully focused on battling the virus.

But even before the pandemic, the health care and life sciences industries were moving through a rapid digital transformation to support modern care needs. The pandemic enabled providers to prioritize those efforts, with the rapid adoption of telehealth services and remote COVID-19 testing and vaccination centers.

Meanwhile, pharmaceutical and life science sectors engaged new technology methods to quickly develop and manufacture vaccines.

“This all means a vastly expanding digital attack surface in the context of a non-stop threat landscape and a continued cyber skills gap,” said Ament. “The attacks we’ve seen are both becoming more complex or sophisticated and they are growing in numbers – mainly because bad actors have realized that many healthcare systems have had to make tough choices when managing the risks they face.” 

“Most healthcare organizations were overburdened before the pandemic, but the pandemic made it worse,” he added.

Understanding the risks posed by an unsecured, connected medical device infrastructure will be crucial for health care providers moving forward, explained Ament. With the rise in virtual visit platforms and telehealth technologies implemented during the pandemic, providers must now evaluate and lock down any cloud technology or other efforts that support remote work.

Needed technology and policy reviews

Shadow IT is a massive vulnerability for all entities right now, but particularly for the health care sector, said Bert Kashyap, co-founder and CEO of SecureW2. Organizations brought on a lot of new applications and technologies, but many did not first clear the onboarding with the IT or security teams.

While understandable for providers who were in “emergency mode” and needed tech to support patients, all of these new apps and technologies will need to be properly vetted now that care teams are less burdened.

Fortunately, many of these IT teams already have the tools needed to bring a lot of these apps and services under control, including mitigation strategies. Kashyap explained that there are solutions that will sandbox questionable apps and technologies to provide, at the very least, a basic level of security.

“All entities that have gone through the firefighting process to get apps out there for business needs will now need to revert back to IT to find solutions that will harden the shells around these apps and devices to create a protection layer for these services,” said Kashyap.

The way Kashyap describes it, health care providers must focus on three key areas to ensure the infrastructure is secured: device ecosystems, device trust, and user access. Entities need some level of control over the device ecosystem and an understanding of how technologies speak to each other on the network.

IT teams or system administrators also need to ensure each device or app has a digital certificate and that the device is sanctioned to access the enterprise network or services across the board, he explained. Whether the environment is fully managed, bring-your-own-device, or a hybrid, there are tools and processes able to ensure device trust on the network.

As for user controls, entities must ensure they’re using the right mechanism for access. But most importantly, Kashyap stressed that organizations can’t rely on one tool or process to ensure the network is secured. All three functions must work in harmony through a sophisticated, multilayer approach.

Kashyap described one entity's proactive measures for securing and preparing its workforce: preemptively surveying employees to determine how they would react to particular situations. In doing so, the IT team was able to evaluate weaknesses and communication or reporting gaps that could hinder the response to real-world incidents.

The process is done in lieu of more punitive, highly stressful phishing scenarios. The preemptive surveys help to develop tailored training and policies for the workforce that can harden those weaknesses, he added.

For Ament, zero trust implementation for the health care sector is the ideal model, as health care continues to move the care model outside of the traditional care setting and nurses, doctors, clinicians and caregivers increasingly require seamless, secure access to patient data – regardless of location or leveraged device.

“At its core, it’s all about identity and access management,” said Ament. “While the pandemic is very much still in effect, as caseloads have gone down, there’s a real opportunity for healthcare organizations to evaluate and take stock of their cybersecurity strategies.” 

“A big part of this is going to be taking a more consolidated approach as opposed to a number of disparate point solutions,” he continued. “Multifactor authentication and zero trust are going to be key to all of these, especially as systems continue to be more distributed. IT governance will also be very important and ensuring that any project that’s undertaken has cybersecurity built into the entire lifecycle. As always, broad cybersecurity awareness is important too.”

For now, health care entities should review existing policies during the slowdown, especially as the threat landscape is becoming increasingly disruptive. As seen with the Kaseya incident, the supply chain, open source software, and a number of needed elements are under attack. Kashyap explained that there are a lot of issues in play, much more than in years past, and the IT team must prioritize guidance and supportive policies for the workforce.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
