Despite some sensationalized headlines, a new Armis survey reveals the biggest concern of healthcare IT leaders is much simpler. The riskiest devices in healthcare are building systems, such as HVAC or electrical systems, imaging machines, medication dispensing equipment, check-in kiosks, and monitoring equipment for vital signs due to ongoing vulnerabilities.
Armis surveyed 400 health IT leaders and another 2,000 individuals from other sectors to gauge understanding on the cybersecurity and threat landscape from a healthcare perspective.
Many of the data points align with recent reports: the overwhelming majority (82%) of respondents saw an increase in cyber risk in the last year, and 58% fell victim to a ransomware incident in the last 12 months.
The most pressing concerns for health IT leaders, in terms of threats, were found to be data breaches for half of the respondents, followed by attacks impacting hospital operations (for 23%) and ransomware attacks (for 13%).
Armis Chief Technology Officer Oscar Miranda and CISO Curtis Simpson spoke with the media on the survey results and what stood out about the ongoing threats and vulnerabilities. Both were stunned to see that HVAC systems were named as one of the most pressing concerns.
Stacking up vulnerabilities
The first time an HVAC system was used as a point of entry was the 2014 Target breach, explained Miranda. Seven years later, IT professionals are still concerned about and uncomfortable with these oft-vulnerable systems, as well as their troves of medical devices.
For example, a previous Armis report revealed nine vulnerabilities in a piece of critical infrastructure tech used by the majority of hospitals: pneumatic tube systems. The flaws leave those systems susceptible to attack. About 3,000 healthcare systems are vulnerable from the pneumatic tube flaws alone, and that is just one vulnerable area within the healthcare environment.
To Simpson, the survey results and the previous pneumatics report demonstrate the continued challenges facing healthcare systems. Healthcare networks are very flat: devices ranging from traditional network equipment and cameras to imaging devices and IoT devices all operate on the same network.
“We're seeing these stacks of vulnerabilities that allow for widespread exploitation in these types of environments,” said Simpson. “Most attacks in every industry and sector fundamentally begin the same way: social engineering attacks that attempt to trick employees into doing something to give the attacker a foothold onto the environment.”
In healthcare, once the attacker breaks into the environment, they can laterally move to a multitude of IoT devices and “can hang out there, potentially invisibly, and start figuring out where they can do the most damage,” he added.
The most damage comes from the “vulnerabilities that exist at scale across all sorts of different devices in this space,” which allow attackers to compromise an asset or a set of assets, do the most damage, and thus demand the highest ransoms.
For Miranda, many of these challenges stem from foundational flaws, which are then exacerbated as healthcare providers continue to bring in new technologies, stack them on top of existing ones, and tinker with the software.
“The reality is [they] just keep stacking [devices] with multiple functionalities, but there are foundational flaws with some of the pieces of software,” said Miranda. These include using openly accessible endpoints or open source software. And then providers keep bringing in new risks, vulnerabilities and are just “pancake-stacking on top of it.”
“Imagine a vulnerability that started four or five versions earlier in a piece of code,” he continued. “Now I have to retroactively go back to address that vulnerability and hope that I don’t compromise current interoperability. Let’s face it, when you fix one thing, especially with old code, chances are I’m going to break something within the new code.”
A renewed call for cyber resilience
This untenable situation is the reality of healthcare, further burdened by tight software release schedules that leave healthcare security teams no opportunity to remediate these issues, explained Miranda.
As a result, there’s an intersection between threats like ransomware and ongoing challenges with vulnerability remediation, which means “healthcare is having a harder time than ever managing their overall workload,” Simpson warned.
“Bad actors were given wide visibility into where their attacks could do the most damage and where they could subsequently earn the largest payout,” said Simpson. “Healthcare has always been known to be a widely vulnerable environment — that’s not news. … What we’ve seen on the bad actor side of the house is just a doubling down on ransomware.”
“It’s been the most lucrative endeavor in the bad actor community,” he continued. “You've got this widely vulnerable community that has a growing bad actor community alongside it. ... And we've seen the tooling around ransomware grow. But we’ve seen the defenses grow far less."
The bad actor community knows the healthcare sector’s flaws, including its litany of devices and how to disable their communications. By failing to mature its security, the sector has left the door open to attackers.
The survey spotlights those trends, with half of respondents naming the ongoing attacks on critical infrastructure as the biggest threat to hospitals. Other risks cited included inputting data into online portals (31%) and staying in a hospital room with connected devices (17%).
The one positive is that the ongoing threats and cyberattacks receiving media attention are strongly influencing decision-making at some healthcare organizations: 75% of respondents agreed that the ongoing threats are influencing decisions at their organization.
The findings and the continued dialogue on healthcare vulnerabilities underscore the need for cyber resiliency in healthcare: building security into business continuity plans, practicing tabletop cybersecurity exercises, and training the workforce on exactly what will happen when the entity is hit by an inevitable cyberattack, explained Miranda.
“The fundamental question is: how important is it to the organization to protect themselves and build plans around these types of attacks? This is a common disruption. It's not as simple as just always paying the ransom and moving on,” said Miranda.
“Because what we're seeing with some of these individuals is, even though you've paid the ransom, they're still releasing the information. So they basically just took your money and left you still holding the bank. So what did you accomplish?” he added.