Ventilators and respirators, on the front line against the respiratory symptoms often deadly for coronavirus patients, may seem like natural points of vulnerability for medical organizations, but the real threats come from the flood of high-tech IoT medical equipment that must be integrated into a network and properly secured from attack.
Under normal circumstances hospitals struggle to bring that equipment online, but with the added pressure of dealing with a pandemic, medical IT staffs are being pushed to the brink, creating plenty of opportunities for mistakes as they support the efforts to save lives while risking being exposed to the virus themselves.
“A premium is now on speed,” said Greg Murphy, CEO of Ordr, a company that focuses on protecting connected medical devices. “New devices are coming in with technicians possibly not familiar with the make or the device’s security history so to have them just come in and get connected creates a great deal of risk.”
Murphy called the hospital IT teams heroic, noting they too are on the front line, working amid patients as they attempt to get equipment in place.
While Ordr has seen a spike of activity on the dark web centered around respirators, fortunately the majority of the devices that are either in use or being shipped from national stockpiles are older models that are designed to operate as stand-alone devices and are not, by themselves, capable of being connected to a network.
“For this reason, we have not seen instances of cybercriminals hacking these critical devices. However, each is connected to a monitor of some type that is online in some fashion so nurses and staff can remotely keep an eye on each patient,” said Terry Dunlap, chief strategy officer and co-founder of ReFirm Labs.
Murphy does not believe the large number of potentially unsecured ventilators coming online is a facility’s weak spot. For myriad reasons hospitals have historically had a tough time staying secure, so Murphy believes the quickest way to gain entry and do damage is through the thousands of other IoT devices found in a typical hospital that for one reason or another have been overlooked.
“If I were a bad guy I would go through the video surveillance cameras. There are many more of them representing a wider attack surface,” he said, adding even devices like connected vending machines would make an excellent entry point.
Jeff Horne, Ordr’s CSO, said his nightmare scenario is a ransomware attack, as it potentially provides a massively disruptive force that a hospital cannot ignore. Many European hospitals are being hit with phishing attacks, essentially threat actors throwing out phishing emails in an attempt to gain access. Horne believes these are intended to target hospital admin staffs that are under work-from-home orders, may not be using a properly protected network and are out from under the watchful eyes of their company’s cybersecurity staff.
“It’s easy to make a mistake and now it’s even worse,” Murphy added.
Check Point backed up this line of thought, adding it is very concerned over the latest trend that sees cyber gangs like Maze using the double-extortion tactic of not only encrypting data, but stealing it as well and then threatening to make it public if the ransom is not paid.
“We’re especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransomware attack would be very difficult,” said Check Point Manager of Threat Intelligence Lotem Finkelsteen.
As if established hospitals do not offer enough to be concerned about, there are now temporary hospitals and non-traditional spaces, such as tents, hotels and nursing homes, being used to house and treat COVID-19 patients. While the military hospitals being set up are likely secure, IT staffs are being run ragged helping set up these new facilities and make them as efficient and safe as possible.
“There is a growing demand for a capability that allows hospital workers to remotely change ventilator settings that would allow health care workers to monitor these devices while also limiting physical contact with harmful pathogens,” Dunlap said.
One way hospitals are working to stay secure from cyberattack is to reach out to third-party firms who can remotely monitor the medical equipment. These off-site personnel are not only able to ensure proper cybersecurity precautions are in place, but they can tell hospital administrators the location and status of their devices. In the daily chaos now taking place in hospital ERs and ICUs it’s easy to lose track of a desperately needed piece of equipment. These outside helpers can let a doctor know if there is a spare ventilator in the building and where it was last located.
Murphy hopes that once COVID-19 becomes just a horrible memory, the lessons being learned now on the fly are incorporated into standard operating procedure. He believes a top takeaway is the importance of automation. Properly automated devices can tell a network when they are connected and whether or not they are ready to operate.
This disaster has shown that once lifesaving measures take priority over cybersecurity, normal procedures are thrown out the window, but equipment that is properly automated can fill the role now handled by humans, he said.