A Wall Street Journal article this past summer entitled “Code Dark: Children’s Hospital Strives to Minimize Impact of Hacks” describes a new trend in healthcare: in the event of a cyberattack, hospital staff are trained to shut down computers and medical devices to prevent attackers from moving laterally within a network. They also do this to contain the spread of ransomware and other forms of malware.
That Code Dark initiatives are necessary at all illustrates the magnitude and nature of the challenge healthcare services organizations face in protecting IT infrastructure – and patients.
Medical device insecurity
Hospitals are a frequent target of hackers, and the Association of American Medical Colleges (AAMC) reports that attacks have risen 45% since 2020, as cybercriminals and cybercrime syndicates increased activity to take advantage of chaos after the start of the pandemic. Such attacks are disruptive and costly. IBM and Ponemon Institute’s 2022 Cost of a Data Breach Report found that successful cyberattacks cost U.S. hospitals $10.1M per incident.
In its Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care study for security company Proofpoint, the Ponemon Institute found that most hospitals suffered 40 or more attacks in the last year, almost one attack per week. More concerning, many of the organizations suffering the four most common types of attacks—cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing phishing—experienced increased patient mortality rates.
For healthcare delivery organizations (HDOs), insecure internet of medical things (IoMT) devices are a top concern. HDOs average more than 26,000 network-connected devices, including 10-15 connected medical devices per bed. Healthcare facilities also rely heavily on operational technology (OT) and industrial control systems for running the physical plant and systems for managing electricity, water, and air quality. These organizations may also have tens of thousands of Internet of things (IoT) devices, such as smart TVs, security cameras, parking systems, badge readers, communications, and other components connected to traditional IT infrastructure.
Reports such as those out of Springhill Medical Center in Alabama, where an undisclosed ransomware attack was blamed as contributing to the death of an infant, illustrate the potential for cyberattacks to have tragic outcomes. As the number of connected, unmanaged devices explodes, threat actors targeting IoT, IoMT, and OT devices have the potential to undermine patient trust in the ability of healthcare organizations–and the entire industry–to provide a high quality of care and to protect their safety.
Countering the threat and maintaining patient safety requires continuously monitoring and securing the plethora of connected devices in use in hospitals today. It’s a huge job, but the alternative is Code Dark events that press doctors, nurses, and frontline hospital staff into service after an attack. Cyberattacks move too fast, and even the best-prepared people are prone to mistakes in high-stress situations like a Code Dark event. Every connected device increases the attack surface, and there’s no way to monitor all these devices manually. Pulling the plug after an attack is a high-risk last resort. Cybersecurity in healthcare environments begs for automation.
The role of medical device manufacturers
Why not simply insist that medical device manufacturers solve the problem they have helped create? Medical device makers are well-known for innovative and life-saving technologies that are indispensable for providing a high quality of patient care, but like many IoT manufacturers, these companies don’t treat security as a primary design consideration. That has left the responsibility for securing IoMT devices up to HDOs. But as their inventories–and attack surfaces–expand, HDOs can’t keep pace with the ever-widening risk gap.
Medical devices and systems designed and deployed today often remain in service for well over a decade. During their extended lifecycle, operating systems and other software components may become obsolete; in fact, as many as 20% of devices operating in a hospital’s network are likely to be running on out-of-date and unsupported software such as Windows 7/8/10. Even for devices running more modern operating systems, safety and manufacturer regulations may dictate that the equipment cannot be taken offline or patched the way traditional IT systems are. As a result, hospitals and HDOs may have hundreds–or even thousands–of devices that are both vulnerable and in service, connected to their network, making the organization an easy target for a cybercriminal.
Legislators and regulators who recognize this threat to public safety have attempted to address the situation with bills, such as the Protecting and Transforming Cyber Health Care (PATCH) Act, mandating that medical device manufacturers follow security by design practices to harden their products against attack. However, the political process and results can take years to play out, and hospitals simply cannot wait that long.
Actions for healthcare organizations
While device manufacturers need to design robust security into all IoMT devices, healthcare providers must also take responsibility for device security. Healthcare and public health organizations must act now to proactively protect their systems and their patients; they cannot afford to do only the minimum to secure their networks – especially when patient safety is at stake. When hospitals do not know exactly what's connected to their networks, it’s impossible to understand what's truly at risk. This makes them especially vulnerable to events such as North Korea's ‘Maui ransomware’ attack targeting the U.S. healthcare industry.
Fortunately, hospitals can take immediate steps, using new technologies to improve connected healthcare device security by using automation to maintain an up-to-date device inventory, identify risk, and monitor device communications:
- Automate the discovery and classification of devices to enable real-time and accurate device data and inventory.
- Identify devices with outdated operating systems or other risks such as misconfiguration and software that is unauthorized or vulnerable.
- Track communication to countries like Russia and North Korea, and monitor the web reputation of the sites to which these devices connect.
- Identify and monitor devices using high-risk, privileged protocols (for example, SMBv1 and RDP) to confirm these protocols are truly required and, if so, to ensure that they are being used for legitimate needs.
- Segment devices running outdated operating systems that the team can’t patch. Enable only sanctioned communications required for device operations to limit exposure.
- Baseline all connected device communications to ensure they do not deviate from their purpose. Whenever ransomware takes over a device, there’s communication with an internet-based command-and-control site and potential for lateral movement across the organization. Any detected deviation from baseline communications is an indicator of compromise.
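The last three steps above (privileged-protocol monitoring, restricting devices to sanctioned communications, and baselining) can be illustrated with a small deviation check. This is an added example, not code from the article or from Ordr; the device names, flow records and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Address ranges the hospital owns (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ports of the privileged protocols named in the article. Port alone cannot
# distinguish SMBv1 from SMBv2/3, so a hit means "inspect", not "SMBv1 confirmed".
RISKY_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed flow records: (device, dst_ip, dst_port, proto).
BASELINE_FLOWS = [
    ("infusion-pump-12", "10.0.5.10", 443, "tcp"),  # vendor gateway
    ("infusion-pump-12", "10.0.5.11", 123, "udp"),  # NTP
    ("mri-console-3", "10.0.7.20", 104, "tcp"),     # DICOM to PACS
]
OBSERVED_FLOWS = [
    ("infusion-pump-12", "10.0.5.10", 443, "tcp"),
    ("infusion-pump-12", "203.0.113.45", 443, "tcp"),  # unknown external host
    ("mri-console-3", "10.0.7.20", 104, "tcp"),
    ("mri-console-3", "10.0.9.5", 445, "tcp"),          # SMB never seen before
]


def build_baseline(flows):
    """Map each device to the set of (dst_ip, dst_port, proto) it normally uses."""
    baseline = defaultdict(set)
    for device, dst_ip, dst_port, proto in flows:
        baseline[device].add((dst_ip, dst_port, proto))
    return baseline


def is_internal(dst_ip):
    """True when the destination falls inside one of the hospital's own ranges."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_deviations(baseline, flows):
    """Return (device, dst_ip, dst_port, reason) for every flow outside the baseline."""
    alerts = []
    for device, dst_ip, dst_port, proto in flows:
        if (dst_ip, dst_port, proto) in baseline.get(device, set()):
            continue  # sanctioned communication, nothing to report
        reasons = ["not in baseline"]
        if dst_port in RISKY_PORTS:
            reasons.append("privileged protocol " + RISKY_PORTS[dst_port])
        if not is_internal(dst_ip):
            reasons.append("external destination")
        alerts.append((device, dst_ip, dst_port, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

In practice the baseline would be learned from a discovery window per device class and the alerts fed to the segmentation policy, so that an infusion pump talking to an unknown external host is blocked rather than only logged.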
Healthcare delivery organizations need complete IoT, IoMT, and OT visibility to identify and manage cybersecurity risks throughout the lifecycle of those devices. They also need a commitment from medical device manufacturers to think of the future, and work hand-in-hand with them when designing connected medical devices.
Greg Murphy, Advisor, Ordr