IoT medical devices are producing an unprecedented volume of data about all of us at an alarming rate, and most people don’t even have a way to track what or where those devices are.
These devices are easy targets for attackers. There are lots of them, no one is watching and security is nonexistent. Recent attacks like authenticating through default admin passwords and using IoT for botnets have evolved into outright destruction of IoT devices by wiping their drives. Granted, wiped devices can be restored, but the impact is far greater if those devices deliver critical care.
The most common problems with medical devices are simple. They are built to provide optimal patient care, but ensuring secure access to the device is not a requirement for healthcare providers.
Four Vulnerabilities in IoT Medical Devices
Hardcoded administrative passwords that permit privileged access and are the same across multiple devices. These passwords cannot be changed by users or even the facility’s system administrator. Attackers can do research on a device manufacturer and easily learn the hardcoded password to gain administrator access to the device and its data.
Lack of authenticated access to a medical device. While administrative accounts are used by service technicians for device management, often no authentication is required for regular user access. This obviously means anyone from anywhere can log into a device. No hacking skills required.
Medical devices are wireless and transmit unencrypted data across connections. Compromising the wireless network inside a hospital is not difficult. And gaining access to these wireless networks means an attacker is able to capture any and all unencrypted traffic from a device, exposing sensitive patient information.
Devices built with open source software vulnerabilities. All code contains vulnerabilities. By leveraging open source software, many developers can quickly solve problems using pre-existing code. This is a common practice across the entire software industry, as it saves time in developing a product.
Unfortunately, with the inherent benefits of leveraging existing code comes a greater risk of adopting existing and known vulnerabilities. Attackers scan networks looking for these vulnerabilities that allow exploitation of devices.
The Perils of Transformative Technology
Emerging medical technologies will continue to become essential to the quality and speed of healthcare delivery, attracting patients and providing the best patient outcomes.
As this transformation moves forward, healthcare organizations must remain mindful about what technologies are in place, how they are utilized, and when unauthorized actions occur.
Lots of IoT devices, coupled with the free flow of patient data in the network, create massive internal blind spots about what’s happening. The biggest threat is inside the network, where perimeter security is blind.
In the Dark and Behind the Curve?
IT security teams in healthcare are often kept in the dark and behind the curve when it comes to changes in infrastructure. For example, new IoT medical devices are often connected to the network without informing IT security teams.
For the healthcare provider, greater visibility into traffic and behaviors inside the network can help healthcare security teams remain vigilant and more confident as cutting-edge medical technologies are adopted and deployed.
Manually tracking devices to increase visibility is indeed difficult, especially with a small security team. When you factor in the time it takes a lean security team to discover a data breach, it is apparent that IT security teams need to stay ahead of the curve.
Many healthcare providers are augmenting their security teams with artificial intelligence to automate the detection and triage of cyberattacks in the network while speeding up incident response.
For IoT device manufacturers, implementing basic security hygiene would go a long way to reduce the susceptibility to attacks. At a minimum, unique default passwords and a security-patch update mechanism would greatly reduce the ability of an attacker to compromise a device.
Ultimately, securing medical devices requires collaboration between the manufacturer and the healthcare provider. For example, manufacturers should provide healthcare organizations with a software bill of materials.
Manufacturers should inform the healthcare provider what software is in the product, enabling IT teams to better implement and manage security as part of their asset management programs.
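An added example, not from the original article or any vendor: one way an IT team could use a manufacturer-supplied software bill of materials to check a device for known-vulnerable open source components. The CycloneDX-style SBOM, the component names and the advisory IDs are constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device firmware.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-tls", "version": "1.0.2"},
    {"type": "library", "name": "example-httpd", "version": "2.4.10"},
    {"type": "library", "name": "example-json", "version": "3.1"},
    {"type": "operating-system", "name": "example-rtos", "version": "7.2-vendor"}
  ]
}"""

# Constructed advisory feed: versions in [introduced, fixed) are affected.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "example-tls",
     "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "example-httpd",
     "introduced": "2.2.0", "fixed": "2.4.9"},
    {"id": "ADVISORY-PLACEHOLDER-3", "name": "example-json",
     "introduced": "0", "fixed": "3.1.1"},
]

def parse_version(text, width=4):
    """Turn '2.4.10' into (2, 4, 10, 0) so versions compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def affected_components(sbom_text, advisories):
    """Return (findings, unparsed): advisory hits and components to review by hand."""
    findings, unparsed = [], []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp.get("name"), comp.get("version", "")
        try:
            ver = parse_version(version)
        except ValueError:
            # Vendor-specific version strings cannot be ranged automatically.
            unparsed.append((name, version))
            continue
        for adv in advisories:
            if adv["name"] == name and \
               parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings, unparsed

if __name__ == "__main__":
    findings, unparsed = affected_components(SBOM_JSON, ADVISORIES)
    print("affected:", findings)
    print("manual review:", unparsed)
```

Comparing versions as strings would wrongly place 2.4.10 before 2.4.9 and flag example-httpd; the numeric comparison does not, and the vendor-suffixed version is routed to manual review instead of being silently skipped.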
Engaging with longer-term industry efforts to improve security while taking immediate steps to close gaps in the medical device ecosystem will ensure that healthcare organizations stay well ahead of attackers.
While collaboration between vendor and user is always a good idea, I would argue that the responsibility is fundamentally that of the device manufacturer. Necessary guidance to users is appropriate but not where it puts the onus on the user to compensate for bad design. The best approach to risk is always to eliminate it at the source rather than deal with it further down the line.