Healthcare IT has an internet of things (IoT) problem. This isn't exactly a secret, but recent developments have turned a nagging fear into a palpable panic across the sector. I've recently reviewed the FBI Private Industry Notification (PIN) distributed through InfraGard, Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities, and it's becoming clear that the device problem is a symptom of something broader: the overall state of healthcare cybersecurity is in trouble.
Pervasive Healthcare Cybersecurity Weaknesses
Let's start with a bit of history. Suffice it to say, hospitals, clinicians' offices, and associated parts of the healthcare industry have not exactly been on the leading edge of cybersecurity. Some attribute it to razor-thin margins in the sector. Others lament the challenges of managing a burgeoning patchwork of life-critical technologies, a challenge that, many argue, only gets harder when you try to update and patch those systems. Still others point to the difficulty of working with systems that were never designed to be connected to a network in the first place.
The numbers bear this out. According to research cited by the FBI in their PIN, more than 50% of connected medical devices and other IoT devices in hospitals had known critical vulnerabilities. Another piece of cited research notes "an average of 6.2 vulnerabilities per medical device," including critical devices such as pacemakers and insulin pumps. That same research found that "more than 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades."
And it's not just IoT security itself that is a problem. According to the ExtraHop report, Benchmarking Cyber Risk and Readiness, healthcare organizations had the highest prevalence of insecure protocol usage in seven of the 12 protocols studied, including SMBv1 and Telnet.
The table below breaks down internet-exposed protocols by industry: the percentage of organizations with internet-exposed protocols, and the average number of public-internet-exposed devices per 10,000.
IoT Visibility Gaps
Perhaps the biggest challenge of all is visibility. Even organizations that have already deployed antivirus and endpoint detection and response tools, as the FBI PIN recommends, still have significant gaps. Just as on your network at home, a clinical or other healthcare setting has devices that can't be 'managed' in the traditional sense. No asset management agent, endpoint protection agent, or even antivirus can be installed on these devices, for a variety of (valid) reasons.
Think for a second about a fetal heart monitor you might see in a maternity ward. That monitor runs an operating system and is very likely connected to the Wi-Fi network (so doctors and nurses can monitor it remotely), but there's no real way to 'see inside' the thing without the possibility of breaking it. I don't think it's a stretch to imagine the risks that come with that.
So if these devices exist, and we can't readily install anything on them to monitor their security or judge whether they belong on the network, what are the options? I dare say this is one of those places where the SOC visibility triad (endpoint, network, and log telemetry) shines in a way that hasn't really been highlighted before.
How Network Visibility Closes the Healthcare Security Gap
Perhaps one of the most interesting and obvious use cases for network detection and response (NDR) lives here. Endpoint tools are essential, but there are limits to where you can deploy them, and medical devices are a prime example. A fetal heart monitor won't take an endpoint agent, but because it's connected and talking on a network, it's still subject to attack and compromise. To protect that asset, you need to detect network-borne malicious activity from a vantage point the attacker cannot see or tamper with, which in practice means watching the traffic itself rather than relying on software running on the device.
Attackers rarely get their initial foothold on an MRI machine: it 'shouldn't' be exposed to the internet, and it has no web browser for the operator to use for social media or email. They land instead on the Windows, Mac, or Linux machines in adjacent network segments, which get infected and become jump-off points for attacking the rest of the network, medical devices included. Having insight into what's going on in the infrastructure, both laterally and at the borders, is essential. So is having that network visibility cover the blind spots where endpoint agents cannot be installed, working hand-in-hand with endpoint security rather than in isolation.
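One concrete shape this network-side monitoring can take, as an added example that is not code from the original post or from any ExtraHop product: a small Python rule set run over Zeek-style connection records. It ties together the two threads above, the insecure protocols (Telnet, SMBv1) that the report singles out and the lateral movement from an infected workstation toward an agentless device. The asset inventory, subnets, device names and connection records are all constructed for the illustration; the only real identifiers are the IANA default ports for Telnet and SMB and the "NT LM 0.12" dialect string an SMBv1 client negotiates.

```python
"""Network-side checks for devices that cannot take an endpoint agent.

Added example, not code from the original post or from any ExtraHop product.
The asset inventory, subnets, hostnames and connection records below are all
constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory of agentless clinical devices, keyed by IP. In a real
# deployment this would come from a CMDB or from passive device discovery.
AGENTLESS_ASSETS = {
    "10.20.5.11": "fetal-heart-monitor-ld-03",
    "10.20.5.12": "infusion-pump-icu-07",
    "10.20.5.20": "mri-console-rad-01",
}

# Constructed segments. Only the central-monitoring/EMR servers and the device
# VLAN itself are expected to initiate connections to a clinical device.
ALLOWED_PEERS = [ip_network("10.20.1.0/24"), ip_network("10.20.5.0/24")]

# RFC 1918 space; anything a device talks to outside these ranges is treated
# as the public internet, a border crossing the device should never make.
INTERNAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IANA default ports for the two legacy protocols the post calls out.
TELNET_PORT, SMB_PORT = 23, 445
SMB1_DIALECT = "NT LM 0.12"  # the dialect string an SMBv1 client negotiates


@dataclass(frozen=True)
class Conn:
    """One Zeek-style connection record (constructed, not real capture data)."""
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    service: str           # label a protocol analyzer would assign
    smb_dialect: str = ""  # human-readable stand-in, set only for SMB sessions


@dataclass(frozen=True)
class Finding:
    rule: str
    asset: str
    peer: str
    detail: str


def evaluate(c: Conn) -> list[Finding]:
    """Apply three passive rules to one connection record."""
    findings: list[Finding] = []
    src, dst = ip_address(c.src), ip_address(c.dst)

    if c.dst in AGENTLESS_ASSETS:
        asset = AGENTLESS_ASSETS[c.dst]
        # Rule 1: an insecure protocol reaching a device we cannot patch or harden.
        if c.proto == "tcp" and c.dport == TELNET_PORT:
            findings.append(Finding("insecure_protocol", asset, c.src, "cleartext Telnet to device"))
        elif c.proto == "tcp" and c.dport == SMB_PORT and c.smb_dialect == SMB1_DIALECT:
            findings.append(Finding("insecure_protocol", asset, c.src, "SMBv1 dialect negotiated"))
        # Rule 2: inbound from a segment that should never touch clinical devices,
        # the lateral-movement pattern from a compromised workstation.
        if not any(src in net for net in ALLOWED_PEERS):
            findings.append(Finding("unexpected_peer", asset, c.src, "inbound from unapproved segment"))

    if c.src in AGENTLESS_ASSETS and not any(dst in net for net in INTERNAL_RANGES):
        # Rule 3: a monitor, pump or console initiating traffic to the internet.
        findings.append(Finding("device_to_internet", AGENTLESS_ASSETS[c.src], c.dst,
                                f"outbound {c.service or c.proto}/{c.dport}"))
    return findings


def run(conns: list[Conn]) -> list[Finding]:
    """Evaluate a batch of records and return every finding, in order."""
    return [f for c in conns for f in evaluate(c)]


# Constructed sample: one benign poll, one Telnet probe, one SMBv1 session from
# the same ward workstation, one modern SMB session from an approved server, and
# one device reaching out to a public address.
SAMPLE_CONNS = [
    Conn(1.0, "10.20.1.5", "10.20.5.11", "tcp", 443, "ssl"),
    Conn(2.0, "10.30.7.44", "10.20.5.12", "tcp", 23, "telnet"),
    Conn(3.0, "10.30.7.44", "10.20.5.20", "tcp", 445, "smb", smb_dialect="NT LM 0.12"),
    Conn(4.0, "10.20.1.9", "10.20.5.20", "tcp", 445, "smb", smb_dialect="SMB 3.1.1"),
    Conn(5.0, "10.20.5.20", "203.0.113.17", "tcp", 443, "ssl"),
]

if __name__ == "__main__":
    for f in run(SAMPLE_CONNS):
        print(f"{f.rule:<20} {f.asset:<28} peer={f.peer:<15} {f.detail}")
```

Nothing here runs on the device: the sensor sees the wire, the inventory says which addresses are agentless, and the allow-list of peers encodes who is supposed to talk to them. That allow-list is the artifact worth maintaining, because it turns a generic "SMB to a host" event into "a ward workstation opened SMBv1 to the MRI console", which is the jump-off pattern described above.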
There's a lot to be discussed here, and this only scratches the surface of that conversation. But it's interesting to me that the topic of medical and industrial IoT devices has started to make the rounds in circles of people who take this stuff seriously. I believe it's worth investigating how to improve security on these blind spots of IT instead of continuing to lament the inadequacies of these devices.