The healthcare sector was on a steady track towards digitization and with the massive blow from the COVID-19 crisis it is all but leading the charge. Remote monitoring and other connected medical devices have made it possible for healthcare providers to exceed capacity limits, as the rest of the world realizes the crucial role they play in aiding response staff in enabling “smart” monitoring, timely care, and saving lives. But what happens after the pandemic and what does this mean for security?
The many on-hold non-essential and routine patient care services, like surgeries, will be rescheduled with urgency. This will continue the surge in Healthcare Delivery Organizations (HDOs) to heavily rely upon IoMT devices that support use cases such as remote device management and remote patient monitoring.
In 2020 alone, 40% of manufactured IoMT devices connected to healthcare networks, a jump from 20% in 2018, according to verbal customer validation by one of our customers. In fact, the Food and Drug Administration (FDA) approved 54 new medical devices last year like implantable nerve systems and automated external defibrillators (AEDs)1. Beyond the four walls of a healthcare delivery organization (HDO), Gartner’s IoT Healthcare 2021 Forecast Data is expecting 21% CAGR for healthcare device growth to 873 million in 2025.
Security is the Fundamental Enabler of IoMT
With all this being said, one of the main drawbacks of IoT in healthcare is the lack of security by design, leaving the serious responsibility of protecting medical devices solely in the hands of HDO security teams.
The proliferation of unmanaged and unaccounted IoMT devices, their disparate nature, lack of security by design, dependence on unsupported operating systems, along with network and internet connectivity considerably widens the attack surface. Recent advisories, like this one on a TrickBot ransomware campaign, identify healthcare as a prime target for attackers, heightening the concern around IoMT. In 2020, Palo Alto Networks Unit 42 analyzed 1.2 million IoT devices located across enterprises and healthcare organizations, bringing to light some stunning facts and helpful tips on protection these devices:
- 72% of healthcare VLANs mix IT and IoT (or IoMT) devices
- Mixing IT and IoT devices on the same network allows malware to spread from users’ computers to vulnerable IoT devices, or vice-versa, making it easy for actors to move laterally.
- A best practice for segmenting your HDO’s network is to base it on medical device type, threat levels, usage patterns, and other device profile characteristics using VLAN configurations or NGFW policies, and paying extra attention to north-south communications.
- 41% of attacks exploit vulnerabilities in IoT devices
- Sophisticated IT-borne attacks scan for medical devices to exploit known weaknesses and gain access to unencrypted patient identities on IoMT, or other corporate data, and sometimes for monetary profit via ransomware.
- The gap between IoMT, OT, and IT security best practices enables attacks that IT has otherwise been immune to. In parallel to basing segmentation on identity, network teams can further segment IoT devices by security level—for instance, by separating those running on end-of-life OS from those with up-to-date security patches.
- Io(M)T devices are vulnerable themselves with 57% vulnerable to medium to high severity alerts
- Due to the generally low patch level of IoMT assets, the most frequent attacks are exploits via long-known vulnerabilities and password attacks using default device passwords.
- A best practice for reducing alerts is to set a baseline for normal trusted device behaviors and closely monitor them for any anomalous and deviant behaviors. Additionally, implementing processes to modify default vendor credentials on device deployment and monitoring for out of band network, IP or port scans, can also aid in reduction of attack surface.
- 83% of imaging devices with old unsupported OS, a 56% jump from 2018
- IoMT devices with unpatched vulnerabilities put every HDO’s security and privacy at heightened risk.
- With so many IoMT devices running on end-of-life operating systems (OS), healthcare organizations can deploy active monitoring, inline anti-malware or antivirus tuned for IoT, identify vulnerabilities potentially through an intrusion prevention system (IPS) with custom signature rules for threat detection, or use behavioral analysis technology to identify out of band activity.
Diving deeper, any exploited vulnerability in IoMT enables cybercriminals to take a number of malicious actions that include seizing control of the medical device, stealing sensitive patient health, personal, and insurance information (ePHI), stealing proprietary clinical records, obfuscating network traffic, disrupting healthcare delivery processes, ransoming the device to turn a profit, or just plain lateral movement into the IT network.
As damaging as these cyber activities can be, they’re the tip of the iceberg. Cybersecurity incidents aren't going anywhere and are bound to get more egregious as the world continues to grapple with the COVID-19 crisis and its aftermath. Healthcare organizations are in urgent need to proactively tackle IoMT security challenges head on.
The most basic step in securing IoMT begins with obtaining trusted visibility and classification of all IoMT devices across hospital networks, data centers, endpoints, remote clinics, and mobile assets. By doing this, healthcare IT teams will be empowered to take a proactive “prevention-first” approach instead of an “alert-only” reactive approach to keeping medical devices safe from potential threats.
At Palo Alto Networks, we are on a mission to relieve healthcare CISOs from the necessary burden of putting a robust medical device security strategy in place, freeing their organizations to focus on bringing about positive patient outcomes.
For more information and IoT security best practices your organization can deploy, read the full 2020 Unit 42 IoT Threat Report.