The rise of medical device hacking: How strong is your network security?

July 19, 2019
By Jonathan Langer

In recent years, cyber threats have become increasingly sophisticated in terms of attack methods, the degree of damage inflicted, and their ability to circumvent existing security measures. While cyberattacks affect all sectors of business, of late there has been a dramatic rise across the globe in attacks targeting healthcare and private patient data. In Q3 of 2018 alone, 4.4 million medical records were compromised, according to the Protenus Breach Barometer.

IDC estimates that there will be 41.6 billion IoT devices in the field by 2025, with device data growing exponentially as well. By that time, data hackers will have a playground at their fingertips. Of those devices, 40% will be healthcare or medical devices. Due to the sensitive nature of their work, it’s incredibly important for hospitals and healthcare delivery organizations (HDOs) to ensure that any device connected to the network is secured and properly managed.

Along with the rise of healthcare-related cyberattacks comes an increased need for more sophisticated defense strategies. Simply implementing a general security solution will not suffice. Hospitals and HDOs need a complete solution that understands how both medical and non-medical devices are supposed to interact within a healthcare environment, as well as which of those devices are susceptible to attacks.

Understanding the types of cyberattacks that target IoT devices
As the technology to prevent and detect cyberattacks becomes more advanced, so do the methods hackers use to get through to the devices with valuable personal information. The average cost of a breach was $3.86M in 2018, according to Ponemon. While there are many methods hackers leverage to attack IoT devices, there are some common attacks to be aware of in the medical field. For example, attacks aimed at obtaining personal medical information capitalize on the lack of multi-tiered defense of medical devices to extract such information. Alternatively, attackers target medical equipment as part of their attack vector to reach enterprise servers that house electronic medical records (EMRs).

Further, many attacks have the objective of disrupting medical treatment provided to patients, thereby posing a significant health risk. A large portion of contemporary medical treatments rely on data and measurements that originate from networked medical devices. Cyber attackers can exploit this dependence and tamper with the data and measurements, resulting in the administering of erroneous medical treatment (e.g., incorrect dosage of medication or misdiagnosis of diseases).

Finally, one of the most popular methods of cyber-criminals involves ransomware and malware. In May, it was reported that 40% of HDOs were attacked with WannaCry ransomware over a six-month period.

Today, there are still many healthcare organizations that are ill-equipped to effectively monitor, prevent and detect cyber threats. Some are, at times, totally unprepared. What’s critical is having one solution in place that can effectively monitor all network traffic that’s occurring in every device connected to an organization’s network(s).

What’s at risk?
The reality is, the more connected devices there are that live on the same network as a patient’s medical data, the more opportunity there is for cyber criminals to hack. Although IoT devices allow for closer monitoring, automated data delivery and real-time analysis, it’s important to acknowledge all possible risks so that measures are taken to avert them. Today, patients are connected to devices such as digestible sensors, smart medical beds and blood glucose monitors, which are merely a few examples of the devices patients may encounter. The fact of the matter is, devices such as printers, computer accessories and even VoIP phones all present individual risks, and any of these common devices on the healthcare organization’s network can become a point of entry for an attack.

To add to the possibilities of attack, this past June the U.S. Food and Drug Administration issued a warning about possible risk of hacking for some diabetes patients’ insulin pumps, which are small computerized devices that deliver insulin therapy to patients in continuous doses or as a surge around mealtime. This is yet another example of cybercriminals’ innovation and expertise, and a call to action for security solutions to actively protect all patients’ connected devices.

Does monitoring and mitigating threats need to be complex?
Matching cyber criminals’ activities one-to-one with mitigation efforts is time-consuming and complex. Implementing a singular solution that monitors and protects all IoT devices — enterprise, clinical and medical — creates a more seamless security approach, where every device connected is automatically recognized, monitored and protected. Essentially, streamlining threat detection and prevention efforts within one solution helps HDOs minimize scrambling between dashboards to discover if a threat on the network exists, and ensures they’re all being protected with the same quality standard. While the hospital works tirelessly to ensure the health and livelihood of each patient, putting an effective solution in place to ensure the workflow isn’t interrupted is essential.

In practice, healthcare networks have wide-ranging equipment and devices often running on old operating systems such as Windows XP and Linux. These systems are exposed to dozens of vulnerabilities that have been identified and reported on extensively. This is the warning shot to HDOs that their medical equipment is even more vulnerable to a breach. With so many devices, communication protocols and varying patching cycles, it’s imperative that the solution can carry out the following best practices:
• Keep an updated inventory of all connected medical devices and other IoT assets
• Introduce a viable risk assessment process that outlines the most important assets in the environment
• Segment critical assets to significantly decrease the attack surface

Not all security solutions are created equal
Discovery of medical devices and clinical policy enforcement requires a very granular understanding of each individual medical device and its unique behaviors. Reaching that level of granularity requires decoding the different proprietary protocols that the multitude of manufacturers use. Deep packet inspection is the only technique that provides that capability; machine learning and artificial intelligence can’t.

Most organizations have state-of-the-art and powerful enforcement solutions such as NGFWs and NACs. But it’s not clear to them which policies are to be enforced or what the best practices are. Those questions are usually pushed to professional services vendors and clients from the manufacturers. In a general IoT setting, those answers are already defined and generally accepted. In a clinical setting, they’re almost non-existent. A security vendor has to be able to understand the device protocols and clinical workflows, which come from deep packet inspection, in order to set clinically-based policies. With those, HDOs know what is allowed on the network, which policies should be enforced and which devices are vulnerable and therefore should be prohibited from going on the network.

Having the visibility data and policy profiles based on clinical workflows also drives network segmentation enforcement. For instance, a NAC can now be leveraged to segment different clinical devices of different device types to disallow communication with each other. A firewall can be leveraged to allow some internet communications to certain web domains and disallow others.
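The segmentation logic described above can be sketched as a check of observed flows against per-device-type profiles. This is an added example, not code from the article or from any vendor; the inventory, profiles, device names, domains and flows are all constructed, and allowing same-type traffic is an assumption.

```python
# Constructed inventory: device id -> (device type, network segment).
INVENTORY = {
    "pump-01": ("infusion_pump", "clinical-pumps"),
    "pump-02": ("infusion_pump", "clinical-pumps"),
    "mon-01": ("patient_monitor", "clinical-monitors"),
    "emr-01": ("emr_server", "servers"),
    "prn-01": ("printer", "enterprise"),
}

# Constructed profiles: peer device types and web domains each type may reach.
PROFILES = {
    "infusion_pump": {"peers": {"emr_server"},
                      "domains": {"updates.pump-vendor.example"}},
    "patient_monitor": {"peers": {"emr_server"}, "domains": set()},
    "emr_server": {"peers": {"infusion_pump", "patient_monitor"}, "domains": set()},
    "printer": {"peers": set(), "domains": set()},
}

def check_flow(src, dst):
    """Return (allowed, reason) for one observed flow from src to dst."""
    if src not in INVENTORY:
        # A device missing from the inventory has no profile to enforce.
        return False, "source not in inventory"
    src_type = INVENTORY[src][0]
    profile = PROFILES[src_type]
    if dst in INVENTORY:  # internal device-to-device traffic
        dst_type = INVENTORY[dst][0]
        # Assumption: same-type traffic is allowed, cross-type only via peers.
        if dst_type == src_type or dst_type in profile["peers"]:
            return True, f"{src_type} -> {dst_type} allowed by profile"
        return False, f"{src_type} -> {dst_type} crosses device-type segments"
    # Any other destination is treated as a web domain; exact match only.
    if dst.lower().rstrip(".") in profile["domains"]:
        return True, "domain allowlisted for device type"
    return False, "domain not allowlisted for device type"

def violations(flows):
    """Return (src, dst, reason) for every flow the profiles do not allow."""
    results = [(src, dst, check_flow(src, dst)) for src, dst in flows]
    return [(s, d, reason) for s, d, (ok, reason) in results if not ok]

# Constructed flow records standing in for what network monitoring would report.
FLOWS = [
    ("pump-01", "emr-01"),                       # expected clinical workflow
    ("pump-01", "mon-01"),                       # pump talking to a monitor
    ("pump-02", "updates.pump-vendor.example"),  # allowlisted domain
    ("mon-01", "cdn.unknown.example"),           # domain not in profile
    ("cam-07", "emr-01"),                        # device not in inventory
    ("prn-01", "emr-01"),                        # printer reaching the EMR server
]

if __name__ == "__main__":
    for src, dst, reason in violations(FLOWS):
        print(f"DENY {src} -> {dst}: {reason}")
```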

Understanding the details about a device security solution will ensure it can support all of your security initiatives from an IT, IS and clinical engineering perspective, and will make the existing infrastructure far more effective in a clinical setting.

The data security industry has made amazing strides in protecting thousands of organizations around the world. Our work is far from done, and with the number of devices being introduced to make healthcare more streamlined, and data easily accessible by the patient, risks will continue to surface. The question is, is your healthcare organization fully prepared? Because it’s entirely possible that the smallest vulnerability can make the biggest impact.

About the author: Jonathan Langer is the CEO of Medigate.