Recent high-profile ransomware attacks on hospitals have once again demonstrated the vital importance of securing healthcare IT infrastructures. When cyberattacks have the potential to cause morbidity and even loss of life, it’s absolutely imperative to understand and mitigate vulnerabilities in the technology environment and cultivate the strongest cybersecurity posture possible.
Medical campus environments present a complex set of challenges and rapid digital transformation is pushing the boundaries. IT infrastructure is converging with operational technology (OT), which supports building management and operations, and also with IoT, which supports cameras, thermal cameras, biomedical engineering clinical devices and much more. With the expansion of the digital landscape, a rise in BYOD, and a growth in the number of workers moving outside the corporate network, the security perimeter has dissolved and the attack surface rapidly increased.
Given the complexity of the cybersecurity challenges that hospitals and healthcare organizations face as IT and OT infrastructures converge, this is no easy task. Rapid digital transformation is collapsing the boundaries between IT networks and devices and technologies that were formerly separated by air gaps. These include OT underpinning building management and operations, Internet of Things (IoT) devices including thermal cameras, patient monitors and equipment trackers, as well as biomedical engineering systems supporting clinical devices. The global COVID-19 pandemic has further complicated the situation, coupling the recent expansion of the digital landscape with a great increase in work-from-home for non-essential workers and corresponding uptick in BYOD. The end result has been a swift expansion of the attack surface.
The convergence of IT and OT infrastructures is exposing healthcare IT infrastructures to the inherent vulnerabilities in these devices, some of which have little to no integrated security, and many of which are incapable of receiving firmware updates. In these environments, uptime and reliability are critical to patient care delivery models, which can make altering the clinical operational procedures to deal with potential cyberattacks a very disruptive proposition. Not all healthcare cybersecurity programs function at optimal levels of maturity, and not all have access to as many resources –budget and staffing – as they’d like.
Even as digital transformation amplifies the difficulties of securing healthcare IT systems, however, it’s still possible to make meaningful improvements that will reduce real-world risks. The key is to begin with a holistic view of your environment, balance compliance needs with actual operational readiness, and adopt a strategic approach. We’ve put together a list of the five most important tactics to pursue.
Best Practices for Securing Healthcare IT Infrastructures
Tip #1: Inventory Your Assets
Gain visibility into what’s connected to your network, including devices that aren’t considered part of traditional IT.
Understanding the security vulnerabilities that impact medical devices and networks supporting biomedical systems is difficult in and of itself. Healthcare CISOs must also consider the myriad of systems that support hospital operations outside of the clinical environment. These include everything from digital signage to heating, air conditioning and ventilation controls. They also incorporate physical security controls like badge readers and door locks. Ancillary support equipment designed to enhance patient experience, such as smart TVs, noise regulation systems and guest Wi-Fi networks, are usually present as well. Any of these connected devices might potentially have a vulnerability that an attacker could exploit.
A critical first step in improving your hospital cybersecurity posture is gaining visibility into all of these assets. How many systems and devices are connected to your network? Are any misconfigured? Is every device’s firmware up to date? Do any of them have vulnerabilities that appear on MITRE’s Common Vulnerabilities and Exposures (CVEs) list? Taking inventory allows you to recognize what might become a pivot point or threat vector exposing your broader environment.
Tip #2: Ensure Proper Network Segmentation
Operate mission-critical systems in separate network zones from those that are less essential.
Many healthcare organizations still operate relatively flat networks, leaving them vulnerable to attacks that move laterally across the environment after exploiting a vulnerability in a medical device or other operational technology (OT) system that’s inherently insecure. Medical device lifespans are typically much longer than those of IT hardware, so most older devices in use are likely to have been built before current FDA cybersecurity guidance came into force. These systems remain difficult if not impossible to secure with post-market modifications.
Putting network-level controls in place to build segmentation and enforce distinct zones for different device types should be an especially high priority for organizations lacking the budget to replace these types of devices.
Tip #3: Increase Governance
Make sure you have proper policies and procedures in place to deal with the changing threats across the cybersecurity landscape.
Increasing a healthcare organization’s cybersecurity maturity goes beyond implementing best-of-breed tools. It must also take into consideration operational and clinical processes are in line with cybersecurity best practices. It’s also paramount to identify the areas where you face the greatest risks and begin by making changes there first.
Key components of strong cybersecurity governance include:
- Developing incident response procedures. These should include detailed playbooks explaining what stakeholders will do in case of an incident or breach. Conducting tabletop exercises enhances preparedness.
- Employee education. Changes to clinical procedures are far more likely to be successful if employees understand their purpose and importance.
- Integrating compliance with broader risk management strategies. Though regulatory requirements such as GDPR, HIPAA and PCI cannot be ignored, compliance is only one facet of an overall security strategy.
Tip #4: Allocate appropriate resources for security
Without an adequate budget, you’ll encounter endless and near-insurmountable challenges.
Take a systematic approach to cybersecurity spending, prioritizing those investments that are likely to yield the best return in terms of risk reduction. Nonetheless, the operating costs involved in keeping your devices and network secure aren’t negligible. A certain minimum outlay — of money as well as effort — is required to make meaningful progress against the major cybersecurity issues in healthcare.
Tip #5: Maintain awareness of supply chains and the security posture of partners and vendors
Every connected device you bring into your environment has the potential to increase vulnerability, as does every vendor who handles your data or network.
Many medical devices, especially legacy systems, simply weren’t designed with security in mind. In addition, firmware updates intended to add features or functionality may inadvertently introduce security flaws. Keeping track of software, embedded microcontrollers and communication protocols can be challenging even for the device manufacturers themselves. For a hospital tasked with managing tens of thousands of devices, it’s a colossal undertaking.
That’s why choosing hardware that’s secure by design can result in a significant cost savings, even if device costs are initially higher. Ensuring that there’s a secure method of firmware update delivery is also important aspect when evaluating a vendor’s products. Cybersecurity needs to be engaged in vetting vendors at the procurement process.
A similar principle holds true if you’ve outsourced the management of a portion or the whole of your network to a third-party provider. If your hospital makes use of managed services, be certain you’re dealing with a quality vendor who relies on best-of-breed tooling and has a strong record for cybersecurity. It’s a good idea to include a security validation check within decision-making processes when ranking prospective providers. Be sure your MSP has the capability to effectively monitor your network in order to detect anomalous behavior quickly.
As CIO’s and CISO’s who walk the halls of healthcare institutions know all too well, the number of devices being enabled in the Internet of Things and Internet of Medical Things around us is exploding exponentially. With this explosion, complexities arise in security, data collection, storage, and especially lifecycle management. Devices have varying degrees of security and lifespans that range from two years up to 15 years, adding complications to management strategies.
Medical devices are the next perfect storm as a security threat vector and lifecycle management is now becoming predicated on risk and security vulnerabilities within the legacy device ecosystem. Hackers increasingly turn to medical technology used by providers as the next mechanism to commandeer and attack networks and hold organizations for ransom. Medical IoT devices are connected to a vast array of sensors, monitors and numerous applications making them an ideal entry point into the larger hospital networks and an easy way to propagate attacks to other systems.
The FDA started to make cybersecurity a priority in 2013 as a requirement for connected medical devices; however, due to the long development cycle of these devices and long time to get certified for use in the market, the rollout is slow. This will result in a significant lag in the introduction of connected devices that have embedded cyber threat resilience components that can thwart modern threats. This creates an incredibly complex lifecycle management challenge for healthcare technology.
Cybersecurity challenges are now becoming the primary driver for lifecycle management of medical technology. Older compromised systems present a sizeable risk to cybersecurity and leave every member of the C-Suite asking how to tackle this challenge. Often these systems have little to no update capabilities, are outside of vendor support or have been replaced with newer, better supported product lines. Vendor support for cybersecurity vulnerabilities typically takes time to create, test and patch before they can be deployed across the entire device population. As an example, an EEG monitor has a typical lifespan of 10 years. During that period security vulnerabilities will change and morph making it difficult for manufacturers to keep pace with the cybersecurity threat landscape. Even worse, securing these devices ultimately rests on the provider.
One must keep in mind that vulnerability testing is complex because of the various systems, subsystems and chipsets that are embedded in these devices. Most organizations simply do not have a $10 million budget to create a lab or staff who has the functional expertise to effectively perform hardware and software vulnerability testing with the rigor required to pass a security audit. Organizations must hire vendors who have the needed technical expertise, specialized staff and equipment in ferreting out vulnerabilities in purpose-built devices. It is not enough to perform a software scan on a device and assume it is secure.
So what approach should an organization take to lowering their risk on medical devices with varying usable lifespans and cybersecurity protections?
Evaluate Your Environment For Risk
- Identify devices that are end of life. These devices will have no updates released, which exposes them to risk. Furthermore, discovered vulnerabilities may not be announced by the company. We recommend you replace these devices with supported systems.
- Identify systems that are no longer covered by service contracts or lack current operating systems capable of being secured. This issue is similar to devices that are end of life, and should also be replaced or covered by a new service contract.
- Audit prospective vendors security, patch management and cyber-security countermeasures to ensure satisfactory risk mitigation
- Contract for penetration testing of on premise devices. It’s important to cover both the hardware and software of the device in this assessment.
- Consider WIFI, Bluetooth, SD card and proprietary RF interfaces as potential areas of compromise on devices. Ensure there are controls in place to monitor and protect devices over all communication protocols. Disable protocols that are not in use if possible.
- Create a risk profile for each device used in your environment and a risk score and then prioritize based on that risk creating a lifecycle management posture rooted in security.
Global Risk And Compliance
- Have an action plan: Create standard operating procedures for what to do when medical devices are compromised
- Create a risk framework for each device to determine what to do if a device is infected with malware or has been compromised by a hacker
- Include medical devices in your governance plan to ensure that compromises are dealt with at an appropriate level and escalation paths are included
- Ensure you have logs for each device with current firmware versions, patches, etc. and ensure you have a process and policy to perform medical device updates.
- Create Incident response plans specific to breaches involving medical devices and have a team assembled. Include retainers for breach mitigation and post-mortem cyber forensics.
By implementing and monitoring the product lifecycle, leaders, CSOs and CISOs can better plan when to introduce new operational technology in the environment. Ensuring that each of these devices will not negatively impact your operations is critical for continuity of care and allowing for the transformative delivery of healthcare services and improved patient outcomes. Implementing a lifecycle management approach to medical device refreshes rooted in a security framework will allow providers to keep pace with the rapidly evolving threat landscape that is currently plaguing the industry, while ensuring compliance and minimizing security threats and vulnerabilities in the process.
Iot Security and BotNets are a hot topic right now because of several high-profile attacks. On September 20, 2016 Brian Krebs security blog krebsonsecurity.com was the victim of such an attack. One of the largest attacks recorded exceeded 620 gigabits per second(Gbs.).[i]
After the Mirai botnet was declared the major culprit in the largest DDoS attack in history it became evidently clear that IoT was the next battleground on the front against Botnets. Striking at the core of Dyn a major domain name service company this botnet wreaked havoc in a 3-wave attack. It shut down major sites across the internet, gaming networks and other online services. “Attackers used the Mirai botnet to overwhelm Dyn’s DNS servers with a whopping 1.2 terabits per second of traffic. Dyn’s DNS servers couldn’t respond to legitimate DNS queries under the load, which rendered Dyn’s customers — including the New York Times, Reddit, Tumblr and Twitter – unreachable”[ii] As we look back through the annals of IoT breach history operational technology systems, consumer devices, medical devices and industrial control systems pose some of the highest risks to be taken over and enlisted as a zombie horde of devices just waiting to unleash havoc on networks with increasing frequency.
In February of 2017 a new threat emerged rooted in a multi-vector attack. A Windows Trojan that harbored IoT attack code was detected in the wild by malware researchers. It essentially looked-for vulnerabilities in Windows computers, infected them with a trojan horse that then scanned for vulnerable IoT devices infecting them with a variant of Mirai IoT botnet code. Why is this important? A computer infected with the trojan is sitting behind the firewall. Now it is scanning for vulnerable IoT Devices behind the firewall effectively circumventing the firewall and intrusion detection systems and taking command of the devices inside your network to launching a DDoS attack from inside your own network or worse. Now machines can orchestrate a DDoS attack using SSDP because they have already successfully bypassed the firewall and other defense mechanisms.
The challenge however is that SSDP can lead to a 30x amplification of the attack. The Windows Mirai Spreader essentially flipped the script on what we believe to be innocuous devices on our own internal networks. This invariable will gain more importance as IoT 4.0 implementations happen in buildings, cities, industrial controls and vehicle networks. As attackers grow more sophisticated in their approaches we are not beyond the realm of polymorphic IoT attacks targeting command and control server environments causing servers or devices to return adaptive malicious code which fits the specific task it has been assigned to do.
Ever increasing complexity of the delivery systems now poses an even greater threat. Imagine you are a hospital with thousands of medical devices connected to your network. Someone infects those devices and they launch an internal DDOS attack against the network. Suddenly your operational systems are shut down at a hospital crippling scheduling system, billing systems and other infrastructure and thereby causing the facility to have to shut down. It would no longer be able to schedule procedures to occur and even worse force the relocation of patients to other facilities. The potential is there for a Botnet to become the delivery mechanism for crypto lockers. Essentially ransoming medical devices, operational controls, elevators or any device within the IoT realm. The effects on facilities could be catastrophic and even potentially life threatening.
Now we are facing Reaper. It is gathering a horde of devices. It is estimated that Reaper has over 2m troops and it could grow to 3.5m or more. It is currently growing at a rate of 88k a day according to Krebs on Security. Much of Repear is built on the same foundation as the Mirai botnet which was incredibly successful. The approaches of each are different. Mirai used a known list of default passwords to compromise IoT devices and turn them into an army of DDoS troops. However, Repear appears to be much more methodical in it’s approach. It is constantly trying numerous weaknesses until it infiltrates the machine. Reapers method is faster and easier, and it can learn new vulnerabilities as it discovers them. Checkpoint believes that attacks were coming from many different countries totaling approximately 60% of corporate networks which are part of the ThreatCloud Global Network.[iii]
Although the author of Mirai was recently identified and arrested and sentenced the author of the Repear botnot is unknown. Therefore, it is better to be safe than sorry and anyone with IoT devices should investigate their safety as soon as possible. As leaders responsible for stopping threats to operational technologies, IoT systems & devices and ensuring the overall security of your network you must take steps to ensure you minimize the risks from IoT devices & Botnet attacks
Recommended steps should organizations take to secure IoT devices:
- Conduct security evaluations of all IoT hardware being used both inside and outside the firewall including testing the physical hardware for vulnerabilities, whitebox testing software, and penetration testing your IoT network and devices.
- Start at the bottom at the chip level. Cases have already shown nefarious code implanted in chips. Perform hardware penetration testing at the chip and board level.
- Limiting remote access to the devices to only administrators.
- Ensure you have strong authentication mechanisms if remote access is needed. Strong unique non-sequential passwords for devices and include a second authentication factor.
- For administrator and user services require strong authentication to systems and supporting software.
- Include logic to verify updates before any changes to the devices are made to ensure only authorized software and firmware are used.
- Utilizing an MSSP to manage security of IoT devices to better react to threats and stop any exploit before it becomes more prolific and attacks non-IoT portions of your network.
[i] KrebsOnSecurity: KrebsOnSecurity Hit With Record DDoS
[ii] Forbes Technology Council: Distributed-Denial-Of-Service Attacks And DNS
[iii] Checkpoint Research: A New IoT Botnet Storm is Coming