As CIO’s and CISO’s who walk the halls of healthcare institutions know all too well, the number of devices being enabled in the Internet of Things and Internet of Medical Things around us is exploding exponentially. With this explosion, complexities arise in security, data collection, storage, and especially lifecycle management. Devices have varying degrees of security and lifespans that range from two years up to 15 years, adding complications to management strategies.
Medical devices are the next perfect storm as a security threat vector and lifecycle management is now becoming predicated on risk and security vulnerabilities within the legacy device ecosystem. Hackers increasingly turn to medical technology used by providers as the next mechanism to commandeer and attack networks and hold organizations for ransom. Medical IoT devices are connected to a vast array of sensors, monitors and numerous applications making them an ideal entry point into the larger hospital networks and an easy way to propagate attacks to other systems.
The FDA started to make cybersecurity a priority in 2013 as a requirement for connected medical devices; however, due to the long development cycle of these devices and long time to get certified for use in the market, the rollout is slow. This will result in a significant lag in the introduction of connected devices that have embedded cyber threat resilience components that can thwart modern threats. This creates an incredibly complex lifecycle management challenge for healthcare technology.
Cybersecurity challenges are now becoming the primary driver for lifecycle management of medical technology. Older compromised systems present a sizeable risk to cybersecurity and leave every member of the C-Suite asking how to tackle this challenge. Often these systems have little to no update capabilities, are outside of vendor support or have been replaced with newer, better supported product lines. Vendor support for cybersecurity vulnerabilities typically takes time to create, test and patch before they can be deployed across the entire device population. As an example, an EEG monitor has a typical lifespan of 10 years. During that period security vulnerabilities will change and morph making it difficult for manufacturers to keep pace with the cybersecurity threat landscape. Even worse, securing these devices ultimately rests on the provider.
One must keep in mind that vulnerability testing is complex because of the various systems, subsystems and chipsets that are embedded in these devices. Most organizations simply do not have a $10 million budget to create a lab or staff who has the functional expertise to effectively perform hardware and software vulnerability testing with the rigor required to pass a security audit. Organizations must hire vendors who have the needed technical expertise, specialized staff and equipment in ferreting out vulnerabilities in purpose-built devices. It is not enough to perform a software scan on a device and assume it is secure.
So what approach should an organization take to lowering their risk on medical devices with varying usable lifespans and cybersecurity protections?
Evaluate Your Environment For Risk
- Identify devices that are end of life. These devices will have no updates released, which exposes them to risk. Furthermore, discovered vulnerabilities may not be announced by the company. We recommend you replace these devices with supported systems.
- Identify systems that are no longer covered by service contracts or lack current operating systems capable of being secured. This issue is similar to devices that are end of life, and should also be replaced or covered by a new service contract.
- Audit prospective vendors security, patch management and cyber-security countermeasures to ensure satisfactory risk mitigation
- Contract for penetration testing of on premise devices. It’s important to cover both the hardware and software of the device in this assessment.
- Consider WIFI, Bluetooth, SD card and proprietary RF interfaces as potential areas of compromise on devices. Ensure there are controls in place to monitor and protect devices over all communication protocols. Disable protocols that are not in use if possible.
- Create a risk profile for each device used in your environment and a risk score and then prioritize based on that risk creating a lifecycle management posture rooted in security.
Global Risk And Compliance
- Have an action plan: Create standard operating procedures for what to do when medical devices are compromised
- Create a risk framework for each device to determine what to do if a device is infected with malware or has been compromised by a hacker
- Include medical devices in your governance plan to ensure that compromises are dealt with at an appropriate level and escalation paths are included
- Ensure you have logs for each device with current firmware versions, patches, etc. and ensure you have a process and policy to perform medical device updates.
- Create Incident response plans specific to breaches involving medical devices and have a team assembled. Include retainers for breach mitigation and post-mortem cyber forensics.
By implementing and monitoring the product lifecycle, leaders, CSOs and CISOs can better plan when to introduce new operational technology in the environment. Ensuring that each of these devices will not negatively impact your operations is critical for continuity of care and allowing for the transformative delivery of healthcare services and improved patient outcomes. Implementing a lifecycle management approach to medical device refreshes rooted in a security framework will allow providers to keep pace with the rapidly evolving threat landscape that is currently plaguing the industry, while ensuring compliance and minimizing security threats and vulnerabilities in the process.
Iot Security and BotNets are a hot topic right now because of several high-profile attacks. On September 20, 2016 Brian Krebs security blog krebsonsecurity.com was the victim of such an attack. One of the largest attacks recorded exceeded 620 gigabits per second(Gbs.).[i]
After the Mirai botnet was declared the major culprit in the largest DDoS attack in history it became evidently clear that IoT was the next battleground on the front against Botnets. Striking at the core of Dyn a major domain name service company this botnet wreaked havoc in a 3-wave attack. It shut down major sites across the internet, gaming networks and other online services. “Attackers used the Mirai botnet to overwhelm Dyn’s DNS servers with a whopping 1.2 terabits per second of traffic. Dyn’s DNS servers couldn’t respond to legitimate DNS queries under the load, which rendered Dyn’s customers — including the New York Times, Reddit, Tumblr and Twitter – unreachable”[ii] As we look back through the annals of IoT breach history operational technology systems, consumer devices, medical devices and industrial control systems pose some of the highest risks to be taken over and enlisted as a zombie horde of devices just waiting to unleash havoc on networks with increasing frequency.
In February of 2017 a new threat emerged rooted in a multi-vector attack. A Windows Trojan that harbored IoT attack code was detected in the wild by malware researchers. It essentially looked-for vulnerabilities in Windows computers, infected them with a trojan horse that then scanned for vulnerable IoT devices infecting them with a variant of Mirai IoT botnet code. Why is this important? A computer infected with the trojan is sitting behind the firewall. Now it is scanning for vulnerable IoT Devices behind the firewall effectively circumventing the firewall and intrusion detection systems and taking command of the devices inside your network to launching a DDoS attack from inside your own network or worse. Now machines can orchestrate a DDoS attack using SSDP because they have already successfully bypassed the firewall and other defense mechanisms.
The challenge however is that SSDP can lead to a 30x amplification of the attack. The Windows Mirai Spreader essentially flipped the script on what we believe to be innocuous devices on our own internal networks. This invariable will gain more importance as IoT 4.0 implementations happen in buildings, cities, industrial controls and vehicle networks. As attackers grow more sophisticated in their approaches we are not beyond the realm of polymorphic IoT attacks targeting command and control server environments causing servers or devices to return adaptive malicious code which fits the specific task it has been assigned to do.
Ever increasing complexity of the delivery systems now poses an even greater threat. Imagine you are a hospital with thousands of medical devices connected to your network. Someone infects those devices and they launch an internal DDOS attack against the network. Suddenly your operational systems are shut down at a hospital crippling scheduling system, billing systems and other infrastructure and thereby causing the facility to have to shut down. It would no longer be able to schedule procedures to occur and even worse force the relocation of patients to other facilities. The potential is there for a Botnet to become the delivery mechanism for crypto lockers. Essentially ransoming medical devices, operational controls, elevators or any device within the IoT realm. The effects on facilities could be catastrophic and even potentially life threatening.
Now we are facing Reaper. It is gathering a horde of devices. It is estimated that Reaper has over 2m troops and it could grow to 3.5m or more. It is currently growing at a rate of 88k a day according to Krebs on Security. Much of Repear is built on the same foundation as the Mirai botnet which was incredibly successful. The approaches of each are different. Mirai used a known list of default passwords to compromise IoT devices and turn them into an army of DDoS troops. However, Repear appears to be much more methodical in it’s approach. It is constantly trying numerous weaknesses until it infiltrates the machine. Reapers method is faster and easier, and it can learn new vulnerabilities as it discovers them. Checkpoint believes that attacks were coming from many different countries totaling approximately 60% of corporate networks which are part of the ThreatCloud Global Network.[iii]
Although the author of Mirai was recently identified and arrested and sentenced the author of the Repear botnot is unknown. Therefore, it is better to be safe than sorry and anyone with IoT devices should investigate their safety as soon as possible. As leaders responsible for stopping threats to operational technologies, IoT systems & devices and ensuring the overall security of your network you must take steps to ensure you minimize the risks from IoT devices & Botnet attacks
Recommended steps should organizations take to secure IoT devices:
- Conduct security evaluations of all IoT hardware being used both inside and outside the firewall including testing the physical hardware for vulnerabilities, whitebox testing software, and penetration testing your IoT network and devices.
- Start at the bottom at the chip level. Cases have already shown nefarious code implanted in chips. Perform hardware penetration testing at the chip and board level.
- Limiting remote access to the devices to only administrators.
- Ensure you have strong authentication mechanisms if remote access is needed. Strong unique non-sequential passwords for devices and include a second authentication factor.
- For administrator and user services require strong authentication to systems and supporting software.
- Include logic to verify updates before any changes to the devices are made to ensure only authorized software and firmware are used.
- Utilizing an MSSP to manage security of IoT devices to better react to threats and stop any exploit before it becomes more prolific and attacks non-IoT portions of your network.
[i] KrebsOnSecurity: KrebsOnSecurity Hit With Record DDoS
[ii] Forbes Technology Council: Distributed-Denial-Of-Service Attacks And DNS
[iii] Checkpoint Research: A New IoT Botnet Storm is Coming