The healthcare ecosystem has become more connected through the growing use of Internet of Things (IoT) devices, and connected medical devices introduce vulnerabilities into healthcare organizations. While infusion pumps are the most widely deployed connected medical device, a recent study found that they are not the leading source of security issues. Imaging systems, the source of 51 percent of all security issues, ranked as the top security risk, the study found.
Researchers at ZingBox, a Mountain View, Calif.-based Internet of Things (IoT) security software company, detected, identified and analyzed the behavior of medical devices deployed in more than 50 hospitals, clinics, and other healthcare locations. The researchers looked at a wide range of medical devices, from infusion pumps and patient monitors to imaging systems and medical device gateways, highlighting vulnerabilities in hospital networks and shedding light on the causes of common security events.
According to the report, over the course of 2017 the researchers analyzed tens of thousands of devices and found security issues ranging from user-practice problems to outdated software. The study set out to examine the makeup of a connected healthcare ecosystem and the common vulnerabilities introduced by IoT medical devices. Its findings also describe the environment in which the medical devices sit, including network topology and segmentation, identify the most common security issues plaguing connected medical devices, and recommend strategies to address those vulnerabilities.
Xu Zou, ZingBox CEO and co-founder, said the study results help to pinpoint not just where the vulnerabilities are, but what types of issues are triggering them.
“The report's findings closely mirror what we have been hearing from our customers about incidents, risks, and related challenges. Many organizations don't have a clear picture of the vulnerabilities on their networks — or even what devices are connected on those networks,” Zou said.
According to the report, the most common type of security risk originates from user practice issues, such as using embedded browsers on medical workstations to surf the web, chat online or download content; these accounted for 41 percent of all security issues. Use of unauthorized applications (22 percent) and browsers (18 percent) make up the bulk of user practice issues and are the leading security issues for connected medical devices.
This was followed by outdated OS or software, such as legacy Windows versions, obsolete applications and unpatched firmware, accounting for one-third (33 percent) of all security risks found on connected medical devices.
The study found that close to half (46 percent) of all connected medical devices are infusion pumps, which potentially represent the largest attack surface for cyber threats. The study notes that the industry practice of device segmentation, if not configured correctly, can have a disastrous effect on such large numbers of devices: missing or misconfigured segmentation accelerates attacks and infections should a single device on the network be compromised. Despite the large attack surface, only two percent of security issues were due to infusion pumps.
“It is interesting to point out that while infusion pumps make up nearly 50 percent of connected devices in hospitals, they don't represent the largest cyberattack surface,” Zou said. “Security issues relating to infusion pumps were only at two percent. However, attention to protecting these devices should still be a priority since a successful attack on a single infusion pump could result in disabling the bulk of all infusion pumps through lateral movement and infection.”
Imaging systems are the second most common medical device deployed in healthcare organizations, according to the study, at 19 percent. Patient monitors are the third most common medical device, at 17 percent. In the study, the category of imaging systems not only includes X-ray, ultrasound, and magnetic resonance imaging (MRI) machines, it also includes image viewers, Digital Imaging and Communications in Medicine (DICOM) workstations, and picture archiving and communication system (PACS) servers. Many of these devices run a Windows OS and carry applications such as web browsers, making them vulnerable to threats that exploit OS and application vulnerabilities, the study notes.
As noted above, imaging systems were found to have the most security issues, accounting for about half of all security issues across tens of thousands of devices included in the study.
The study notes that several characteristics of imaging systems contribute to their being the riskiest device in an organization's inventory. "Imaging systems are often designed on commercial-off-the-shelf (COTS) OS, they are expected to have long lifespan (15-20 years), very expensive to replace, and often outlive the service agreement from the vendors as well as the COTS provider," the study authors wrote. "The distributed nature of imaging systems with devices, servers and various nodes interconnected, also contributes to many security issues."
Imaging systems also have the largest number of network applications of all connected medical devices included in the study, with an average of seven network applications per device.
Micro-segmentation is considered a standard practice for limiting lateral infection or movement while at the same time enabling efficient device management. By placing devices in virtual LANs (VLANs), organizations can isolate like devices from other device types, the study states. The benefit of micro-segmentation can only be realized, however, if organizations follow a sound practice of implementing and maintaining those segments on a regular basis.
The majority of hospitals (88 percent) have fewer than 20 VLANs containing medical devices. According to the researchers, this is far too few VLANs to implement a micro-segmentation strategy successfully for practically any size of healthcare organization.
The study findings indicate that organizations are either not implementing enough micro-segmentation (as illustrated by the low number of VLANs, with 43 percent of organizations having 10 or fewer VLANs and a further 45 percent having between 10 and 20) or have gone to the other extreme of over-segmenting the network, as shown by the two percent of organizations with 100 or more VLANs. The researchers expect more organizations to fill in the area in between as they adopt tools and processes that give them visibility into device context and use it for onboarding.
The study also found that medical devices are not the predominant devices found in medical VLANs. In fact, medical devices make up less than a quarter (23 percent) of all devices on those VLANs. PCs are the largest device type in a typical medical VLAN at 43 percent. Aside from PCs, other non-medical devices such as printers, IP phones, and surveillance cameras can also be found there.
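The VLAN-composition finding above is the kind of check a security team can run itself once it has a device inventory. The following is an added example, not ZingBox's code or data: it takes a constructed inventory of (hostname, device type, VLAN) records, reports which VLANs hold medical devices, flags VLANs where medical devices share a broadcast domain with PCs, printers or cameras, and computes the same "share of devices on medical VLANs that are actually medical" figure the report gives. The hostnames, VLAN ids and type labels are assumptions for illustration.

```python
"""Audit how medical VLANs are populated (added example, constructed data)."""
from collections import Counter, defaultdict

# Device types the audit treats as medical; everything else is non-medical.
MEDICAL_TYPES = {"infusion_pump", "imaging_system", "patient_monitor", "device_gateway"}

# Constructed inventory for illustration: (hostname, device_type, vlan_id). Not real data.
INVENTORY = [
    ("pump-01", "infusion_pump", 110),
    ("pump-02", "infusion_pump", 110),
    ("pump-03", "infusion_pump", 110),
    ("pc-nurse-1", "pc", 110),                 # general-purpose PC on the pump VLAN
    ("printer-icu", "printer", 110),
    ("mri-01", "imaging_system", 120),
    ("pacs-srv", "imaging_system", 120),
    ("dicom-ws-1", "imaging_system", 120),
    ("pc-rad-1", "pc", 120),
    ("cam-lobby", "surveillance_camera", 120),  # camera sitting beside the PACS server
    ("monitor-07", "patient_monitor", 130),
    ("monitor-08", "patient_monitor", 130),
    ("ipphone-3", "ip_phone", 300),
    ("pc-admin-2", "pc", 300),
]


def vlan_composition(inventory):
    """Return {vlan_id: Counter(device_type -> count)}."""
    comp = defaultdict(Counter)
    for _host, dtype, vlan in inventory:
        comp[vlan][dtype] += 1
    return dict(comp)


def medical_vlans(inventory):
    """Sorted VLAN ids that contain at least one medical device."""
    return sorted({vlan for _host, dtype, vlan in inventory if dtype in MEDICAL_TYPES})


def mixed_vlans(inventory):
    """VLANs where medical and non-medical devices share a broadcast domain.

    Returns {vlan_id: (medical_count, nonmedical_count, medical_share)}.
    A compromised PC or printer in such a VLAN can reach every medical
    device next to it, which is the lateral-movement risk the report warns about.
    """
    result = {}
    for vlan, counts in vlan_composition(inventory).items():
        med = sum(n for dtype, n in counts.items() if dtype in MEDICAL_TYPES)
        non = sum(counts.values()) - med
        if med and non:
            result[vlan] = (med, non, round(med / (med + non), 2))
    return result


def medical_device_share(inventory):
    """Fraction of devices on medical VLANs that are actually medical devices."""
    med_vlans = set(medical_vlans(inventory))
    on_medical = [dtype for _host, dtype, vlan in inventory if vlan in med_vlans]
    if not on_medical:
        return 0.0
    med = sum(1 for dtype in on_medical if dtype in MEDICAL_TYPES)
    return round(med / len(on_medical), 2)


if __name__ == "__main__":
    print("medical VLANs:", medical_vlans(INVENTORY))
    for vlan, (med, non, share) in sorted(mixed_vlans(INVENTORY).items()):
        print(f"VLAN {vlan}: {med} medical, {non} non-medical, medical share {share:.0%}")
    print("share of medical devices on medical VLANs:", medical_device_share(INVENTORY))
```

Run against a real inventory export, the `mixed_vlans` output is the list of segments to split first; a VLAN whose medical share is well below 100 percent is one where "micro-segmentation" exists on paper only.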
The study authors also contend that most connected medical devices cannot be protected by traditional IT means. They argue that advances in AI and the emergence of IoT-specific security tools now give healthcare providers the visibility needed to protect and manage their devices and networks, including real-time insight into which medical devices are deployed, the network configuration and topology, the security risk of each device, and its operational efficiency.
The report offered a number of recommendations:
- Base security strategy on an accurate inventory of devices and network configurations.
- Control rogue applications and communications. Applying contextual enforcement policies based on individual device types can greatly reduce exposure to rogue applications and to lateral movement of infection due to inappropriate use.
- Develop strategies for the top vulnerabilities and risks.
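The second recommendation, contextual enforcement keyed to device type, can be prototyped offline before it is pushed into a firewall or NAC. Below is an added example, not the report's or ZingBox's code: a small allowlist of (protocol, destination port, destination network) per device type, evaluated against constructed flow records. It separates flows that match the device's expected role (DICOM from an imaging workstation to the PACS segment, HL7 from a pump to its server) from the two failure modes the report highlights: an embedded browser on a medical workstation reaching the Internet, and a medical device opening an unrelated port toward another segment. The addresses, the vendor relay network and the role of each port are assumptions for illustration; DICOM on TCP 104/11112 and HL7 MLLP on TCP 2575 are common conventions, not facts from the report.

```python
"""Per-device-type flow allowlist (added example, constructed policy and flows)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_type: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Hypothetical policy: for each device type, the only (proto, dst_port, dst_network)
# combinations it may initiate. Anything else is denied. Networks are assumptions.
POLICY = {
    "imaging_system": [
        ("tcp", 104, "10.20.0.0/24"),     # DICOM to the PACS segment
        ("tcp", 11112, "10.20.0.0/24"),   # DICOM alternate port, same segment
        ("tcp", 443, "10.99.1.0/24"),     # HTTPS only to the vendor update relay
    ],
    "infusion_pump": [
        ("tcp", 2575, "10.20.1.10/32"),   # HL7 over MLLP to the pump server
    ],
    "patient_monitor": [
        ("tcp", 2575, "10.20.1.10/32"),   # HL7 to the central station
        ("udp", 123, "10.0.0.5/32"),      # NTP to the internal time source
    ],
}

# Ports that, when used toward a non-private address, indicate browsing or chat
# from a device that has no business doing either.
WEB_PORTS = {80, 443, 8080}


def evaluate(flow, policy=POLICY):
    """Classify one flow: 'allow', 'deny:web-browsing', 'deny:unlisted' or 'unknown-device-type'."""
    rules = policy.get(flow.src_type)
    if rules is None:
        # No context for this device type: it should not be on a medical VLAN at all.
        return "unknown-device-type"
    dst = ipaddress.ip_address(flow.dst_ip)
    for proto, port, net in rules:
        if flow.proto == proto and flow.dst_port == port and dst in ipaddress.ip_network(net):
            return "allow"
    if flow.dst_port in WEB_PORTS and not dst.is_private:
        return "deny:web-browsing"
    return "deny:unlisted"


# Constructed flow records for illustration (not captured traffic).
FLOWS = [
    Flow("mri-01", "imaging_system", "10.20.0.15", 104),
    Flow("dicom-ws-1", "imaging_system", "93.184.216.34", 443),  # embedded browser to the Internet
    Flow("dicom-ws-1", "imaging_system", "10.99.1.4", 443),      # vendor relay: permitted
    Flow("pump-02", "infusion_pump", "10.20.1.10", 2575),
    Flow("pump-02", "infusion_pump", "10.20.0.15", 445),         # SMB toward the PACS server: lateral movement candidate
    Flow("monitor-07", "patient_monitor", "10.0.0.5", 123, "udp"),
    Flow("cam-lobby", "surveillance_camera", "10.20.0.15", 104),  # camera with no policy at all
]


def summarize(flows, policy=POLICY):
    """Count verdicts across a batch of flows."""
    return Counter(evaluate(f, policy) for f in flows)


def violations(flows, policy=POLICY):
    """Every non-allowed flow as (src_host, dst_ip, dst_port, verdict)."""
    out = []
    for f in flows:
        verdict = evaluate(f, policy)
        if verdict != "allow":
            out.append((f.src_host, f.dst_ip, f.dst_port, verdict))
    return out


if __name__ == "__main__":
    print(summarize(FLOWS))
    for v in violations(FLOWS):
        print("violation:", v)
```

The policy is deliberately written as a positive allowlist per device type rather than a blocklist of bad ports: an infusion pump has a handful of legitimate peers, so anything outside that set is worth alerting on, whereas a blocklist would never anticipate the SMB probe in the sample flows.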