Join 24×7 Chief Editor Keri Stephens as she talks to Daniel dos Santos—head of security research at cybersecurity provider Forescout—about the riskiest medical devices in enterprise networks. The podcast, which follows Forescout’s Vedere Labs’ “2022 Riskiest Devices in Enterprise Networks Report,” reveals what healthcare providers need to know about the security of the devices they house. Hint: Patient monitors are especially problematic from a cybersecurity perspective.

Dos Santos also discloses how medical devices can be a key entry point for a hospital-wide cyberattack and why cybercriminals target legacy equipment in particular. Finally, he shares why everyone—from device manufacturers to those configuring the equipment—has a role to play in medical device cybersecurity.

Podcast Transcript

Keri Stephens:

Hello and welcome to the 24×7 Podcast on the MEDQOR Podcast Network. I’m Keri Stephens, the chief editor of 24×7 Magazine. Today, I’m here with Daniel dos Santos, head of security research at Forescout, a company that recently conducted research looking into the riskiest Internet of Medical Things devices. Daniel, thank you for being here today.

Daniel dos Santos:

Thank you so much, Keri. My pleasure.

Keri Stephens:

We’re really happy to have you. And Forescout recently contributed an article to 24×7, talking about the riskiest medical devices. Can you talk about this study, and what y’all found?

Daniel dos Santos:

Yeah, sure. So we looked at a database of close to 19 million devices that we constantly monitor on our customer networks, to try to understand really what are the riskiest devices on their networks these days. And we divided the findings into IT, IoT, Internet of Things, operational technology, OT, and Internet of Medical Things, IoMT, right? So we covered really organizations that are in the healthcare domain and in other domains as well, in manufacturing, retail and many others. To try to understand what are the vulnerabilities that we see, what are the problems, the weaknesses, and how attackers are attacking those devices these days.

Keri Stephens:

One of the things that we read about in the article, was about patient monitors being one of the riskiest. Can you talk about that?

Daniel dos Santos:

Yeah, indeed. So we actually saw kind of two classes of devices in the healthcare domain that were specifically risky. One was the patient monitors, and the others were basically all or a lot of devices that are related to imaging diagnostics. So everything that runs DICOM and so on. So in terms of the patient monitors, the issue is that there have been several vulnerabilities recently disclosed, that are very critical in many patient monitors from several manufacturers. And the fact also is that those devices are very hard to patch because they are embedded devices that typically run legacy software, and that have a long lifespan from 10, 20, 30 years in some cases. And they are very, very, very popular in hospitals and in clinical settings. So there’s a ratio of sometimes even more than one patient monitor per patient in the hospital. So it really is a device that is very popular, and that presents risk to these organizations.

At the same time, what we see is that those devices are connected to the same network as devices that are less secured let’s say, or less critical. You have devices like personal devices, personal mobile devices and things like that. So network segmentation is definitely still a problem. And the fact that those very critical patient monitors are connected to other devices in the same network, presents attack paths and opportunities for attackers to leverage those.

Keri Stephens:

In the article, they wrote, “The healthcare attack surface now encompasses IT, OT, Internet of Things and Internet of Medical Things environments.” That was not always the case. Can you talk about that, and how the change has really impacted security, particularly medical device security?

Daniel dos Santos:

Yeah, of course. So it has a lot to do with what I was just discussing, network segmentation. The fact is that, there are more and more use cases for digitalization in hospitals in every business, but of course in clinical settings as well. Where you have to connect results from laboratory diagnostic machines to electronic health records, to the financial information of customers, to something that is remotely accessible by a patient from their home. So there is a huge need for connectivity, and a huge integration of different types of devices, different types of technologies in hospital networks these days.

And the problem really is when these devices, these networks are not segmented well enough. Where you have, as I mentioned before, the patient monitor, and maybe a mobile phone, or a doctor’s workstation on the same network. And the vulnerabilities of one might provide an attack path to the other. So the increasing digitalization, increasing use of digital technology in organizations is something that is definitely continuing, and we don’t see any end to it. It’s just going to increase. So what we can do is mitigate this type of risk by having segmentation, and devices well controlled in their own network, so that things don’t spill over from one type of device to another.

Keri Stephens:

And the FBI has also joined this conversation, and has said that risk asset management and vulnerability management are necessary to mitigate the risk to medical devices. Can you talk about this, and why it’s monumental that the FBI is getting involved in this issue?

Daniel dos Santos:

Yeah, so it was very interesting, that notice from the FBI. Because it came almost at the same time as our report. I think it came a little bit before our report, but also at the same time when we were looking at exposed medical devices on the internet, or medical systems, and PACS systems and things like that on the internet. And basically the fact is that there is a sort of perfect storm in healthcare security these days, where you have increased connectivity, you have a growing number of vulnerabilities that are being found by researchers, by the device manufacturers themselves. And it’s still a problem to patch, and to secure those devices.

So what the FBI was mentioning in that private industry notification that they sent was exactly the fact that the vulnerabilities are there, they’re not going away. They’re difficult to patch, so you need to do other things, you need to inventory them well, the device as well. And you need to know what is vulnerable and you need to decide what to do about it. But the vulnerabilities are there, and they’re probably not going away for some time. The number of vulnerabilities is really just increasing as people do more research, and as people find issues on these devices.

Recently, for instance, we were looking into hard-coded credentials, hard-coded passwords in medical devices, and you still see disclosure of this type of issue now in 2022, often for medical devices. And that is something that has been going on for at least a decade. If you go back to the CISA archives, to the ICS-CERT archives before that, there are discussions about hard-coded credentials in patient monitors as we discussed before in our [inaudible 00:06:58] medical devices, dating back more than a decade. So the situation is not changing in terms of the vulnerabilities. We need to do something beyond just finding the issues, right?

Keri Stephens:

Yeah. And so 24×7, obviously our audience is the biomeds, the healthcare technology management professionals who know this. They’re very aware that medical devices are vulnerable. And actually we do a salary survey every year, and talk about what worries people the most. And medical device security is always the top of the list. But because our podcast network deals with all different healthcare brands, respiratory, sleep, even orthodontics, do you think that the rest of the industry is aware of the vulnerabilities of medical devices? Or do you think it’s more that just a certain segment knows? And how do you think people should spread the knowledge that this is a big issue, and your medical devices are very vulnerable to cyberattacks?

Daniel dos Santos:

That’s a very, very interesting question. I do believe that indeed there is more awareness of cybersecurity issues these days, probably in big hospitals, big hospital chains and so on. But not in smaller clinics, or people that are dealing with a certain segment of the healthcare market. And we do need to definitely increase awareness, and talk about how these issues are not affecting only the big players. So for instance, if you go even to the ransomware plague, the ransomware epidemics that we see these days, a lot of the attacks started with big players, and then they moved down to smaller organizations that were also vulnerable, and that also then had to pay ransom and so on. So security and healthcare security is a problem that is not just for the big hospitals. We need to spread awareness, but we also need to discuss the actual solutions. As I was saying before, I think that network segmentation is something that has to be understood by everybody.

And the fact is that, whether you have one router with one personal phone and one medical device, or you are a big hospital where you have hundreds of medical devices and hundreds of those personal phones, the ideas are more or less similar. Those things should not be talking to each other, and there should be some rules governing the communication there, so that attackers cannot jump from one thing to the other. Similarly, you mentioned asset inventory from the FBI notification, right? That’s something that, yeah, of course it’s a much bigger challenge in a larger organization. But even in smaller organizations and specific sectors of the market, there are devices that you might not be aware that are connected to your network. And especially things like consumer IoT these days. I don’t know, webcams and all these doorbells, electronic doorbells, and thermostats and things like that. They might be connected to the same networks as your medical devices. And if you don’t have the right type of asset inventory, you don’t even know that those devices are on your network in the first place, or that they are communicating with your medical devices.

Keri Stephens:

Yeah, that makes a lot of sense. To go back to the subject of the article that we did on 24×7.com, it was titled, “Can a Patient Monitor Cause a Ransomware Attack?” Can you go back to that? That basically a medical device can cause a ransomware attack. And why do you think these bad actors and cybercriminals are targeting medical devices?

Daniel dos Santos:

Yeah, so I think that there are two things. One thing is a medical device causing or starting in a way a ransomware attack, or being the entry point, let’s put it this way, for a ransomware attack. And the other thing is when a ransomware attack for whatever reason, or any sort of cyberattack, affects a medical device as the impact part of the attack, not as an entry point. So we need to divide these two issues. So the second issue, where the impact happens on a medical device, is becoming more and more and more common these days. And it’s often the case that these attacks are actually spilling over from IT devices, from the doctor’s workstations, or the servers that host financial information, health records and so on, to medical devices because of the issues I’ve been mentioning with network segmentation.

Because many medical devices still run legacy systems, and are on the same network, and these things might just be spreading there on the network. So this is something that is becoming much, much more common, and we definitely need to pay attention. There are several examples of healthcare and patient care being either delayed or canceled, or a big impact on healthcare delivery because of ransomware attacks. On the other side, a medical device actually being the entry point for a ransomware attack is something that is much more rare, but it’s something that we should open our eyes to, in the sense that…

As I mentioned before, one of the other studies that we were doing recently was about exposed medical systems and medical devices on the internet. And you would think that you wouldn’t find many medical devices exposed online. Well, there are many, many things still exposed. One of the risky types of devices that we saw on the report was everything that is connected to DICOM and to imaging diagnostics.

So it’s not the case that you may see a CT scanner directly connected on the internet, but you’ll see some systems that are connected to that CT scanner, some PACS systems that will then be exposed. And those may provide an entry point to ransomware. At the same time, if organizations don’t pay enough attention, and for whatever reason there is a medical device that is exposed online, it could provide an entry point for ransomware. Whether that is a patient monitor as is in the title of the article, or an imaging workstation, or a CT scanner or something like that, that I mentioned before. So there is a possibility. It all depends on how networks are configured, and how much attention is being paid to the devices and to how they’re connected internally. But there is definitely a possibility for that.

Keri Stephens:

Great. And as a last question, you’re obviously in a security sphere, so you have a lot more knowledge than the average listener. This is your boiler, what would you like to tell the listeners of the MEDQOR Podcast Network about cybersecurity, particularly as it relates to medical devices?

Daniel dos Santos:

Yeah, so I think the first thing is that we need to be aware that cybersecurity is an issue that is now, it should really be top of mind for everybody who is dealing with connected devices. Whether you are a practitioner in a clinical setting, or whether you are the CSO of a hospital, or whether you are a doctor or a nurse, you need to think that those devices are connected to other devices that in turn, at some point, will have a connection outside. And that people can somehow make money or cause disruption, cause destruction, by leveraging those devices.

And the fact is, everybody has a role to play. From device manufacturers to the people configuring those devices, to the people using those devices. So everybody can think of what they can do to improve cybersecurity. Again, if you’re just using a device, maybe you have a password that you shouldn’t be sharing with other people. Or maybe when you are leaving the room, you should lock the screen of the device so that somebody cannot physically come in and use that device for an attack.

And if you are configuring the network where those devices sit, you have to be thinking about cybersecurity as a very important element. So it’s not just connectivity and enabling the use cases that you need to enable, but you need to enable cybersecurity also on that network. So I believe that really thinking about the role that you can play in a big chain of events and a big line of people that are helping to protect clinical environments, is a message that I would like to leave.

Keri Stephens:

Thank you. Well, Daniel, this has been so informative. Thank you so much for joining me today. To our listeners, thank you for joining us as well. As always, be sure to subscribe to the MEDQOR Podcast Network to keep up with the latest 24×7 Podcast episodes. And be sure to check out 24x7mag.com for the latest industry news. Until next time, take care. Thank you.