By Daniel Trivellato, VP of OT & IoMT Solutions, Forescout

Headlines about healthcare workforce shortages are nothing new. For at least a decade, the deficit has been deepening as both physicians and clinical staff approach retirement age. Between short-term burnout from the COVID-19 pandemic and a long-range pipeline deficit, health systems face a “historic workforce crisis” according to AHA. There are no easy answers. Meanwhile, another critical labor shortage plagues hospitals: cybersecurity workers.

According to Cybersecurity Ventures, the shortage within the IT/cybersecurity sector is nearly unmatched: Between 2013 and 2021, the number of unfilled cybersecurity positions increased from one million to 3.5 million. Finding workers with knowledge of Internet of Medical Things (IoMT) and connected medical devices is especially hard.

Identifying Healthcare-specific Cyber Challenges

Attractive Targets: According to the 2022 Cost of a Data Breach report, for the 12th consecutive year, the healthcare sector suffered the most expensive data breach costs of any industry. The average cost of a healthcare data breach rose to $10.1 million per incident between March 2021 and March 2022, up 41.6% from the previous period.

Attackers know healthcare organizations are more likely to quickly pay the ransom to get encrypted data back and protect patient safety; they cannot afford to let medical equipment go offline or malfunction, nor release personal health information.

Direct Threats to Patient Care: Electronic health record (EHR) downtime and emergency department (ED) diversions are common after a successful cyberattack, but increasingly such attacks are threatening direct patient care.

Last September the FBI issued a private industry notification to healthcare entities (following a 2020 ransomware alert), warning that unpatched and outdated medical devices often lack adequate security features, providing threat actors with opportunities to exploit vulnerabilities. Susceptible devices include “insulin pumps, cardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps,” which can be compromised “to give inaccurate readings, administer drug overdoses or otherwise endanger patient health.”

The FBI notification followed on the heels of similar warnings from CISA, the HHS, the FDA, and the Treasury Department.

Insecure by Design: The rise of ransomware attacks against healthcare organizations, record-setting breaches and the widespread vulnerabilities associated with medical devices are symptomatic of an underlying condition: many medical devices are insecure by design and challenging to protect.

Internet of Things (IoT), operational technology (OT), and IoMT are non-traditional device categories that share one common denominator: they are insecure by design. Vedere Labs, the cybersecurity research arm of Forescout Technologies, is known for its research into these devices, including supply chain vulnerabilities in underlying software components and the insecure-by-design practices of vendors for whom security may be an afterthought. Its research findings include:

  • Access:7 – Discovered seven supply chain vulnerabilities impacting medical and IoT devices that, if exploited, could enable hackers to remotely execute malicious code, access sensitive data or alter device configurations
  • NUCLEUS:13 – Revealed 13 vulnerabilities affecting the Nucleus TCP/IP stack used in safety-critical devices such as anesthesia machines and patient monitors
  • R4IoT – Used a hospital setting to demonstrate how proof-of-concept ransomware could exploit an IP surveillance camera to gain access and move laterally in an IT network and crash the HVAC system to disable fans and electricity on patient floors

Parallel Challenges with Other Critical Infrastructure Industries

Like OT systems that control critical infrastructure and manufacturing processes, medical devices traditionally weren’t connected to the internet or IT networks. They weren’t built with security in mind and frequently still require insecure legacy systems to operate. Adding controls later can be difficult. Today, these same medical devices have become hyper-connected to IT networks and cloud, where they’re often the weakest access point.

Added regulatory requirements make it hard for medical device manufacturers to publish patches without time-consuming FDA review cycles. Even when patches are made available, because medical devices are mission-critical, proprietary and often decades-old, they can be difficult to update.

Likewise, IT security tools were not designed for clinical networks, so most organizations lack visibility into these devices. Cybersecurity sits within the IT department. IoMT and medical devices are typically managed by biomedical or clinical engineers, whose primary concerns are quality assurance, inventory tracking, regulatory compliance and hardware maintenance. Their job is to ensure the right device is available to the clinician and patient when needed.

This false dichotomy is not unique: Critical infrastructure operators and manufacturers face similar challenges. OT engineers—the asset owners—are primarily concerned with productivity and uptime, not cyber risks. Again, their IT counterparts may have little visibility into OT device inventory and status. However, as OT, IT, IoT, and IoMT networks continue to converge, so must their oversight.


The Riskiest Connected Devices in Healthcare

Recently Forescout’s Vedere Labs analyzed data from almost 19 million IT, OT, IoT, and IoMT devices in its cloud data lake to determine the riskiest connected devices commonly found on enterprise networks. Most of them are perennial favorites such as networking equipment, VoIP, IP cameras, and building programmable logic controllers (PLCs), with hypervisors and human-machine interfaces (HMIs) joining the list in 2022. These devices are frequently exposed on the internet, critical to business operations and typically have unpatched vulnerabilities that can be exploited.

As businesses, health systems are susceptible to these mainstream device risks. But they must also worry about insecure medical devices. As part of the analysis, Vedere Labs identified these five riskiest devices:

  • DICOM workstations
  • Nuclear medicine systems
  • Imaging devices
  • PACS
  • Patient monitors

The first four are all used for medical imaging. These machines commonly run legacy IT operating systems and are designed to facilitate easy sharing of medical imaging data (and sensitive patient data), which is a high priority for patient care. The DICOM standard is commonly used for sharing files and wasn’t developed with security in mind. While it does permit the encryption of data in transit, such encryption isn’t activated in many hospitals. That means medical images are transmitted in clear text and can easily be intercepted and tampered with.
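As an added example (not from the article or from Forescout), here is a small Python check a defender could run over the first bytes of captured client-to-server TCP streams on the DICOM ports (104 and 11112) to flag associations opened in clear text rather than over TLS. The PDU layout follows the DICOM upper-layer A-ASSOCIATE-RQ format; the flows, addresses and AE titles are constructed sample data.

```python
import struct

DICOM_PORTS = {104, 11112}  # IANA-registered DICOM ports

def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """Build the fixed part of a DICOM A-ASSOCIATE-RQ PDU (sample data only).
    Layout: type 0x01, reserved, 4-byte length, protocol version 1, reserved,
    16-byte called AE title, 16-byte calling AE title, 32 reserved bytes."""
    body = struct.pack(">HH", 1, 0)
    body += called_ae.ljust(16).encode("ascii")
    body += calling_ae.ljust(16).encode("ascii")
    body += b"\x00" * 32  # variable items (contexts) omitted for brevity
    return struct.pack(">BBI", 0x01, 0, len(body)) + body

def classify_dicom_stream(payload: bytes) -> dict:
    """Classify the first bytes of a client->server stream on a DICOM port."""
    # A TLS handshake record starts 0x16 0x03; DICOM over TLS looks like this.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"kind": "tls", "cleartext": False}
    # A bare A-ASSOCIATE-RQ means the association is negotiated in clear text.
    if len(payload) >= 74 and payload[0] == 0x01 and payload[1] == 0x00:
        pdu_len = struct.unpack(">I", payload[2:6])[0]
        version = struct.unpack(">H", payload[6:8])[0]
        if version == 1 and pdu_len >= 68:
            return {"kind": "dicom-associate-rq", "cleartext": True,
                    "called_ae": payload[10:26].decode("ascii", "replace").strip(),
                    "calling_ae": payload[26:42].decode("ascii", "replace").strip()}
    return {"kind": "unknown", "cleartext": None}

def find_cleartext_dicom(flows):
    """Return (src, dst, called_ae, calling_ae) for clear-text DICOM associations."""
    findings = []
    for src, dst, dport, payload in flows:
        if dport not in DICOM_PORTS:
            continue
        info = classify_dicom_stream(payload)
        if info["cleartext"]:
            findings.append((src, dst, info["called_ae"], info["calling_ae"]))
    return findings

# Constructed sample flows: (src, dst, dst_port, first bytes of the stream).
SAMPLE_FLOWS = [
    ("10.0.5.21", "10.0.9.10", 104, build_associate_rq("PACS_SERVER", "CT_MODALITY")),
    ("10.0.5.22", "10.0.9.10", 11112, bytes.fromhex("160303002a0100002603") + b"\x00" * 32),
    ("10.0.5.23", "10.0.9.10", 443, build_associate_rq("OTHER", "HOST")),  # not a DICOM port
]

if __name__ == "__main__":
    for finding in find_cleartext_dicom(SAMPLE_FLOWS):
        print("clear-text DICOM association:", finding)
```

Feeding this the first packet of each DICOM-port flow from a network sensor gives an inventory of which modalities and PACS nodes still negotiate associations without TLS, which is the visibility step the hygiene list below starts from.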

Patient monitors are also among the riskiest IoMT devices. They’re ubiquitous in patient care settings and often use unencrypted protocols, allowing communications to easily be intercepted and tampered with. For example, a bad actor could prevent an alert triggered by a change in the patient’s vital signs from being received.

Healthcare Is Different… Except When It’s Not

The phrase “healthcare is different” is a common refrain among stakeholders, from administrators to providers to payors. Patients don’t make normal consumer choices, physicians aren’t just businesspeople, lives are on the line.

When it comes to cybersecurity, however, healthcare is a lot like every other industry, especially manufacturing. Because standard practices such as vulnerability scanning and patching are often not possible, preventive cyber hygiene is critical. That includes:

  • Asset management: What is connecting to your network, and where is it located, physically and logically? Visibility is the foundation—you can’t protect what you can’t see.
  • Risk and compliance: Is the asset critical to the business? Is it vulnerable? Is it configured and operating as expected? You can’t remediate what you aren’t aware of.
  • Network segmentation: What other asset types does the asset communicate with, over what ports and protocols? Context-aware segmentation policies can reduce the attack surface without disrupting desired communication flow.
  • Network access control: Should communication be limited or blocked? Proactive controls can authorize access and assign users and devices to network segments or quarantine devices based on their security posture.
  • Continuous monitoring and threat detection: Are any threat actors trying to exploit a network, and how can they be stopped? With thousands of alerts firing every hour, you need to harness data intelligence to isolate true detections from false positives.
  • Incident response: Can threats be contained with the available security tools? With the right tools you can write policies to orchestrate the right response, every time.

Security Automation or Bust

Even without the persistent cybersecurity skills shortage and healthcare-specific challenges, security automation is a must. There are too many device types, too many threat actors and too much data to sift through to rely on manual processes.

An automated security process can continuously share device context across all security tools, orchestrate workflows across those tools and accelerate response actions, such as applying controls and enforcing compliance. That leaves security teams time to focus on what truly requires human intervention. At least for now, that’s more than enough.

About the author: Daniel Trivellato, VP of product & engineering at Forescout, is responsible for driving the Forescout IoT and OT device visibility and threat detection roadmap and teams, to deliver market-leading solutions for customers. Trivellato joined Forescout in 2018 via the acquisition of the cybersecurity startup SecurityMatters, which he joined in 2012.