By Elisa Costante

For the past few years, the healthcare industry has been constantly targeted by cyberattacks. Digital transformation trends, such as the Internet of Medical Things (IoMT), have expanded the attack surface to new threats. In fact, new research from Forescout’s Vedere Labs reveals the riskiest IoMT devices include medical imaging systems and patient monitors. Fortunately, asset management and vulnerability management can help mitigate the risk of these devices.

In 2020, at the height of the pandemic, the FBI warned that the healthcare industry was at increased risk of ransomware attacks. Further, the nonprofit organization Identity Theft Resource Center found that ransomware doubled in 2020 and doubled again in 2021, making the healthcare industry one of the first verticals to become victimized by the increased frequency of these attacks. More recently, the FBI warned earlier this year that the healthcare industry is at increased risk of attack because of unpatched and legacy medical devices.

According to the FBI, “Medical device hardware often remains active for 10 to 30 years. However, underlying software life cycles are specified by the manufacturer, ranging from a couple of months to maximum life expectancy per device, allowing cyber threat actors time to discover and exploit vulnerabilities.”

One example of how these vulnerabilities could be exploited is NUCLEUS:13, a set of vulnerabilities in the TCP/IP stack that could enable remote code execution on medical devices. Another example is Access:7, a set of vulnerabilities in a third-party software agent. Security researchers have demonstrated how ransomware could target these vulnerable medical devices.

Furthermore, medical devices can be challenging to manage because propriety software makes patching them more difficult than IT devices—and, in some cases, a patch may never even be released.

Inside the Riskiest Medical Devices, Like Patient Monitors

Vedere Labs recently investigated the riskiest devices in enterprise networks, including IT, IoT and IoMT devices. Risk was computed by accounting for a multitude of factors, including: the configuration of the device (i.e., the number and severity of vulnerabilities), its function (i.e., the role it plays in the organization and the impact of its unavailability), and its behavior (i.e., reputational analytics of inbound and outbound connections).

Routers, servers, and computers are the riskiest IT devices since they are directly exposed to the Internet and have many vulnerabilities that, if left unpatched, could lead to their demise. Moreover, IP cameras, Voice over Internet Protocol (VoIP), and video conferencing are the riskiest IoT devices because they are left with default configurations—aka: default credentials and many weak protocols enabled.

Finally, the riskiest IoMT devices include imaging systems and patient monitors. Particularly vulnerable medical imaging systems include DICOM workstations, nuclear medicine systems, and imaging PACS. These devices epitomize the sort of legacy systems that prompted the FBI to issue their warning. Because they are connected to so many other devices on the network that perform medical services, they could be used for lateral movement or to disrupt operations if a threat actor targeted them.

Compounding the issue is the fact that network communication is frequently unencrypted. For instance, although DICOM, a common protocol to share patient files like x-rays, offers the ability to encrypt communication, it’s often misconfigured and communicated in clear text. Patient monitors are other types of risky IoMT devices that frequently use unencrypted communication.  

Managing a Broad Attack Surface

The healthcare attack surface now encompasses IT, OT, IoT, and IoMT environments. For example, R4IoT is a ransomware proof of concept that begins with an IoT device (an IP camera), moves to an IT device (a computer), and disables an OT device (a programmable logic controller). Since attacks may be multifaceted, it’s not effective to focus solely on IT security. Hence, a comprehensive approach is required to reduce the risk of such a broad attack surface.

Moreover, the FBI has recommended asset management and vulnerability management to mitigate the risk to medical devices. In short, asset management maintains an inventory of devices and vulnerability management works to mitigate vulnerable devices. Comprehensive visibility is required to do this effectively.

Finally, assessing device risk requires context to understand it, such as the device type, vendor, model, and firmware, as well as device communication. After assessment, mitigation includes patching vulnerabilities, disabling unused services, and isolating risky devices with network segmentation. Network monitoring solutions can help obtain this information and automate mitigation actions, as well as continuing to monitor for attacks. By understanding which devices are on their networks and how they operate, healthcare security leaders can customize their strategy to effectively reduce their risk.

Elisa Costante is vice president of research at Forescout. Questions and comments can be directed to [email protected].