Increasingly complex populations of medical devices are creating new challenges for healthcare CISOs and their teams, who are increasingly assuming responsibility for operational technology (OT) networks, according to an analysis of live healthcare systems that flagged a host of active security problems.
Drawing on data funnelled through the Forescout Device Cloud, the Forescout Healthcare Report explored the types and configurations of Internet of Medical Things (IoMT) devices connected to 75 different healthcare networks, comprising more than 1.5m connected devices – including 430,000 IoMT devices.
Increasingly diverse network environments were creating security issues, the report found, with 39 percent of connections relating to Internet of Things (IoT) devices.
Some 38 percent of connected devices related to patient identification and tracking systems, while 32 percent were infusion pumps, 12 percent patient monitors, 5 percent point-of-care testing, and 3 percent medication dispensing systems.
Breaches of these patient-engaged devices could potentially compromise patient safety as well as providing avenues for attackers to jump onto healthcare networks, where patient records and results may be accessible via compromises of core information systems.
A third of healthcare providers’ networks were running devices from more than 100 distinct vendors – each creating a novel vulnerability profile by having their own approach to security, monitoring, control, and remediation.
With attackers demonstrating a range of viable attacks on healthcare environments – Forescout singled out ransomware, denial of service, device impersonation, man-in-the-middle attacks, and fileless malware as key threats – the firm recommended that healthcare organisations implement a range of practices to bolster their environments and technologically isolate their IoMT populations.
Strategies including enabling agentless discovery of devices, identification and automatic classification of devices, continuous monitoring of devices, and enforcing network segmentation were all highlighted as best-practice approaches to bolstering healthcare security.
The impossible update
Increasing sophistication of medical devices is pushing what used to be considered operational technology (OT) into the purview of information technology (IT) specialists – creating new pressures on CISOs, who struggle both to fix vulnerabilities and to implement consistent, integrated security management environments.
By 2021, Gartner has predicted, 70 percent of OT security will be managed by the CIO, CISO, or CSO department – up from 35 percent today.
Yet many other conventional cybersecurity strategies, such as patching systems or updating operating systems, fall down in legacy-rich healthcare environments – where funding is historically a problem and reliance on particular configurations of legacy systems may see them left in place much longer than recommended.
The problem is particularly serious for healthcare providers, since embedded operating systems often cannot be reliably upgraded.
Forescout’s analysis reflected the extent of the problem. Some 36 percent of networks were using from 11 to 20 different operating system variants, while 4 out of every 10 deployments were using more than 21 different operating systems – creating significant issues around vulnerabilities and inconsistencies between security policies.
Most worryingly, Forescout noted, fully 71 percent of devices are running a version of Windows – including Windows 7, Windows 2008 and Windows Mobile – that will no longer be supported by Microsoft come 14 January 2020.
Unpatched vulnerabilities will create significant opportunities for cybercriminals to breach and compromise healthcare networks – as happened earlier this year when a ransomware strike compromised cardiologists’ administrative systems at Melbourne’s Cabrini Hospital Malvern, and in 2016 when a breach of outdated Windows XP machines paralysed the Royal Melbourne Hospital’s pathology operations.
The continuing vulnerability of healthcare environments has fed an overriding unease amongst those relying on healthcare providers to keep their private data secure. Many of those recently opting out of the government’s My Health Record (MHR) program cited security as the reason.
This was not without cause, since the latest Office of the Australian Information Commissioner report into the Notifiable Data Breach (NDB) scheme once again found that healthcare organisations were the most frequently breached of all industries.