Medtech And Health Facilities: A Cybersecurity House Of Mirrors
While the average cost of a data breach exceeded $9 million in 2021, the cost of a massive cyberattack on healthcare remains uncertain and unpredictable. Amid the specter of international cyber conflicts and threats, the US government is beginning to shed new light on a growing problem.
Despite the proliferation of ransomware, many industry stakeholders remain unaware of the cyber risks associated with operational medical technologies, the Internet of Medical Things (IoMT), and digital components of facility operation and management.
From business records to patient data and diagnoses, plans, treatments, prescriptions, billing, benefits and more, healthcare has gone digital. One theme runs through the cyber threat landscape for medical technology, devices, hospitals and healthcare facilities: confusion.
Often introduced without a coherent security policy, efforts to combine many connected components into a single product result in technology that is easy to implement but difficult to protect. Like a room of mirrors, the responsibility for understanding and mitigating cyber risk in healthcare is hard to define and often depends on who you ask, especially when it comes to non-corporate systems and devices.
IoT is a two-way mirror that provides a window for navigating medical networks and operations. Hard-coded passwords and credentials are under attack, vendor user interfaces are hacked, change control mechanisms are bypassed, and widespread vulnerabilities continue to affect thousands of devices around the world.
Medical operating room technology, IoMT technologies, and facility systems cover a wide range of machines and configurations, including patient monitoring and diagnostic devices such as anesthesia machines and bedside monitors, medical imaging equipment, insulin pumps, fluid pumps, ventilators, and a growing list of sensors, cameras, wearables, and analytics devices that enable or report on the status of equipment, processes, and operations.
Cybersecurity challenges in healthcare are multifaceted, including vulnerable technologies designed with security in mind, Internet-connected devices used directly for patient care, and smart building technologies and automation.
As stated by the FDA, “Failure to provide cybersecurity throughout the lifecycle of a medical device can result in performance degradation, loss of medical or personal data, inadequate data integrity, or the spread of security threats to other connected devices or networks. Harm to the patient, such as illness, injury, or death due to a delay in treatment or otherwise affecting the availability and effectiveness of a medical device.”
Traditional medical technologies
Outdated medical technologies are widespread, expensive to replace, and vulnerable to exploitation through known cyberattack techniques and a growing list of publicly available common vulnerabilities and exposures (CVEs). Many use legacy software such as Windows XP and Windows 7 and have limited mechanisms for applying critical patches and updates across large, unmanaged deployments. Resource and workforce constraints continually limit the ability to track, protect and improve all components of the obsolete medical technologies used today.
At a high level, manufacturers are responsible for product security, lifecycle maintenance, vulnerability detection, and making and distributing patches and updates available for the secure devices and technologies they develop.
End users are also responsible for implementing solutions to track and fix discovered vulnerabilities, enable security features, secure data in transit and at rest, and monitor technologies and networks running in their organization. At the same time, most teams and venues are not ready to return to physical activity for a long time.
Internet of Medical Things (IoMT)
According to the Food and Drug Administration, the US regulates about 200,000 medical devices manufactured by more than 18,000 companies worldwide. Connected smart medical devices include a user interface (for patients and healthcare professionals) and machine-to-machine communication via network connections.
These devices, which can often connect to the Internet, are at risk from unauthorized access, compromised login interfaces to bypass password authentication, distributed denial of service (DDoS) attacks, and limited protection of sensitive patient information.
The main attack surface for IoT devices is default SSH credentials. Once the system is compromised, the attacker, usually another infected IoT device, will attempt to enter an average of forty passwords for multiple usernames. Other common attack surfaces for these devices include UPnP, HTTPS, as well as native Java packages and various code modifications.
These systems and variants remain unpatched long after a patch is released, as most IoT devices are self-contained and not designed to be automatically updated without receiving a custom patch-based claim. Finally a risk. - user license agreement;
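A defender's view of the SSH password-guessing pattern described above, as an added example that is not part of the original article: it scans OpenSSH `sshd` authentication log lines for one source trying many passwords across several usernames, and escalates the verdict if a login from that source then succeeds. The thresholds, host name, account names and log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH sshd lines: "<Failed|Accepted> password for [invalid user ]NAME from IP port N ssh2"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_spray(lines, min_attempts=10, min_users=2,
                 window=timedelta(minutes=5), year=2024):
    """Return {source_ip: verdict}. Thresholds are assumptions to tune per network."""
    failures = defaultdict(list)   # ip -> [(time, user)] still inside the window
    verdicts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue               # not a password-auth line
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append((ts, m["user"]))
        failures[ip] = recent
        spraying = (len(recent) >= min_attempts
                    and len({u for _, u in recent}) >= min_users)
        if m["result"] == "Accepted" and (spraying or verdicts.get(ip) == "spray"):
            verdicts[ip] = "spray-then-login"   # a guessed password worked
        elif spraying and ip not in verdicts:
            verdicts[ip] = "spray"
    return verdicts

def sample_log():
    """Constructed log lines using documentation IP ranges, not captured traffic."""
    users = ["root", "admin", "guest"]
    out = [f"Mar 13 02:14:{i * 2:02d} pump-gw sshd[812]: Failed password for "
           f"{'invalid user ' if users[i % 3] == 'guest' else ''}{users[i % 3]} "
           f"from 192.0.2.15 port {40100 + i} ssh2" for i in range(12)]
    out.append("Mar 13 02:14:30 pump-gw sshd[812]: Accepted password for admin "
               "from 192.0.2.15 port 40150 ssh2")
    # One mistyped password followed by a normal login: must not be flagged.
    out.append("Mar 13 02:20:01 pump-gw sshd[901]: Failed password for biomed "
               "from 198.51.100.7 port 51000 ssh2")
    out.append("Mar 13 02:20:09 pump-gw sshd[901]: Accepted password for biomed "
               "from 198.51.100.7 port 51001 ssh2")
    return out

if __name__ == "__main__":
    print(detect_spray(sample_log()))
```

A `spray-then-login` verdict is the one to act on first, since it means a device accepted one of the guessed passwords.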
Smart and connected objects
Healthcare and medical operations and facilities continue to digitize non-IT management system components: fire alarms and extinguishing, lighting and power systems, metering systems, vehicle charging stations, access control keys. When control is centralized, companies often implement building automation solutions (BAS) to connect and automate control of these various functions. BAS security vulnerabilities can be used to gain access to credentials, networks and VPNs, and sensitive data.
During a recent interaction with smart buildings, we found 361 insecure protocols in use, 259 device vulnerabilities, and 37 compromised (encrypted) passwords.
By gaining control of one or more devices, attackers can coordinate larger attacks based on ubiquitous connectivity levels.
Cybersecurity of operations and facilities is perhaps most important in a hospital environment where important populations are concentrated and the secure movement of assets, equipment and personnel is required. Remote and decentralized operations can make it difficult to find and maintain cybersecurity resources.
Large companies and providers find it difficult to manage large campuses, some of which are the size of small towns, serving millions of patients annually and employing tens of thousands of people. Bypassing building management systems, utilities, and security systems can seriously impact patient care, as well as the safety of patients and healthcare workers. Given the priorities of the national chief cyber officer of the United States, the first to implement comprehensive security practices should chart a course.
The way forward
Even if legacy medical devices and IoMT technologies are not the direct target of a cyber incident, cascading effects can render them useless, leading to treatment delays and potential harm to both patients and providers. When corporate IT systems go down, they are often isolated from the rest of the network. If the operating system fails, it may result in property damage and personal injury.
This practice often leads to a dilemma between risk management systems and incident reporting. Security incidents at the center continue. This scenario raises questions. Do IT and hardware departments know what else is involved with communications networks and the potential use cases for these legacy systems, IoMT devices, networks and management systems?
Overwhelmed by technology and manual operations, hospitals and healthcare providers are mitigating cybersecurity risks by meeting rapidly changing regulatory requirements and working to analyze connectivity, traffic and network behavior anomalies.
Clarity about the scale of the potential risk is important. A cybersecurity solution for operational technology and the Internet of Things can:
- Store and visualize a landscape of tens or thousands of connected systems and terminals
- Track and monitor network traffic in real time, including non-IT systems
- Provide a fundamental and ongoing understanding of the cybersecurity status of an organization
- Provide useful information to solve the most pressing problems
- Restrict third-party access and alert on changes in behavior or network variables
- Strengthen your organization's security policies without gaps or shadow connections