Outdated IoT health devices pose significant security threats


More than half (53%) of the Internet of Things (IoT) and medical Internet of Things (IoMT) devices used in healthcare contain critical cybersecurity risks, according to Cynerio’s The State of IoMT Device Security report, which analyzed devices from more than 300 hospitals in the US.

Cynerio makes IoT security systems for healthcare providers. For the report, more than 10 million IoT and IoMT devices were scanned. Cynerio used a connector that, when attached to a SPAN (Switched Port Analyzer) port on a network’s core switch, collects traffic information for each device connected to the network. This information was then analyzed by an in-house AI algorithm to help identify vulnerabilities and threats.

The report found that IV (intravenous) pumps account for 38% of a hospital’s typical healthcare IoT footprint, and that 73% of these pumps have at least one vulnerability that could jeopardize patient safety, data confidentiality or service availability if identified by a bad actor.

“Healthcare systems have multiple attack surfaces, from the infrastructure itself within a hospital to the increased (if not total) digitization of medical records,” says Liz Miller, an analyst at Constellation Research. “The global pandemic sweetened the pot for attackers and it quickly became open season across networks, systems, and devices.”

The report found that 79% of IoT devices are used at least once a month, while 21% can sit idle for four weeks.

Unpatched Devices Open Big Risk

“Once a medical device is used for a patient, it could be in use for days or weeks,” says Daniel Brodie, CTO of Cynerio. “Many devices have 24/7 operational requirements, and an outage, even for patching, could have serious consequences for medical workflows, patient safety and hospital operations.”

Another factor behind devices missing timely updates is that a typical hospital network may host a mix of devices from different vendors, and the patching and updating process becomes too complex to complete within each device’s downtime window, according to Brodie.

Nearly half (48%) of the IoT devices analyzed in the research run Linux as their operating system, which the report says is of growing concern: Linux is an open source platform that has become very popular with the criminal community, as it powers nearly 70% of web servers worldwide.

“We are seeing increased targeting of Linux devices by ransomware groups in IoT environments,” adds Brodie. “Criminals understand and target their attacks, almost in a personalized way, to the unique configuration of a hospital. It takes longer than a ‘spray and pray’ type of attack, but the potential reward is much greater.”

Another key finding of the report is that while only a marginal number of IoT devices in a healthcare setting run Windows, the critical care sector as a whole is dominated by devices running older versions of Windows, typically older than Windows 10. These include devices used by hospital departments generally responsible for direct patient care, such as pharmacology, oncology, and laboratories.

Ransomware leads IoT attacks

Of the many cyberattacks targeting the healthcare space, ransomware has emerged as the most problematic in recent times. The Cynerio report noted that in 2021, ransomware attacks on hospitals increased 123% year-over-year, costing a total of $21 billion across more than 500 attacks. The average cost per ransomware attack has been found to be $8 million and it is estimated that each attack takes an organization around 287 days to fully recover.

Ransomware attacks have become more frequent in the last two years, according to Allie Mellen, an analyst at Forrester. Due to the nature of healthcare equipment, there can be many challenges in upgrading legacy systems, given the wide range of devices.

Malware or DDoS (distributed denial of service) attacks are the most frequent and tend to escalate into ransomware demands. In a typical attack, the devices that fail first are those that track patients’ vital signs, along with the systems that compile each patient’s medical history and documentation, according to Brodie. This is quickly followed by the shutdown of communication systems, including email and VoIP phones, making it difficult to transmit critical information. Other systems that lose functionality during these attacks include radiology, imaging, PACS (picture archiving and communication system) machines and scanners, insulin and IV pumps, printers, and other network equipment.

Network segmentation could eliminate key vulnerabilities

The report concluded that while URGENT/11 and Ripple20 have made the most recent headlines as the key vulnerabilities in healthcare IoT devices, they represent only around 10% of the actual threat. URGENT/11 and Ripple20 refer to groups of vulnerabilities in TCP/IP stacks that allow attackers to bypass firewalls and take control of devices remotely without user interaction.

The top vulnerabilities, according to the report, are Cisco IP Phone Common Vulnerabilities and Exposures (CVEs), comprising 31% of detected vulnerabilities; weak HTTP credentials, with 21% of vulnerabilities detected; and open HTTP port, with 20%.

The report recommends network segmentation and quarantine as the most effective technique for remediating vulnerabilities, since patching is a difficult solution for IoT devices that come from different vendors. It also emphasizes that a proper balance of network connections, combining east-west (device-to-device) and north-south (server-to-device) segmentation, is vital to ensure security without disrupting connectivity.

“Context is important, specifically in a healthcare environment, you can’t have segmentation that interferes with clinical workflows or interrupts patient care, so you definitely have to strike a balance between connection and separation,” Brodie says. He explains that, for example, IV pumps could be allowed to connect only to servers in data centers, and not to other servers or devices that are more easily accessible (a north-south segmentation approach).
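The segmentation balance Brodie describes can be checked against observed traffic. The following is an added example, not code from the report or from Cynerio: it labels devices by zone from a constructed inventory, classifies each flow as north-south (touching the data center) or east-west (device-to-device), and flags IV-pump flows that a north-south-only policy would not allow. The subnets, zone names and flow records are all constructed assumptions.

```python
"""Flow-policy audit for healthcare IoT segmentation (added example, not from the report)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory: zone name -> subnet (assumption, not real hospital addressing).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "iv_pumps": ipaddress.ip_network("10.10.1.0/24"),
    "patient_monitors": ipaddress.ip_network("10.10.2.0/24"),
    "datacenter": ipaddress.ip_network("10.20.0.0/16"),
}

# Policy: source zone -> destination zones it may reach.
# Device zones get north-south access to the data center only; no east-west flows.
POLICY: Dict[str, set] = {
    "iv_pumps": {"datacenter"},
    "patient_monitors": {"datacenter"},
    "datacenter": {"iv_pumps", "patient_monitors", "datacenter"},
}

# Constructed flow records "src,dst,dst_port" (not real traffic).
FLOWS = """\
10.10.1.15,10.20.4.2,443
10.10.1.15,10.10.2.7,80
10.10.2.7,10.20.4.3,8443
10.10.1.22,10.10.1.23,22
192.168.5.5,10.10.1.15,80
"""


def zone_of(ip: str) -> str:
    """Map an address to its inventory zone, or 'unknown' if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def direction(src_zone: str, dst_zone: str) -> str:
    """North-south if either end is the data center, otherwise east-west (device-to-device)."""
    return "north-south" if "datacenter" in (src_zone, dst_zone) else "east-west"


def audit_flows(flow_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, direction, verdict) per flow; verdict is 'allow' or 'flag'."""
    results = []
    for line in flow_text.strip().splitlines():
        src, dst, _port = line.split(",")
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # Unknown sources have no policy entry and are flagged for review.
        allowed = dst_zone in POLICY.get(src_zone, set())
        results.append((src, dst, direction(src_zone, dst_zone), "allow" if allowed else "flag"))
    return results
```

Flagged east-west flows between pump and monitor subnets are the ones a segmentation rollout would need to either explicitly permit for a clinical workflow or block.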

Copyright © 2022 IDG Communications, Inc.
