Story image

Connected medical devices pose serious security risks for healthcare firms

05 Mar 2018

Healthcare organisations around the world may be using medical devices that come with serious cybersecurity risks, according to research coming from some US hospitals and clinics.

That research suggests that network traffic passing through internet-connected medical devices lack real-time insights.

Combined with a lack of solutions to secure those devices and no clear industry reports as to how to mitigate those risks, the study from Zingbox says there are many hurdles ahead for healthcare providers.

The most common connected medical devices include infusion pumps (deployed in 46% of surveyed healthcare firms), imaging systems, patient monitors and point-of-care analysers.

Other common connected devices include ECG machines, patient tracking, nurse call systems and medical printers.

Imaging systems have the most number of network applications at an average of seven per device – at least three of these are used for communications outside an organization.

Most other devices also include applications that communicate with other devices and servers within an organization’s network.

Security risks vary from outdated software or operating systems to rogue applications, unpatched firmware, unprotected or weak passwords, obsolete applications, risky internet sites and user practice issues.

“Imaging systems have the most security issues. They account for 51% of all security issues across tens of thousands devices included in this study. Several characteristics of imaging systems attribute to it being the most risky device in an organization’s inventory.”

“The distributed nature of imaging systems with devices, servers and various nodes interconnected, also contributes to many security issues. As noted earlier, imaging systems also house the most number of network applications per device.”

Virtual LANs (VLANs) are common ways of identifying and locating devices on the network as part of a micro-segmentation strategy to limit lateral infection.

88% of hospitals in this case have fewer than 20 VLANs containing medical devices – Zingbox says this is far too few VLANs to support any micro-segmentation strategy.

Only 2% of organizations have more than 100% VLANs – a clue that there may be over-segmentation in some networks.

“Note the void between these two extremes. We expect more and more organizations to fill in this area as they implement tools and processes to gain additional visibility into the device context and use it for onboarding.”

VLANs may not even be used for protecting medical devices, the research states. PCs take up 43% of VLAN monitoring; followed by medical devices themselves (23%), printers, tracking systems, IP phones, network equipment, smartphones and tablets, and surveillance cameras.

“Such wide range of devices found in medical VLANs promote cross contamination and lateral movement of infections. The first course of action organizations should take is to remove PCs from their medical VLANs, followed by tablets, and then other non-medical IoT devices such as surveillance cameras and IP Phones.”

“The non-medical IoT devices should be moved to other non-medical VLANs. Of course, in order to implement these changes, organizations must first gain visibility into their VLANs and be able to accurately identify devices.”

The report recommends three strategies for managing connected medical devices:

Real-time visibility into device deployment and inventory – Most healthcare providers lack the visibility into the devices deployed in their network and the network topology themselves. The first step to formulating an effective strategy is to base it on an accurate inventory of devices and network configurations.

Control rogue application and communications – Inappropriate or unauthorized use of applications account for a large portion of security issues identified across connected medical devices. Applying contextual enforcement policies based on the individual device types can greatly reduce the exposure to rogue applications and lateral movement of infection due to inappropriate use.

Develop strategies for top vulnerabilities and risks – No two healthcare organizations are alike. Hence, every organization should assess their deployment and identify their biggest vulnerabilities and risks. They should then prioritize their action plans starting with their biggest exposure.

Google puts Huawei on the Android naughty list
Google has apparently suspended Huawei’s licence to use the full Android platform, according to media reports.
Using data science to improve threat prevention
With a large amount of good quality data and strong algorithms, companies can develop highly effective protective measures.
General staff don’t get tech jargon - expert says time to ditch it
There's a serious gap between IT pros and general staff, and this expert says it's on the people in IT to bridge it.
ZombieLoad: Another batch of flaws affect Intel chips
“This flaw can be weaponised in highly targeted attacks that would normally require system-wide privileges or a complete subversion of the operating system."
Forget endpoints—it’s time to secure people instead
Security used to be much simpler: employees would log in to their PC at the beginning of the working day and log off at the end. That PC wasn’t going anywhere, as it was way too heavy to lug around.
DimData: Fear finally setting in amongst vulnerable orgs
New data ranking the ‘cybermaturity’ of organisations reveals the most commonly targeted sectors are also the most prepared to deal with the ever-evolving threat landscape.
IXUP goes "post-quantum" with security tech upgrade
The secure analytics company has also partnered with Deloitte as a reseller, and launched a SaaS offering on Microsoft Azure.
ExtraHop’s new partner program for enterprise security
New accreditations and partner portal enable channel partners to fast-track their expertise and build their security businesses.