By: Carolyn Crandall, Chief Deception Officer
Smart medical devices have incredible potential to save lives and improve our general well-being, but they also present a host of untold threats that have yet to be fully exploited. You’ve probably heard the infamous story by now. Several years ago, it was revealed that Dick Cheney’s defibrillator was modified to prevent hacking. While Cheney’s medical team was quick to address this particular issue, the larger healthcare community has been slower to react to persistent threats and medical device security remains a growing concern even 11 years later. Almost 36 (35.6) percent of organizations’ IoT-connected medical device ecosystems experienced a cybersecurity incident in the past year, a recent Deloitte survey revealed. That’s more than one third of organizations experiencing some type of threat to the smart medical devices they are in charge of protecting.
It’s not just state-of-the-art healthcare organizations and facilities using smart medical devices. A Thales survey of 235 senior healthcare security managers across the globe, revealed that 96 percent are using IoT-enabled technologies. With U.S. hospitals deploying an average of 10-15 connected devices per bed (Zingbox), this dramatically opens up a hospital’s network to cybercriminals, whether it be individuals, political groups, criminal organizations, terrorist or nation-state attackers.
What cybercriminals are looking for
So, why are cybercriminals interested in hacking things like internet-connected heart rate monitors, implantable defibrillators and insulin pumps? Generally, it’s not to cause physical harm to a patient or end their life. Rather, it is to exploit an opportunity that medical devices expose to hackers seeking a bigger target, as they act as easily accessible entry points to larger hospital networks and the treasure troves of PHI data that they hold.
With stolen medical records, hackers can:
- Easily set up a costly ransomware attack
- Carry out tax fraud and identity theft
- Track prescriptions, intercept delivery and sell them on the dark web
- Sell prized PHI records that command $50 versus $3 for a social security number and a measly $1.50 for a credit card number
Why hospitals are struggling with IoT security
Simply put, hospitals have a hard time identifying all the vulnerable infrastructure and devices they must secure. Think about the volume and range of devices across an entire hospital or treatment facility: there are EHR portals, printers, nurse’s stations and active, IoT-enabled medical devices. The size and scale of all the different components of a healthcare organization’s network leaves many CIOs and IT departments scratching their heads over how to monitor and secure it, all while not diminishing patient care.
Along with the growing number of devices that healthcare organizations keep track of, many providers operate in flat and open networks versus microsegmented infrastructure, which better protects devices. By microsegmenting with VLANs, IT practitioners can more easily identify and locate devices on the network and delay or limit lateral infection.
According to Zingbox, 88 percent of hospital have fewer than 20 VLANs containing medical devices. This drastically increases the access and risk associated with these devices.
Additionally, medical devices have longer lifespans than typical hardware, and limited downtimes and mobility can limit the type of patching necessary to improve security defenses.
Recent government oversight has begun to address the issue of medical device security. In 2013, the Food and Drug Administration (FDA) began seriously evaluating device security and continues to use the National Institute of Standards and Technology (NIST)’s 2014 Framework for improving overall critical infrastructure cybersecurity. While not enforceable, the NIST’s framework is widely used and the FDA is now known to have delayed and blocked medical devices from coming to market if they do not meet their minimum standards.
Medical device security isn’t just important, it’s critical. As a result, healthcare organizations and device manufacturers are looking for new solutions to increase protection of both networks and individual devices. Deception technology is gaining prevalence among healthcare providers for its early detection and response capabilities as well as its ability to provide visibility into an attacker’s tactics, techniques and procedures. Additionally, many healthcare organizations that do not have dedicated security teams choose deception for its ease of use, accuracy and actionable alerts, which keep operational overhead low while providing the security necessary to better protect their medical devices infrastructure.
Learn more about how Attivo is working with healthcare organizations like BD (Becton, Dickinson and Company) to deliver greater visibility and improve detection capabilities against potential cyber threats that can impact medical devices here.