

Health Prognosis on the Security of IoMT Devices? Not Good

As more so-called Internet of Medical Things devices go online, hospitals and medical facilities face significant challenges in securing them from attacks that could endanger patients' lives.

As COVID-19 continues to turn the world upside down, hospitals are facing unprecedented challenges: Do we have enough staff to treat the influx of patients? Are there enough beds and equipment for those patients? Will patients' lives be threatened by hackers holding the medical devices keeping them alive for ransom?

While that last concern is not unique to the COVID-19 crisis, the risk is certainly heightened now that hospitals and emergency rooms have been overwhelmed with a massive influx of patients, resulting in even more patient-connected devices going online. Every piece of connected medical equipment, collectively referred to as the Internet of Medical Things (IoMT), is important to patient care, but each one also provides an easy on-ramp for hackers to bring a hospital to its knees.

"We are overdependent on undependable things," says Joshua Corman, former member of the HHS Cybersecurity Task Force under the Obama administration, and co-founder of I Am The Cavalry, a grassroots group focused on the intersection of computer security and public safety. "On the whole, these medical advances are improving lives, making care more available, and curing ailments that haven't been cured before. But I want the trust placed upon those innovations to be worthy of that trust. It's not right now."

The problems with IoMT are, essentially, threefold, with some deeper complications sprinkled throughout: One, the devices tend to run on outdated operating systems, like Windows 95, Windows XP, or Windows 7, and many were never intended to go online, so they have no cybersecurity protection whatsoever. Two, hospital networks are often not segmented, allowing attackers to enter anywhere and move around. Three, vulnerable equipment is often not being replaced or patched, and not nearly enough of it is being recalled.

That combination could literally prove deadly for patients.

"An old, unpatched device that was inadvertently exposed to the Internet can make a great foothold into a network, where attackers can then move around and find more sensitive data," says Charles Ragland, security engineer at Digital Shadows, a San Francisco-based provider of digital risk-protection solutions. "This could also lead to a ransomware attack that could incapacitate infrastructure that is critical for patient care and safety."

Ransomware and distributed denial-of-service (DDoS) are two of the more common attacks that affect IoMT. "The devices perform an important function, and people are much more likely to pay up or meet the demands of criminals who have carried out the attacks," Ragland says.

"When you talk about medical devices, the typical scenario frightening organizations is, what if there's a targeted attack? What if a nation-state specifically targets an IV pump and changes the dose of medication?" says Leon Lerman, CEO of IoMT security platform Cynerio. "That definitely could happen. But there's a lot more of a basic threat. Ransomware, phishing emails ... those attacks target the weakest and older OSes" typically running on these devices.

Indeed, hospitals are now the top targets in the world for ransomware because "they're vulnerable and they pay," Corman says. He adds that part of the problem stems from hospital insurance policies themselves, which have inadvertently covered ransom payments, usually under their kidnapping clauses. Corman says he is working with insurance companies to change that going forward and to add language that incentivizes providers to take the necessary steps to address security flaws and respond to FDA recalls, or else pay higher premiums.

For now, while paying ransom might seem like the better choice than having medical systems incapacitated, this, of course, only incentivizes hackers to return to these reliable, lucrative gigs.

So why are hospitals overrun with outdated technology that they're not fixing and willingly forking over bitcoins to nefarious Internet criminals?

The answer to that is a mixed bag of technology that wasn't built with security in mind, connected devices that take so long to develop and get certified that their technology is obsolete by the time they hit the market, and finger-pointing between hospitals, device manufacturers, and the FDA.

"If you talk to a medical device maker or hospital operator, you will often hear, 'We are not allowed to patch these things. The FDA won't let us.' Or, 'OK, we're allowed to, but they'll make us recertify.' Both are false," Corman says. Rather, he says, as long as an update does not change the "intended use" of a device, it is not necessary to recertify. "In most cases, addressing a security flaw preserves 'intended use,'" he says.

It's a "willful lie on the part of some stakeholders in the system that you can't update medical devices," Corman says, adding that oftentimes device manufacturers won't do updates on old technology because they just want to move on to other things, and it's inadvisable or impossible for hospitals to patch security flaws without the manufacturer's involvement.

"Not only can you update, the FDA really wants you to update," he says.

For its part, the FDA has worked to clarify requirements around medical technology. In postmarket guidance completed in 2016, the FDA explained that while federal regulations require manufacturers or importers to report certain actions concerning device corrections and removals, "the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as 'cybersecurity routine updates and patches,' are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting. … For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the Agency."

Furthermore, in a 2018 update on premarket guidance that was originally completed in 2014, the FDA drafted new guidelines for the manufacturing of and life-cycle planning for connected medical devices that instruct manufacturers to apply a risk-based approach to the design and development of devices that considers cybersecurity for the life cycle of the product.

This is good news for the future of IoMT. But Corman notes the earliest we're likely to see modernized devices hit the market is 2021, and it'll be longer before facilities actually do the upgrades. "Hospitals hold onto devices as long as they can," he says, and then those outdated, dangerous devices sometimes go on to their next lives, sold to hospitals in other countries.

In the meantime, medical facilities are overloaded with insecure connections on their networks that all have the potential to harm or end human life.

"It's not uncommon for a medical device to have over 1,000 known vulnerabilities," Corman says. "It only takes one to take out a whole hospital."


Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ...
