Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Health Prognosis on the Security of IoMT Devices? Not Good

As more so-called Internet of Medical Things devices go online, hospitals and medical facilities face significant challenges in securing them from attacks that could endanger patients' lives.

As COVID-19 continues to turn the world upside down, hospitals are facing unprecedented challenges: Do we have enough staff to treat the influx of patients? Are there enough beds and equipment for those patients? Will patients' lives be threatened by hackers holding the medical devices keeping them alive for ransom?

While that last concern is not unique to the COVID-19 crisis, it's certainly of heightened risk given that hospitals and emergency rooms have been overwhelmed with a massive influx of patients, resulting in even more patient-connected devices going online. While important, every piece of connected medical equipment, referred to as the Internet of Medical Things (IoMT), provides an easy on-ramp for hackers to bring a hospital to its knees.

"We are overdependent on undependable things," says Joshua Corman, former member of the HHS Cybersecurity Task Force under the Obama administration, and co-founder of I Am The Cavalry, a grassroots group focused on the intersection of computer security and public safety. "On the whole, these medical advances are improving lives, making care more available, and curing ailments that haven't been cured before. But I want the trust placed upon those innovations to be worthy of that trust. It's not right now."

The problems with IoMT are, essentially, threefold, with some deeper complications sprinkled throughout: One, the devices tend to run on outdated operating systems, like Windows 95, Windows XP, or Windows 7, and many were never intended to go online so they have no cybersecurity protection whatsoever. Two, hospital networks are often not segmented, allowing attackers to enter anywhere and move around. Three, vulnerable equipment is often not being replaced or patched, and not nearly enough is being recalled.

That combination could literally prove deadly for patients.

"An old, unpatched device that was inadvertently exposed to the Internet can make a great foothold into a network, where attackers can then move around and find more sensitive data," says Charles Ragland, security engineer at Digital Shadows, a San Francisco-based provider of digital risk-protection solutions. "This could also lead to a ransomware attack that could incapacitate infrastructure that is critical for patient care and safety."

Ransomware and distributed denial-of-service (DDoS) are two of the more common attacks that affect IoMT. "The devices perform an important function, and people are much more likely to pay up or meet the demands of criminals who have carried out the attacks," Ragland says.

"When you talk about medical devices, the typical scenario frightening organizations is, what if there's a targeted attack? What if a nation-state specifically targets an IV pump and changes the dose of medication?" says Leon Lerman, CEO of IoMT security platform Cynerio. "That definitely could happen. But there's a lot more of a basic threat. Ransomware, phishing emails ... those attacks target the weakest and older OSes" typically running on these devices.

Indeed, hospitals are now the top targets in the world for ransomware because "they're vulnerable and they pay," Corman says. He adds that part of the problem stems from hospital insurance policies themselves, which have inadvertently covered ransom payments, usually in their kidnapping clauses. Corman says he is working with insurance companies to help change that going forward and to add in language that incentivizes providers to take necessary steps to address security flaws and respond to FDA recalls or pay higher premiums.

For now, while paying ransom might seem like the better choice than having medical systems incapacitated, this, of course, only incentivizes hackers to return to these reliable, lucrative gigs.

So why are hospitals overrun with outdated technology that they're not fixing and willingly forking over bitcoins to nefarious Internet criminals?

The answer to that is a mixed bag of technology that wasn't built with security in mind, connected devices that take so long to develop and get certified that their technology is obsolete by the time they hit the market, and finger-pointing between hospitals, device manufacturers, and the FDA.

"If you talk to a medical device maker or hospital operator, you will often hear, 'We are not allowed to patch these things. The FDA won't let us.' Or, 'OK, we're allowed to, but they'll make us recertify.' Both are false," Corman says. Rather, he says, as long as an update does not change the "intended use" of a device, it is not necessary to recertify. "In most cases, addressing a security flaw preserves 'intended use,'" he says.

It's a "willful lie on the part of some stakeholders in the system that you can't update medical devices," Corman says, adding that oftentimes device manufacturers won't do updates on old technology because they just want to move on to other things, and it's inadvisable or impossible for hospitals to patch security flaws without the manufacturer's involvement.

"Not only can you update, the FDA really wants you to update," he says.

For its part, the FDA has worked to clarify requirements around medical technology. In postmarket guidance completed in 2016, the FDA explained that while federal regulations require manufacturers or importers to report certain actions concerning device corrections and removals, "the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as 'cybersecurity routine updates and patches,' are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting. … For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the Agency."

Furthermore, in a 2018 update on premarket guidance that was originally completed in 2014, the FDA drafted new guidelines for the manufacturing of and life-cycle planning for connected medical devices that instruct manufacturers to apply a risk-based approach to the design and development of devices that considers cybersecurity for the life cycle of the product.

This is good news for the future of IoMT. But Corman notes the earliest we're likely to see modernized devices hit the market is 2021, and it'll be longer before facilities actually do the upgrades. "Hospitals hold onto devices as long as they can," he says, and then those outdated, dangerous devices sometimes go on to their next lives, sold to hospitals in other countries.

In the meantime, medical facilities are overloaded with insecure connections on their networks that all have the potential to harm or end human life.

"It's not uncommon for a medical device to have over 1,000 known vulnerabilities," Corman says. "It only takes one to take out a whole hospital."

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/26/2020 | 4:45:03 PM
Great Post
It's good , i i found this interesting . Great Work .

Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php
PUBLISHED: 2020-10-22
A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.
PUBLISHED: 2020-10-22
An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escala...
PUBLISHED: 2020-10-22
ImageMagick 7.0.10-34 allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.