informa
/
Endpoint
Commentary

Social Distancing for Healthcare's IoT Devices

Security pros need to double down around prevention of lateral movement by attackers, especially if IoT devices are connected to the network.

Even before the world began shutting down and sheltering in place, attackers had set their sights on medical records and other valuables they could leverage for cash. As early as 2018, top security researchers had identified the vulnerabilities the healthcare industry faces because attackers crave the private data kept at medical facilities.

Now, take that already worn-out security team and provide them with the current crisis, and what we have is a recipe for disaster. Just like everything else in a fight, survival is going to be a team effort. Luckily, the threat intel teams have really brought their A-game. 

Using the Mitre Att&ck framework, we can track the common techniques used by adversaries. From this information, we can get an idea of what weaknesses have already been exploited in these networks that attackers will likely hit. In the end, lateral movement is the tactic that needs to be shut down. With so much business volume going on it will be almost impossible to stop initial access, so any further footholds need to be closed off. Unfortunately, one of the most successful targets for lateral movement are Internet of Things devices that have revolutionized our medical world.

Attackers choose their targets after careful research and commonly use phishing or social engineering to gain initial access. Once they are on the network the next stage of an attack is finding the IoT devices that will grant them unrestricted lateral movement throughout the environment. 

Another issue that complicates this further: Many hospitals do not separate their IoT devices from other resources, such as databases storing patient records. The lack of separation simplifies discovering the prime targets. Attackers will then either steal the information or launch a ransomware attack.  

The first thing we need to do is to take a play from the fight against COVID-19 and start practicing proper device distancing. We know IoT devices are going to be vulnerable, so why have them on the same nets? Create choke points where traffic and endpoints are heavily monitored where the two sectors meet. At least analysts know where to look, and early triage teams know the probabilities of true positives are going to be high.

Many times, IoT devices use protocols that are not encrypted. This is a serious problem that should be rectified immediately, because anyone tapping those communications will learn everything they need to own that environment. Think of encryption like wearing your mask when going grocery shopping. Now let's make sure our devices are wearing their masks too. 

The final step that unfortunately only now many people finally started adopting is proper sanitization. IoT devices are notoriously behind when it comes to the operating systems they are using, and many more are unpatched. In fact, 83% of IoT devices are no longer running supported software. That would be similar to trying to wash your hands without indoor plumbing. 

Another flaw in the response to COVID-19 is a lack of visibility due to no testing in the community at large. Medical devices do not provide proper logging techniques that would allow SOCs to recognize when attacks happen. Due to FDA requirements, the devices are sad black boxes that must not be altered. Other methods to indirectly monitor network activity and traffic analysis need to be implemented. Just like with COVID-19, you need testing to know if the patient is infected. 

These are serious problems, and unfortunately, a lot of them will not be fixed unless we show the willpower the world has only seen with successful social distancing. But what is the point of beating COVID-19 if our hospitals allow our cyber diseases to erase any of those gains?            

Related Content:

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5