Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

End of Bibblio RCM includes -->
3/19/2018
09:35 AM
Simon Marshall
Simon Marshall
Simon Marshall

IoT Use Complicates Security Landscape in Healthcare

As billions of IoT devices are coming online, especially in healthcare, the security landscape is getting increasingly complicated, according to a report from Zingbox.

Securing the expanding universe of billions of Internet of Things devices is anything but straightforward. But in the healthcare sector, it presents unique threats to human safety and operational efficiency.

To date, there's been a dearth of data from hospitals and clinics about the effects of cybersecurity threats and attacks. Over the course of this year, hackers will escalate activity targeted at medical facility weaknesses, with the implication that patient deaths could result, according to Zingbox, a firm based in Mountain View, Calif., that develops IoT device security for the healthcare sector.

However, new information collected from 50 US facilities and tens of thousands of medical devices over 12 months offers those in healthcare a snapshot of where the vulnerabilities are, and how they could be minimized. This study is part of what Zingbox calls the first cybersecurity report for the sector.

The study has some surprising results.

"This [data] gives us a wide-scale view of connected healthcare devices and enables us to pinpoint not just where the vulnerabilities are, but what's triggering the issues," Xu Zou, CEO and co-founder of Zingbox, told Security Now. "Many organizations don't have a clear picture of their networks, or even what devices are connected [across them]."

Bad practice
It turns out that user behavior is the biggest problem. About 40% of security issues noted in the report were created by medical staff using embedded browsers on workstations to access the Internet, conduct online chat or download content. A further 33% of risks on connected medical devices were accounted for by outdated operating systems or software, obsolete applications or unpatched firmware.

Facilities have clearly fallen down here, when policy enforcement and network restriction could cut the number of rogue applications and risky browser usage that inadvertently place patient lives at risk. Any threat that impairs operational wellbeing -- such as a ransomware or distributed denial of service (DDoS) attack -- also reduces the ability to care for patients effectively.

Devices that threaten safety
Any medical device connected to the network poses a threat. These include infusions pumps, imaging systems, patient monitors, ECG machines, nurse call and patient tracking systems. Interestingly, although infusion pumps are the most widely deployed medical device -- and are directly connected to patients -- they are the least susceptible to security threats.

"[We] point out that while infusion pumps make up nearly 50% of connected devices in hospitals, they don't represent the largest attack surface," said Zou. "Security issues relating to pumps were only at 2%, however, attention to protecting these devices should still be a priority since a successful attack on a single pump could result in disabling the bulk of all infusion pumps through lateral movement and infection."

Imaging systems ranked number one in the report as the source of 51% of all security issues. That's partly a product of the sheer variety of imaging systems in place. These range from X-ray, ultrasound and MRI machines, to digital imaging and communications workstations, and picture archiving and communications servers.

It's also a product of the number network applications that run on imaging systems. These devices average about seven network applications per device, more than any other, and three of the applications are specifically for communicating outside of the organization. Other devices are primarily designed for intra-organizational communication, and so they present a reduced threat.

Also, imaging systems are often built on commercial-off-the-shelf (COTS) OS, are expected to have a long lifespan, are expensive to replace and according to the report, often outlive support agreements with vendors.

Device segmentation
Almost nine out of ten hospitals surveyed have less than 20 VLANs to successfully segment and isolate medical devices against lateral movement from an attack. Zingbox views this as too few for almost any size of facility to be of practical cybersecurity benefit. For organizations without the visibility into their connected devices, all they have is a collection of IP addresses without any context.

Organizations looking to VLAN segmentation for protection also need to bear in mind that only about 25% of the devices on healthcare networks are medical. Almost 45% of devices are PCs, with multiple other devices comprising printers, scanners, IP phones, smartphones and surveillance cameras. This is itself is a big weakness since a PC can be attacked and then laterally moved to medical devices.

"Understanding how [attacks] enter our networks is critical to protecting patient data and safety," said Zou. "As we continue to gather more knowledge, we can better arm our staff and networks to prevent these dangerous events."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-1678
PUBLISHED: 2022-05-25
An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.
CVE-2021-32966
PUBLISHED: 2022-05-25
Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP s...
CVE-2021-32989
PUBLISHED: 2022-05-25
When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.
CVE-2021-32997
PUBLISHED: 2022-05-25
The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 ver...
CVE-2021-35487
PUBLISHED: 2022-05-25
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain the database user, dat...