Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

3/19/2018
09:35 AM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

IoT Use Complicates Security Landscape in Healthcare

As billions of IoT devices are coming online, especially in healthcare, the security landscape is getting increasingly complicated, according to a report from Zingbox.

Securing the expanding universe of billions of Internet of Things devices is anything but straightforward. But in the healthcare sector, it presents unique threats to human safety and operational efficiency.

To date, there's been a dearth of data from hospitals and clinics about the effects of cybersecurity threats and attacks. Over the course of this year, hackers will escalate activity targeted at medical facility weaknesses, with the implication that patient deaths could result, according to Zingbox, a firm based in Mountain View, Calif., that develops IoT device security for the healthcare sector.

However, new information collected from 50 US facilities and tens of thousands of medical devices over 12 months offers those in healthcare a snapshot of where the vulnerabilities are, and how they could be minimized. This study is part of what Zingbox calls the first cybersecurity report for the sector.

The study has some surprising results.

"This [data] gives us a wide-scale view of connected healthcare devices and enables us to pinpoint not just where the vulnerabilities are, but what's triggering the issues," Xu Zou, CEO and co-founder of Zingbox, told Security Now. "Many organizations don't have a clear picture of their networks, or even what devices are connected [across them]."

Bad practice
It turns out that user behavior is the biggest problem. About 40% of security issues noted in the report were created by medical staff using embedded browsers on workstations to access the Internet, conduct online chat or download content. A further 33% of risks on connected medical devices were accounted for by outdated operating systems or software, obsolete applications or unpatched firmware.

Facilities have clearly fallen down here, when policy enforcement and network restriction could cut the number of rogue applications and risky browser usage that inadvertently place patient lives at risk. Any threat that impairs operational wellbeing -- such as a ransomware or distributed denial of service (DDoS) attack -- also reduces the ability to care for patients effectively.

Devices that threaten safety
Any medical device connected to the network poses a threat. These include infusions pumps, imaging systems, patient monitors, ECG machines, nurse call and patient tracking systems. Interestingly, although infusion pumps are the most widely deployed medical device -- and are directly connected to patients -- they are the least susceptible to security threats.

"[We] point out that while infusion pumps make up nearly 50% of connected devices in hospitals, they don't represent the largest attack surface," said Zou. "Security issues relating to pumps were only at 2%, however, attention to protecting these devices should still be a priority since a successful attack on a single pump could result in disabling the bulk of all infusion pumps through lateral movement and infection."

Imaging systems ranked number one in the report as the source of 51% of all security issues. That's partly a product of the sheer variety of imaging systems in place. These range from X-ray, ultrasound and MRI machines, to digital imaging and communications workstations, and picture archiving and communications servers.

It's also a product of the number network applications that run on imaging systems. These devices average about seven network applications per device, more than any other, and three of the applications are specifically for communicating outside of the organization. Other devices are primarily designed for intra-organizational communication, and so they present a reduced threat.

Also, imaging systems are often built on commercial-off-the-shelf (COTS) OS, are expected to have a long lifespan, are expensive to replace and according to the report, often outlive support agreements with vendors.

Device segmentation
Almost nine out of ten hospitals surveyed have less than 20 VLANs to successfully segment and isolate medical devices against lateral movement from an attack. Zingbox views this as too few for almost any size of facility to be of practical cybersecurity benefit. For organizations without the visibility into their connected devices, all they have is a collection of IP addresses without any context.

Organizations looking to VLAN segmentation for protection also need to bear in mind that only about 25% of the devices on healthcare networks are medical. Almost 45% of devices are PCs, with multiple other devices comprising printers, scanners, IP phones, smartphones and surveillance cameras. This is itself is a big weakness since a PC can be attacked and then laterally moved to medical devices.

"Understanding how [attacks] enter our networks is critical to protecting patient data and safety," said Zou. "As we continue to gather more knowledge, we can better arm our staff and networks to prevent these dangerous events."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...