Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

// // //
3/19/2018
09:35 AM
Simon Marshall
Simon Marshall
Simon Marshall

IoT Use Complicates Security Landscape in Healthcare

As billions of IoT devices are coming online, especially in healthcare, the security landscape is getting increasingly complicated, according to a report from Zingbox.

Securing the expanding universe of billions of Internet of Things devices is anything but straightforward. But in the healthcare sector, it presents unique threats to human safety and operational efficiency.

To date, there's been a dearth of data from hospitals and clinics about the effects of cybersecurity threats and attacks. Over the course of this year, hackers will escalate activity targeted at medical facility weaknesses, with the implication that patient deaths could result, according to Zingbox, a firm based in Mountain View, Calif., that develops IoT device security for the healthcare sector.

However, new information collected from 50 US facilities and tens of thousands of medical devices over 12 months offers those in healthcare a snapshot of where the vulnerabilities are, and how they could be minimized. This study is part of what Zingbox calls the first cybersecurity report for the sector.

The study has some surprising results.

"This [data] gives us a wide-scale view of connected healthcare devices and enables us to pinpoint not just where the vulnerabilities are, but what's triggering the issues," Xu Zou, CEO and co-founder of Zingbox, told Security Now. "Many organizations don't have a clear picture of their networks, or even what devices are connected [across them]."

Bad practice
It turns out that user behavior is the biggest problem. About 40% of security issues noted in the report were created by medical staff using embedded browsers on workstations to access the Internet, conduct online chat or download content. A further 33% of risks on connected medical devices were accounted for by outdated operating systems or software, obsolete applications or unpatched firmware.

Facilities have clearly fallen down here, when policy enforcement and network restriction could cut the number of rogue applications and risky browser usage that inadvertently place patient lives at risk. Any threat that impairs operational wellbeing -- such as a ransomware or distributed denial of service (DDoS) attack -- also reduces the ability to care for patients effectively.

Devices that threaten safety
Any medical device connected to the network poses a threat. These include infusions pumps, imaging systems, patient monitors, ECG machines, nurse call and patient tracking systems. Interestingly, although infusion pumps are the most widely deployed medical device -- and are directly connected to patients -- they are the least susceptible to security threats.

"[We] point out that while infusion pumps make up nearly 50% of connected devices in hospitals, they don't represent the largest attack surface," said Zou. "Security issues relating to pumps were only at 2%, however, attention to protecting these devices should still be a priority since a successful attack on a single pump could result in disabling the bulk of all infusion pumps through lateral movement and infection."

Imaging systems ranked number one in the report as the source of 51% of all security issues. That's partly a product of the sheer variety of imaging systems in place. These range from X-ray, ultrasound and MRI machines, to digital imaging and communications workstations, and picture archiving and communications servers.

It's also a product of the number network applications that run on imaging systems. These devices average about seven network applications per device, more than any other, and three of the applications are specifically for communicating outside of the organization. Other devices are primarily designed for intra-organizational communication, and so they present a reduced threat.

Also, imaging systems are often built on commercial-off-the-shelf (COTS) OS, are expected to have a long lifespan, are expensive to replace and according to the report, often outlive support agreements with vendors.

Device segmentation
Almost nine out of ten hospitals surveyed have less than 20 VLANs to successfully segment and isolate medical devices against lateral movement from an attack. Zingbox views this as too few for almost any size of facility to be of practical cybersecurity benefit. For organizations without the visibility into their connected devices, all they have is a collection of IP addresses without any context.

Organizations looking to VLAN segmentation for protection also need to bear in mind that only about 25% of the devices on healthcare networks are medical. Almost 45% of devices are PCs, with multiple other devices comprising printers, scanners, IP phones, smartphones and surveillance cameras. This is itself is a big weakness since a PC can be attacked and then laterally moved to medical devices.

"Understanding how [attacks] enter our networks is critical to protecting patient data and safety," said Zou. "As we continue to gather more knowledge, we can better arm our staff and networks to prevent these dangerous events."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-0624
PUBLISHED: 2022-06-28
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
CVE-2017-20105
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument path with the input ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd leads to path traversal. The att...
CVE-2017-20106
PUBLISHED: 2022-06-28
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally...
CVE-2017-20107
PUBLISHED: 2022-06-28
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used...
CVE-2017-20104
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to th...