Connected healthcare devices continue to pose a threat, says Andy Milne, Regional Vice President of Northern Europe at the cyber firm Forescout.
The rise of digital technology within healthcare is nothing new, but it has been significantly shaped, and accelerated, by the pandemic. In recent years, technological advances have ramped up right across the healthcare sector to plug the gaps created by the absence of physical interaction.
Pre-pandemic, there was already plenty of evidence of cutting-edge tech within healthcare, for instance in the form of lab robots, digital records, data sharing, apps, remote monitoring devices and so on. At the same time, increasingly sophisticated AI- and robotics-fuelled innovations are being introduced and continue to be developed. Examples include connected wound dressings, 3D-printed implants and joints, and wearable biosensors designed to monitor patient health.
This wave of continuous tech innovation means endless opportunities to work smarter, improve patient satisfaction and tackle backlogs, among many other things. But it also means the healthcare sector is more vulnerable to cybersecurity attacks than ever before. In 2021, 45 million people were affected by healthcare-related cyberattacks, up from 34 million in 2020. Last year, there were 46 data breaches in February alone, impacting 2.5 million people. The catalyst: the extensive range and scale of Internet of Medical Things (IoMT) that now exist within the sector.
While these connected devices are capable of achieving great things, they are also highly susceptible to being compromised by persistent cybercriminals. For example, Ireland’s equivalent of the NHS, the Health Service Executive (HSE), was struck by a cyberattack in 2021 through its national and local IT systems. The perpetrators used ransomware to prise open both sets of IT systems and, once inside, locked access to patient data, disrupted various services and disabled medical equipment.
Alongside Internet of Medical Things (IoMT) devices, IT, Internet of Things (IoT) and Operational Technology (OT) devices are all at risk of being targeted once, twice or many times, and in numerous ways. To highlight the true scale of the issue, the risk posture of more than 19 million devices across financial services, government, healthcare, manufacturing and retail was analysed to reveal the riskiest connected devices of 2022.
X-ray machines and patient monitors are among the riskiest IoMT devices
Connected medical devices have the potential to jeopardise both healthcare delivery and patient safety. Of the 45 million people who were impacted by healthcare-related cyber-attacks last year, a large proportion of them were affected by ransomware.
Ransomware attacks have the potential to trigger a domino effect, spreading to other parts of the network and stopping the different medical devices found there in their tracks. Besides the aforementioned HSE attack, other healthcare-related ransomware attacks include WannaCry in 2017, and a 2019 attack on a hospital in Alabama that affected foetal monitors.
As a result of attacks like these, the NHS has introduced the Data Security and Protection Toolkit (DSPT) which outlines the best practice security controls NHS Trusts should have in place. Through this regulatory compliance mandate, all organisations that have access to NHS patient data and systems must complete the self-assessment to confirm they are practising sufficient data security.
In terms of the riskiest devices, research has revealed that DICOM workstations, nuclear medicine systems, imaging devices and PACS, which all relate to medical imaging, are ranked among the top five. Often, these devices run legacy, vulnerable IT operating systems, have extensive network connectivity to allow for sharing imaging files, and use the DICOM standard for sharing those files. The protocol supports message encryption, but enabling it is left to each individual healthcare organisation. If traffic is left unencrypted, it not only provides a pathway for attackers to spread malware to other devices on the network, but also lets them get hold of, and tamper with, medical images.
It is no surprise that patient monitors are widely recognised as being among the most common medical devices within healthcare organisations. However, they are also among the most vulnerable. Like medical imaging devices, they often communicate with unencrypted protocols, which means their readings can be tampered with by attackers.
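The practical defensive check that follows from the two paragraphs above is simply to find out whether DICOM associations on your own network are being set up in the clear. The example below is added here and is not Forescout's code or part of the original article: it parses the fixed header of a DICOM A-ASSOCIATE-RQ PDU (PDU type 0x01, protocol version, called and calling Application Entity titles, then the Application Context item) and flags any captured TCP payload that opens a cleartext DICOM association. The flow records, AE titles and IP addresses are constructed sample data; a DICOM-over-TLS session would begin with a TLS handshake rather than a PDU header and is therefore not reported.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Standard DICOM Application Context Name carried in every A-ASSOCIATE-RQ.
DICOM_APP_CONTEXT = "1.2.840.10008.3.1.1.1"
PDU_ASSOCIATE_RQ = 0x01
ITEM_APP_CONTEXT = 0x10


@dataclass
class AssociateRequest:
    called_ae: str
    calling_ae: str
    app_context: Optional[str]


def parse_associate_rq(payload: bytes) -> Optional[AssociateRequest]:
    """Parse the fixed part of an A-ASSOCIATE-RQ PDU; return None for anything else.

    Layout: type(1) reserved(1) length(4) | version(2) reserved(2)
            called AE(16) calling AE(16) reserved(32) | variable items...
    """
    if len(payload) < 74 or payload[0] != PDU_ASSOCIATE_RQ:
        return None
    pdu_len = struct.unpack(">I", payload[2:6])[0]
    if pdu_len + 6 > len(payload):
        return None  # truncated PDU
    version = struct.unpack(">H", payload[6:8])[0]
    if version & 0x0001 == 0:
        return None  # protocol version bit 0 must be set
    called = payload[10:26].decode("ascii", "replace").strip()
    calling = payload[26:42].decode("ascii", "replace").strip()

    # Walk the variable items to pick out the Application Context Name.
    app_ctx = None
    pos, end = 74, 6 + pdu_len
    while pos + 4 <= end:
        item_type = payload[pos]
        item_len = struct.unpack(">H", payload[pos + 2:pos + 4])[0]
        data = payload[pos + 4:pos + 4 + item_len]
        if item_type == ITEM_APP_CONTEXT:
            app_ctx = data.decode("ascii", "replace")
            break
        pos += 4 + item_len
    return AssociateRequest(called, calling, app_ctx)


def build_associate_rq(called: str, calling: str,
                       app_ctx: str = DICOM_APP_CONTEXT) -> bytes:
    """Construct a minimal A-ASSOCIATE-RQ (constructed test input, not real traffic)."""
    item = bytes([ITEM_APP_CONTEXT, 0x00]) + struct.pack(">H", len(app_ctx)) + app_ctx.encode("ascii")
    body = (struct.pack(">H", 1) + b"\x00\x00"
            + called.ljust(16).encode("ascii") + calling.ljust(16).encode("ascii")
            + b"\x00" * 32 + item)
    return bytes([PDU_ASSOCIATE_RQ, 0x00]) + struct.pack(">I", len(body)) + body


# Constructed flow records standing in for the first client payload of each TCP session.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "192.0.2.50", "dport": 104,
     "payload": build_associate_rq("PACS1", "MODALITY7")},          # cleartext DICOM
    {"src": "192.0.2.11", "dst": "192.0.2.50", "dport": 2762,
     "payload": b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 70},  # TLS ClientHello
    {"src": "192.0.2.12", "dst": "192.0.2.60", "dport": 80,
     "payload": b"GET /status HTTP/1.1\r\nHost: monitor\r\n\r\n" + b" " * 60},  # HTTP
]


def find_cleartext_dicom(flows):
    """Return the flows whose first payload is a cleartext DICOM association request."""
    findings = []
    for f in flows:
        rq = parse_associate_rq(f["payload"])
        if rq and rq.app_context == DICOM_APP_CONTEXT:
            findings.append({"src": f["src"], "dst": f["dst"], "port": f["dport"],
                             "called_ae": rq.called_ae, "calling_ae": rq.calling_ae})
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_dicom(SAMPLE_FLOWS):
        print(f"cleartext DICOM: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"({hit['calling_ae']} -> {hit['called_ae']})")
```

Each hit names the calling and called AE titles, which is what you need to work out which modality and which PACS or workstation still need DICOM TLS turned on, or to be placed in their own segment until they can be.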
What can healthcare organisations do to protect themselves from cyberattacks?
The growing number and diversity of connected devices presents new challenges for healthcare organisations to understand and manage the risks they are exposed to. It is not enough to focus defences on risky devices in one category since attackers can leverage devices of different categories to carry out attacks.
Every connected device found in a healthcare environment, not just the medical devices, is a potential entry point. IP cameras, intelligent heating, ventilation and air conditioning (HVAC) systems, lighting, Voice over Internet Protocol (VoIP) platforms and any other connected system are all at risk.
The ease with which attackers can move laterally across networks, transitioning between devices, renders securing one device futile. Instead, healthcare organisations must implement a single Device Visibility solution that covers all connected assets, not just IoMT devices. Besides sealing potential risk gaps throughout the network, a singular solution has the potential to reduce costs and improve staff productivity. In addition, it can lay the foundation for Zero Trust network access and network segmentation strategies, thereby blocking an intruder’s path between devices.
Meanwhile, legacy devices that represent a big investment and have been in place for 10, 20 or more years are widely recognised as an open invitation to cyber attackers. While these devices may be tried and tested and work well from an operational perspective, it is becoming increasingly apparent that they have little to no cybersecurity infrastructure in place. In fact, some of these older devices have started to be recalled because their cybersecurity risk is so high.
Visualise the risks
For healthcare organisations, the first step in arming themselves against cyberattacks involves understanding the scale of the issue. Ideally, they should take inventory of all the different types of devices they have and assess the level of risk associated with each one.
Plan your defence
Once armed with full visibility of their potential device vulnerabilities and an understanding of the attack surface, organisations should then implement a dedicated cybersecurity strategy that is tailored to their infrastructure and can prioritise based on each device's level of risk. This should include automated controls that do not rely on security agents and that can be applied to the whole organisation, instead of to silos such as the IT network, the OT network or specific types of IoT or IoMT devices.
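The two steps above (inventory every device and assess its risk, then prioritise controls by that risk) can be expressed as a small scoring pipeline. The example below is added here and is not Forescout's scoring model or any code from the original article; the risk factors and their weights are assumptions chosen to reflect the points made in this piece (legacy operating systems, unencrypted clinical protocols, exposure, patient-safety impact), and the inventory is constructed sample data. It scores each device regardless of whether it is IT, OT, IoT or IoMT, orders the fleet by risk, and attaches the defensive controls that follow from each finding.

```python
from dataclasses import dataclass
from typing import List

# Assumed factor weights (not from the article); tune to your own risk appetite.
W_LEGACY_OS = 30        # unsupported or end-of-life operating system
W_CLEARTEXT = 25        # clinical or management protocol sent unencrypted
W_EXPOSED = 25          # reachable from outside its intended segment / the internet
W_PATIENT_SAFETY = 20   # compromise could directly affect care

LEGACY_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
CLEARTEXT_PROTOCOLS = {"DICOM", "HL7", "HTTP", "Telnet", "FTP", "RTSP"}


@dataclass
class Device:
    name: str
    category: str          # "IoMT", "IT", "IoT" or "OT"
    os: str
    protocols: List[str]
    encrypted: bool        # True if its traffic is protected in transit (e.g. DICOM TLS)
    patient_safety: bool
    exposed: bool


def risk_score(d: Device) -> int:
    """Additive score from the assumed factors above; higher means riskier."""
    score = 0
    if d.os in LEGACY_OS:
        score += W_LEGACY_OS
    if not d.encrypted and any(p in CLEARTEXT_PROTOCOLS for p in d.protocols):
        score += W_CLEARTEXT
    if d.exposed:
        score += W_EXPOSED
    if d.patient_safety:
        score += W_PATIENT_SAFETY
    return score


def recommended_controls(d: Device) -> List[str]:
    """Map each scoring factor to a concrete, agentless control."""
    controls = []
    if d.os in LEGACY_OS:
        controls.append("isolate in a dedicated segment; restrict to required peers only")
    if not d.encrypted and any(p in CLEARTEXT_PROTOCOLS for p in d.protocols):
        controls.append("enable protocol encryption (e.g. DICOM TLS) or tunnel the link")
    if d.exposed:
        controls.append("remove direct exposure; front with an authenticated gateway")
    if d.patient_safety:
        controls.append("alert on any new peer or protocol for this device")
    return controls or ["baseline monitoring only"]


def prioritise(inventory: List[Device]) -> List[Device]:
    """Order the whole fleet, across categories, by descending risk."""
    return sorted(inventory, key=lambda d: (-risk_score(d), d.name))


# Constructed inventory spanning IoMT, IoT, OT and IT assets.
SAMPLE_INVENTORY = [
    Device("xray-workstation-1", "IoMT", "Windows 7", ["DICOM"], False, True, False),
    Device("patient-monitor-3", "IoMT", "Embedded Linux", ["HL7"], False, True, False),
    Device("lobby-camera-2", "IoT", "Embedded Linux", ["HTTP", "RTSP"], False, False, True),
    Device("hvac-controller-1", "OT", "VxWorks", ["BACnet", "Telnet"], False, False, False),
    Device("office-laptop-9", "IT", "Windows 11", ["HTTPS"], True, False, False),
]


if __name__ == "__main__":
    for d in prioritise(SAMPLE_INVENTORY):
        print(f"{risk_score(d):3d}  {d.category:4s} {d.name}")
        for c in recommended_controls(d):
            print(f"       - {c}")
```

The ordering is what matters for planning: the legacy imaging workstation sitting on cleartext DICOM outranks the internet-facing camera, which in turn outranks the patient monitor, so segmentation and protocol encryption work is scheduled by risk rather than by device category.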
When it comes to future connected device investment, seeking products that are manufactured with the latest security features, including encryption and multi-factor authentication, is key. Once installed, these devices can then be cemented in place with cybersecurity strategies that can be reviewed and refined to help provide continuous protection. With cyber attackers using multiple routes to attack, healthcare organisations can, and should, ensure complete visibility to safeguard their connected devices, old and new.