While medical equipment has long presented thorny security problems, Internet of Things devices in hospitals bring entirely new, and often daunting, cyberthreats.
Take Mirai malware as just the latest example. In late 2017, cybersecurity experts discovered a new variant of Mirai, which transforms Linux networked devices into remote-controlled bots that can be used as part of a botnet in major network attacks. This new variant was designed specially to attack Internet of Things devices.
“The attack is a distributed denial of service attack, meaning the malware now can commandeer previously immune devices and use them to target large amounts of traffic at other devices, causing them to fail due to resource exhaustion,” explained Mike Ahmadi, global director of IoT security at DigiCert, a cybersecurity company that specializes in digital certificates, SSL, encryption and the IoT. “What is particularly onerous is that there are an exponentially larger number of devices – potentially billions – now susceptible to the malware, dramatically increasing the number of potential attacks.”
It’s not just Mirai, of course. Clever malware creators figured out how to build code to attack the architecture. Malware creators are quite creative, and modifying code is often easier than starting from scratch.
Health IT and security executives and infosec teams need to be prepared to combat these creative criminals.
“Essentially, if healthcare CISOs do not block unauthenticated traffic or are incapable of recognizing DDOS attacks and mitigating against them, the affected systems could stop functioning as expected,” Ahmadi said. “It is important to understand that the development community for malware is just as active and often more driven to create improved versions as the conventional software industry is.”
Devices like insulin pumps were not built with traditional security monitoring.
Fresh meat for cyberattackers
Internet of Things devices in healthcare represent new and expanding opportunities for cyberattackers.
“Cyberattackers target healthcare networks for two primary reasons – to steal the medical records they contain or to extort ransom payments,” said Michael Simon, president and CEO of cybersecurity firm Cryptonite. “Medical records are the targets of choice, as this data is highly prized to support identity theft and financial fraud. While 2017 was the year of ransomware, we are anticipating this already hard-hit sector will feel in 2018 the wrath of cybercriminals targeting the hundreds of thousands of IoT devices already deployed in healthcare.”
Internet of Things devices now are ubiquitous in healthcare – they are already present in intensive care facilities, operating rooms and patient care networks, Simon added.
So it is incumbent upon healthcare security teams to tackle the challenges that come with operating and securing IoT devices. And when it comes to challenges, there are many.
The lack of inherent security controls in these devices is one of the biggest hurdles to overcome, said Anahi Santiago, chief information security officer at Christiana Care Health System in Wilmington, Delaware, which operates well over 10,000 IoT devices.
“These devices are designed for convenience, not with security as core to their operating model,” Santiago said. “Often these devices do not require passwords or encryption, and are not updated based on identified vulnerabilities.”
These devices also don’t necessarily generate alerts or provide monitoring capabilities so that healthcare organizations have visibility into how they are performing and behaving. Most of the traditional controls that information security professionals use to control and protect the environment do not exist in IoT devices.
The IoT device may not be the target of an attack, but can be used as a point for gaining access to the network.
Another IoT security challenge identified by Santiago is the implementation of compensating controls in order to protect a network from a potential breach or malfunction.
“Because of the lack of inherent controls, organizations have to find alternative ways to reduce the potential risk that these devices pose to the network,” she said.
And then there is the need for IoT devices to connect to other areas of a network. Network segmentation can be complex, and configuring these devices in a fashion that defaults to denial is resource-intensive, especially for a large organization.
“The volume and demand for IoT devices has the potential to exceed the resources and capacity to implement them in a secure fashion,” Santiago added. “Organizations are needing to find ways to supplement existing resources in order to meet business needs.”
Medical device network structures are different from healthcare organization to healthcare organization, and this is another challenge to IoT security, said Ryan Spanier, director of research at Kudelski Security.
“Many hospitals isolate these healthcare devices on their own network segment, while others rely on their primary network,” he said. “In ideal cases, organizations will isolate each device type on their own segment. This approach will mitigate many concerns related to lateral movement within the network once a device is compromised.”
But the biggest challenge today in IoT security is that most organizations, regardless of industry, are in the “We don’t know what we don’t know” phase of addressing the risks associated with the IoT, said Chuck Kesler, chief information security officer at Duke Health in Durham, North Carolina.
“These devices often are procured and connected to the network without oversight by IT or the security team, and they may contain vulnerabilities straight out of the box,” he said. “This could be as simple as the device having a well-known default password that needs to be changed, but if that’s not done, an attacker will quickly find that device and use it to their advantage.”
Webcams and teleconferencing systems are vulnerable if not secured.
Processes and policies
To address all these IoT security challenges head-on, healthcare CIOs and CISOs need to ensure they have the best policies, processes and technologies in place. Healthcare executives can start with policies and processes, creating an environment that helps build a secure wall around the myriad IoT devices in orbit around their organization.
First and foremost, it’s necessary to have robust processes and policies for building and maintaining an inventory of all systems connected to the network. This inventory should contain sufficient information, such as vendor names, model numbers, serial numbers, version numbers, physical location and support contacts, that would allow the organization to quickly identify and address risks associated with IoT devices.
“This also is critical for being able to respond to vulnerabilities that are being actively exploited as part of an attack, including ransomware attacks,” Kesler said. “In some cases, the IoT device itself may not be the target of the attack, but can be used as a pivot point for extending the attacker’s access across the environment. Without having this information at hand, the security and IT teams will be unable to proactively address new risks as they become known, and in the worst case of an attack, they may not be able to contain the malicious activity fast enough.”
This also points to another policy that should be in place, which is pre-authorizing the security team to take action to remove vulnerable devices from the network either during a cyberattack or if it is thought that such an attack is imminent.
Also on the policy and process side, organizations must ensure they are aware of all assets that can impact the security of the healthcare IoT network – that includes assets the healthcare organization has deployed and those in use in and around the network.
“To make this job easier, many organizations limit access to the IoT network,” said Spanier of Kudelski Security. “In a simple approach, you may just have a separate network segment for IoT devices. A more advanced and effective approach would also encrypt the network, protecting the data and ensuring only authorized devices can communicate.”
Next, a healthcare organization needs an asset management plan that includes how it will deploy patches, Spanier said.
“Medical devices are expensive, so having fully redundant systems that can be upgraded while others are deployed is unrealistic, but patches also cannot be neglected for deployed devices,” he explained. “A business continuity plan to prepare for device failure is critical. No device is 100 percent secure, even if it’s fully patched.”
At some point a device, or the entire IoT network, may be unavailable due to an attack. Healthcare CIOs and CISOs must prepare for this scenario and how they would recover as quickly as possible.
Santiago of Christiana Care believes that to a large extent, the processes and policies used to assess and secure IoT devices are no different than those for traditional technologies, and that security should always start with risk management.
“A business unit wishes to buy a piece of technology,” she said. “An assessment is performed to determine the potential risks that the technology can pose to the organization. A determination is done as to whether there are compensating controls that can be implemented to minimize any identified risks. A subsequent determination is made as to whether any residual risks are acceptable.”
If so, a green light is given. The information security team then works with other teams in the organization to ensure implementation includes compensating controls that were originally identified. Examples are network segmentation and denial of unnecessary protocols.
Some IoT devices have a well-known default password that needs to be changed.
The right technologies
Once policies and processes are in place for securing the healthcare IoT, CIOs and CISOs have to make sure they have the right technologies deployed to protect their IoT devices and subsequently their networks.
Todd Greene, chief information security officer at Carolinas HealthCare System in Charlotte, North Carolina, explained that his organization uses, among other things, many of the same technologies used for other products within the organization. And these include segmentation, firewalls, access control lists and intrusion systems.
Santiago of Christiana Care points to some of the same technology solutions and more, including network segmentation, firewalls, intrusion protection systems/intrusion detection systems, and security information and event management software.
“As for tools more specifically targeting IoT devices, we are in the process of evaluating what is available,” she added.
On that note, the technology ecosystem for IoT networks grows daily, said Spanier of Kudelski Security.
“The first technology deployed should focus on visibility,” he said. “A network monitoring platform specifically built for IoT devices allows an administrator to see all of the devices on the network, what state they are in, and if there are any threats that need responding to. Without visibility, there isn’t enough information to identify your risks and deploy other effective countermeasures.”
Manage how connected devices work to limit the threat to the overall network.
Another IoT security technology deployed focuses on securing the network layer. This could simply be setting up VLANs for medical devices to segregate them from the rest of the network, and from each other, in some cases.
“A more advanced approach can use network software to encrypt and dynamically respond to threats to quarantine misbehaving devices from the network,” Spanier said. “Network segmentation helps limit the spread of an infection or threat.”
From a technology perspective, a network access control, or NAC, solution is needed to automatically manage how devices are connected to a network – this is a project Duke Health currently is undertaking, Kesler said.
“It will be one of the most complex security initiatives we have undertaken due to the diversity of devices that connect to our wired and wireless networks, but it also promises to provide a significant reduction in risk because we will be able to determine what level of network access to provide to a device based on whether it’s in our inventory of known devices, as well as its security posture,” he explained.
“This will be a transformative technology when it comes to managing the IoT because we will be able to limit the network access provided to these devices if they have gone through the proper channels to be connected to the network,” he added. “We also will have the ability to more easily filter vulnerable devices off the network.”
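As an added illustration (not code from Duke Health or any vendor named in the article), the sketch below ties the inventory fields listed earlier to the access decision Kesler describes: devices not in the inventory are denied by default, and inventoried devices with incomplete records or a known-vulnerable version get limited access. The MAC lookup key, the level names, the device records and the vulnerable-version list are all constructed assumptions.

```python
from dataclasses import dataclass, fields

@dataclass
class Device:
    """Inventory record; field set follows the article, layout is assumed."""
    mac: str              # assumed lookup key (not named in the article)
    vendor: str
    model: str
    serial: str
    version: str
    location: str
    support_contact: str

def missing_fields(dev):
    """Names of inventory fields left blank for this device."""
    return [f.name for f in fields(dev) if not getattr(dev, f.name).strip()]

def access_level(mac, inventory, vulnerable):
    """Default-deny decision: (level, reason) for one observed MAC address."""
    dev = inventory.get(mac.lower())
    if dev is None:
        return ("quarantine", "not in inventory")
    gaps = missing_fields(dev)
    if gaps:
        return ("restricted", "incomplete record: " + ", ".join(gaps))
    if (dev.vendor, dev.model, dev.version) in vulnerable:
        return ("restricted", "known-vulnerable version")
    return ("device-segment", "inventoried, posture ok")

def triage(observed, inventory, vulnerable):
    """Map every MAC seen on the network to its access decision."""
    return {m.lower(): access_level(m, inventory, vulnerable) for m in observed}

# Constructed sample data (documentation MAC range, made-up vendors).
INVENTORY = {d.mac: d for d in [
    Device("00:00:5e:00:53:01", "ExampleMed", "Pump-A", "SN1001", "1.2",
           "ICU-3", "biomed@example.org"),
    Device("00:00:5e:00:53:02", "ExampleMed", "Pump-A", "SN1002", "1.0",
           "ICU-4", "biomed@example.org"),
    Device("00:00:5e:00:53:03", "ExampleCam", "Cam-X", "", "2.1",
           "", "av@example.org"),
]}
VULNERABLE = {("ExampleMed", "Pump-A", "1.0")}   # e.g. fed by vulnerability scans
OBSERVED = ["00:00:5E:00:53:01", "00:00:5e:00:53:02",
            "00:00:5e:00:53:03", "00:00:5e:00:53:99"]

if __name__ == "__main__":
    for mac, (level, reason) in triage(OBSERVED, INVENTORY, VULNERABLE).items():
        print(f"{mac}  {level:15} {reason}")
```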
Network segmentation with intrusion protection/detection systems can help prevent larger breaches.
Big advice from CISOs
Ultimately, when asked what is the biggest piece of advice they would share with their peers when it comes to securing IoT devices, three healthcare CISOs have plenty to offer.
“Start by building an inventory of what you have, and use vulnerability scans to identify where you have critical vulnerabilities on those devices,” said Kesler of Duke Health. “In particular, look to see which of these devices are exposed to the Internet, as those are the most likely to be attacked or used to spy on your organization, such as in the case of unsecured webcams or teleconferencing systems. A really easy way to do this is to use the Shodan website, Shodan.io, which is a search engine for IoT devices.”
Don’t try to stop the use of the IoT because you probably will not succeed and likely already have IoT devices within your four walls, said Greene of Carolinas HealthCare.
“Listen to the needs of your business units and then determine how to balance those needs with the proper security controls to reduce your risk exposure,” he added. “Make sure your business leaders understand you are there to help them do their jobs more securely, not prevent them from doing their jobs.”
The most important advice is not to re-invent the wheel, said Santiago of Christiana Care.
“At the core of it all, it’s about risk management,” she said. “If you have sound processes in place for managing information security risks, follow the same processes. The controls may be different, but if you are consistently following a risk management framework, the other pieces will fall into place.”