SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Connected medical devices pose serious security risks for healthcare firms
Mon, 5th Mar 2018
FYI, this story is more than a year old

Healthcare organisations around the world may be using medical devices that come with serious cybersecurity risks, according to research coming from some US hospitals and clinics.

That research suggests that network traffic passing through internet-connected medical devices lack real-time insights.

Combined with a lack of solutions to secure those devices and no clear industry reports as to how to mitigate those risks, the study from Zingbox says there are many hurdles ahead for healthcare providers.

The most common connected medical devices include infusion pumps (deployed in 46% of surveyed healthcare firms), imaging systems, patient monitors and point-of-care analysers.

Other common connected devices include ECG machines, patient tracking, nurse call systems and medical printers.

Imaging systems have the most number of network applications at an average of seven per device – at least three of these are used for communications outside an organization.

Most other devices also include applications that communicate with other devices and servers within an organization's network.

Security risks vary from outdated software or operating systems to rogue applications, unpatched firmware, unprotected or weak passwords, obsolete applications, risky internet sites and user practice issues.

“Imaging systems have the most security issues. They account for 51% of all security issues across tens of thousands devices included in this study. Several characteristics of imaging systems attribute to it being the most risky device in an organization's inventory.

“The distributed nature of imaging systems with devices, servers and various nodes interconnected, also contributes to many security issues. As noted earlier, imaging systems also house the most number of network applications per device.

Virtual LANs (VLANs) are common ways of identifying and locating devices on the network as part of a micro-segmentation strategy to limit lateral infection.

88% of hospitals in this case have fewer than 20 VLANs containing medical devices – Zingbox says this is far too few VLANs to support any micro-segmentation strategy.

Only 2% of organizations have more than 100% VLANs – a clue that there may be over-segmentation in some networks.

“Note the void between these two extremes. We expect more and more organizations to fill in this area as they implement tools and processes to gain additional visibility into the device context and use it for onboarding.

VLANs may not even be used for protecting medical devices, the research states. PCs take up 43% of VLAN monitoring; followed by medical devices themselves (23%), printers, tracking systems, IP phones, network equipment, smartphones and tablets, and surveillance cameras.

“Such wide range of devices found in medical VLANs promote cross contamination and lateral movement of infections. The first course of action organizations should take is to remove PCs from their medical VLANs, followed by tablets, and then other non-medical IoT devices such as surveillance cameras and IP Phones.

“The non-medical IoT devices should be moved to other non-medical VLANs. Of course, in order to implement these changes, organizations must first gain visibility into their VLANs and be able to accurately identify devices.

The report recommends three strategies for managing connected medical devices:

Real-time visibility into device deployment and inventory – Most healthcare providers lack the visibility into the devices deployed in their network and the network topology themselves. The first step to formulating an effective strategy is to base it on an accurate inventory of devices and network configurations.

Control rogue application and communications – Inappropriate or unauthorized use of applications account for a large portion of security issues identified across connected medical devices. Applying contextual enforcement policies based on the individual device types can greatly reduce the exposure to rogue applications and lateral movement of infection due to inappropriate use.

Develop strategies for top vulnerabilities and risks – No two healthcare organizations are alike. Hence, every organization should assess their deployment and identify their biggest vulnerabilities and risks. They should then prioritize their action plans starting with their biggest exposure.