Since IoT and IT has come at a convergence point, many industries and sectors are being affected in both the good and the bad ways. Similarly, the health sector is wide open to a large array of risks and vulnerabilities. The rapid transition of IT has lead to new and advanced attacks on the health sector.
The report announced insights from 75 different healthcare deployments with over 10,000 VLANs and 1.5 million devices contained within the Forescout cloud with a focus on the 1,500 medical VLANs on more than 430,000 devices it depicted how online anonymity has been the
Healthcare OT Increases Attack Surface
Forescout technologies found that the most common devices on the medical networks are still computing devices (53%) which are then followed by (39%) this includes all VOIP phones, tablets, Smart TVs and network printers.
The OT systems which include the medical devices like critical care systems, facilitation, utilities building automation physical security comprises up of 8% of the devices on medical networks. The three most connected medical devices within the OT category are;
1. Patient Tracking (38%)
2. Infusion Pump (32%)
3. Patient Monitors (12%)
Consider the growing number of the vulnerabilities we can see an evident change in the attack surface in the healthcare sector.
Healthcare Organizations are Clueless about Potential Risks
The report highlights that 71% of the windows devices within the medical sector are running Windows 7, Windows 2008, or Windows Mobile. These windows software have their expiry set on January 14, 2020, which itself is pointing towards windows dominance. Running non-protected operating systems will pose a threat to the entire operating system and may expose further vulnerabilities, which will eventually impact regulatory compliance.
Diversity of Operating Systems Creates Headaches
The diversity of the operating systems, which is present on the medical domain adds up the complexity and increases the challenges of security and privacy. As per the research, 40% of the healthcare deployments had more than 20 different operating systems. More than 30% of the healthcare deployments had 100 vendors on their network. This patching on healthcare, especially the acute care facilities, can be challenging and requires the
devices to stay online. Some devices cannot be patched, and they require vendor’s approval or manual installation by remote maintenance personnel.
Weak Protocol Leave Doors Opened
85% of the devices on medical networks run Windows OS and had Server Block Messaging (SMB) protocol. The SMB protocol allows uncontrolled access to attackers and gives them the liberty to move across the perimeter and move laterally. Device manufacturers are often found leaving the network ports opened by default – often unbeknownst to security staff and IT professionals.
The healthcare industry heavily relies on technology which uses the internet, which makes them digitally connected yet exposed to millions of risks online. Beau Woods a cybersecurity specialist and advocate in the Atlantic Council was once quoted saying; “If the systems are disrupted over the internet, then there is an adversary accident that can lay the deep impact on patient care.”
WannaCry is a popular malware which has targeted thousands of hospitals and pieces of diagnostics. The malware has affected nearly 20,000 patient’s appointments. The attack targeted and exposed vulnerabilities in the Windows operating system where the data is not encrypted or open to read for everyone. Anonymous software is a dire need of time and many experts are compelling people to adopt safe practices while surfing online.
While WannaCry was eventually stymied, Woods argues that health care institutions will continue to make operating systems vulnerable and will result in attacks of greater magnitude.
Caring for Patients Care in the Online World
In November last year (2018), the computer systems in the East Ohio Regional Hospital suddenly stopped working. They were hit by malware, which forced hospital patients to shift their patients from the emergency room. The staff said they had trouble accessing the bedside while conducting an ultrasound and said they had limited access to the CT scan system. “It was a difficult time at the hospital,” says Nick Aulick, the medical director in the emergency room. He further adds while looking back at the situation that “When we were down we didn’t lose hope and that is the reason why the situation didn’t become worse, I think we handled it pretty well.”Cybersecurity is complex and is often misunderstood by doctors or hospital staff. This creates tension between cybersecurity and hospital authorities. It is key for clinicians to understand the importance of cybersecurity since they are in direct contact with the patients.
The point Woods made is somewhat justified, and since the hospital infrastructure is unprepared of such attacks, the damage tends to increase. Woods says that “We must be ready on the fly to counter and give a response to such attacks.” He further adds, ‘Life is still at risk, and there is a lot that needs to be done, that too at a fast pace.” We must push the limits and educate hospital staff about the criticality of the matter. This doesn’t mean we want to turn clinical into hackers, but basic knowledge is a must.