Guarding the Frontier of Health: IoT, Cybersecurity, and Safeguarding Patient Care


The UK’s health and care sector continues to battle a rising wave of cybersecurity threats. While the sector is now much better protected from attacks than it was at the time of the WannaCry cyberattack in 2017, the NHS details of more than a million patients were compromised in a cyberattack in June 2023.

The average cost of a data breach surpassed $10 million in 2022, but the cost of a widespread cyber-physical attack on the healthcare industry has yet to be determined. Amid international cyber conflict and a broad spectrum of threat actors, the UK government is beginning to shine new light on a growing problem.

According to research, between 2022 and 2023, the global healthcare sector saw over 11 million ransomware attempts and over 271 million intrusion attacks. Despite the rise of ransomware, many stakeholders across the industry remain in the dark when it comes to understanding the cyber-physical risks associated with operational medical technology, the internet of medical things (IoMT), and digital components of operations and facilities management.

Medical care has digitised, from business records to patient data, scheduling, treatment, prescriptions, payments, facilities and more. One theme cuts across the cybersecurity threat landscape of medical technologies, devices, care providers, hospitals, and public health facilities: confusion.

Often introduced without alignment to security policy, the push to roll many connected endpoints into a “single pane of glass” produces technologies that are easy to deploy but difficult to secure. Responsibility for understanding and mitigating cybersecurity risk in health and care settings is hard to pin down and often depends on who you ask, especially when it comes to non-enterprise systems and devices.

IoMT devices represent a two-way mirror: a window through which attackers target med-tech and healthcare networks and activities. Hardcoded passwords and credentials are targeted, manufacturers’ user interfaces are hijacked, change management processes are circumvented, and widespread vulnerabilities continue to affect thousands of devices around the world.

Operational medical technology, IoMT technologies, and facility systems encompass a wide range of machines and configurations, including diagnostic and patient-monitoring machines such as anesthesia machines and bedside monitors, medical imaging equipment, insulin pumps, fluid pumps, ventilators, and a growing list of sensors, cameras, wearable devices, and analytics that enable or report the status of equipment, processes, and operations.

Cybersecurity concerns for health and care are multifaceted, including vulnerable technologies designed without security in mind, internet-connected devices used directly in patient care, and smart buildings and automated facilities technology.

Legacy Medical Technology

Legacy technologies in healthcare are ubiquitous, expensive to replace, and susceptible to well-known cyberattack tactics and a growing list of publicly disclosed common vulnerabilities and exposures (CVEs). Many run on outdated software such as Windows XP and Windows 7 and have limited mechanisms for applying critical patches and updates across widely distributed and unmanaged deployments. Resources and manpower limit the ability to track, secure, and continuously fortify every component of legacy medical technology in use today.

At a high level, manufacturers are responsible for product security, lifecycle maintenance, vulnerability disclosure, and creating and disseminating available patches and upgrades to continually secure devices and technologies they produce.

End users, in turn, are responsible for tracking and addressing discovered vulnerabilities, enabling security features, securing data in transit and at rest, and deploying solutions to monitor the technologies and networks operating in their organisation. At the same time, the majority of teams and locations are not prepared to return to manual operations for any extended period of time.

Internet of Medical Things (IoMT)

According to the Department of Health and Social Care, The UK’s Medicines and Healthcare products Regulatory Agency (MHRA) is responsible for ensuring the quality and safety of approximately 600,000 medical devices.

These devices, often capable of internet connection, have risks associated with unauthorised access, hijacking login interfaces to bypass password authentication, distributed denial of service (DDoS) attacks, and limited protections for sensitive patient information.

The primary attack surface for IoMT devices is default credentials over SSH. When a system is targeted, the attacker, typically another infected IoT device, will attempt an average of forty passwords for a handful of usernames. Other common attack surfaces on these devices include UPnP, HTTPS, and the underlying Java packages and various source code modifications.

These systems and their variants tend to remain unpatched long after a patch has been released, because most IoT devices are headless (no user interface) and are not set up for automated updates unless the user agrees to a risk-based statement within the end-user licence agreement.
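The SSH credential-guessing pattern described above (a burst of failed logins against a handful of default account names from a single source) is visible in ordinary OpenSSH auth logs, and a headless device that cannot patch itself can at least be watched. The following detection logic is an added example, not code from the article or from Nozomi Networks; the log lines, the hostname, the addresses and the list of default account names are all constructed for illustration. It flags any source that exceeds a failure burst or a distinct-username threshold, and escalates when an accepted login follows the burst from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines for a hypothetical IoMT gateway; not real data.
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 infusion-gw sshd[812]: Failed password for root from 10.20.7.55 port 40122 ssh2
Jun 12 03:14:02 infusion-gw sshd[812]: Failed password for root from 10.20.7.55 port 40123 ssh2
Jun 12 03:14:02 infusion-gw sshd[812]: Failed password for invalid user admin from 10.20.7.55 port 40124 ssh2
Jun 12 03:14:03 infusion-gw sshd[812]: Failed password for invalid user support from 10.20.7.55 port 40125 ssh2
Jun 12 03:14:04 infusion-gw sshd[812]: Failed password for root from 10.20.7.55 port 40126 ssh2
Jun 12 03:14:05 infusion-gw sshd[812]: Failed password for invalid user user from 10.20.7.55 port 40127 ssh2
Jun 12 03:14:06 infusion-gw sshd[812]: Accepted password for root from 10.20.7.55 port 40128 ssh2
Jun 12 03:20:10 infusion-gw sshd[901]: Failed password for nurse1 from 10.20.3.14 port 50001 ssh2
Jun 12 03:20:40 infusion-gw sshd[901]: Accepted password for nurse1 from 10.20.3.14 port 50002 ssh2
"""

# Matches the "Failed/Accepted password" lines OpenSSH writes; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Account names commonly shipped as factory defaults on embedded devices (assumed list).
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest", "service"}


def parse_line(line, year=2023):
    """Return an event dict for an auth line, or None for lines this parser does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def max_failures_in_window(fails, window):
    """Largest number of failures (already sorted by time) inside any sliding window."""
    best, start = 0, 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_credential_guessing(log_text, window=timedelta(minutes=5),
                               fail_threshold=5, user_threshold=3):
    """Group auth events by source and report sources that look like credential guessing."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        if not fails:
            continue
        users = {e["user"] for e in fails}
        burst = max_failures_in_window(fails, window)
        if burst < fail_threshold and len(users) < user_threshold:
            continue  # a mistyped password or two, not a guessing campaign
        # An accepted login after the first failure from the same source is the
        # signal that a guessed (likely default) credential actually worked.
        first_fail = fails[0]["ts"]
        accepted = sorted({e["user"] for e in evs
                           if e["result"] == "Accepted" and e["ts"] > first_fail})
        findings.append({
            "src": src,
            "failures": len(fails),
            "peak_in_window": burst,
            "usernames": sorted(users),
            "default_accounts_tried": sorted(users & DEFAULT_ACCOUNTS),
            "accepted_after_failures": accepted,
            "severity": "critical" if accepted else "high",
        })
    return findings


if __name__ == "__main__":
    for f in detect_credential_guessing(SAMPLE_AUTH_LOG):
        print(f)
```

Run as a script it prints one finding: the source that tried four default account names in a few seconds and then logged in as root is reported as critical, while the clinician who mistyped a password once and then succeeded is not reported at all. The thresholds are deliberately low for an IoMT segment, where a handful of failures against `root` or `admin` is already unusual; on a general-purpose server they would be tuned higher.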

Smart, Connected Facilities

Medical and health operations and facilities continue to digitise components of non-IT control systems: fire alarm and suppression, electrical and lighting systems, metering systems, vehicle charging stations, and key access controls. When controls are centralised, organisations often deploy building automation solutions (BAS) to connect and automate control of these diverse functions. Security flaws in BAS can be targeted to gain access to credentials, networks and VPNs, and sensitive data.

In a recent smart building engagement, Nozomi Networks found 361 insecure protocols in use, 259 open device vulnerabilities, and 37 cleartext (unencrypted) passwords in use. By taking control of one or many devices, threat actors can coordinate more widespread attacks, depending on the degree of connectivity between systems.

Cybersecurity for operations and facilities is arguably most important in the hospital care setting where critical populations gather, and the safe movement of resources, equipment, and personnel is essential. Remote and privatised operations may struggle to find and retain cybersecurity resources.

Major companies and providers struggle to manage massive campuses, some the equivalent of small cities, serving millions of patients each year and employing tens of thousands of people. Circumventing building, utility, and security control systems can have major impacts on patient care and both patient and provider safety.

A Way Forward

Even if legacy med-tech, IoMT devices, and facilities technology are not the intended target of a cyber incident, cascading impacts could render them useless, resulting in delayed treatment and potential harm to both patients and providers. When enterprise IT systems fail, they are often isolated from the rest of the network. When operational systems fail, the impacts are physical: property damage and casualties.

This way of working often results in a gap between risk management frameworks and incident reporting; in the middle, security incidents continue to happen. This raises the question: do IT and facilities teams know what is connected to their communications networks, and the potential for exploitation of these legacy systems, IoMT devices, networks, and control systems?

Given the outsized reliance on technologies and the burden of manual operations, hospitals and health and care providers are reducing cybersecurity risks, ensuring compliance with quickly changing regulatory requirements, and working to gain visibility into connectivity, traffic and anomalies associated with their network behavior.

The widespread impact of the WannaCry ransomware attack six years ago prompted a significant leap forward in cybersecurity across the NHS, with major investment in new hardware and operating systems as well as security defences.

But there is always the danger of hackers attacking systems that could impact human health, including ventilators, dialysis, imaging, or even entire hospital and medical care networks. Sometimes, the attacks are on adjacent systems that indirectly impact the aforementioned systems, and sometimes the attackers are completely unaware of the downstream impact of their actions, which could cause damage or impact the availability of critical systems.

Therefore, healthcare organisations should implement an automated asset inventory management tool to simplify the process, invest in strong identity and access management and network segmentation, and provide security awareness training for employees.
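The question posed above (does anyone know what is connected?) and the closing recommendation for an automated asset inventory come together in one routine check: reconcile what the inventory says should exist against what the network actually shows. The following is an added example, not code from the article or from Nozomi Networks; the approved inventory, the passively discovered device list, the VLAN scheme, the end-of-life OS list and the cleartext-service list are all constructed for illustration. It reports devices absent from the inventory, inventoried devices running end-of-life operating systems such as Windows XP or Windows 7, clinical or facilities devices observed outside their expected network segment, and devices exposing cleartext management services, which is where the unencrypted passwords noted in the smart-building section tend to travel.

```python
# Constructed approved inventory, as an asset-management system might export it.
APPROVED = [
    {"mac": "00:1a:2b:00:00:01", "name": "anesthesia-ws-3", "device_class": "clinical",
     "os": "Windows 7", "owner": "theatres"},
    {"mac": "00:1a:2b:00:00:02", "name": "bedside-mon-12", "device_class": "clinical",
     "os": "embedded-linux", "owner": "ward 4"},
    {"mac": "00:1a:2b:00:00:03", "name": "hvac-bas-ctl", "device_class": "facilities",
     "os": "embedded-rtos", "owner": "estates"},
    {"mac": "00:1a:2b:00:00:04", "name": "nurse-pc-07", "device_class": "enterprise",
     "os": "Windows 10", "owner": "IT"},
]

# Constructed passive-discovery output: what a network monitor actually observed.
DISCOVERED = [
    {"mac": "00:1a:2b:00:00:01", "ip": "10.30.0.11", "vlan": 30, "services": ["smb/445", "rdp/3389"]},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.30.0.12", "vlan": 30, "services": ["telnet/23", "http/80"]},
    {"mac": "00:1a:2b:00:00:03", "ip": "10.10.0.40", "vlan": 10, "services": ["bacnet/47808", "http/80"]},
    {"mac": "00:1a:2b:00:00:04", "ip": "10.10.0.7",  "vlan": 10, "services": ["https/443"]},
    {"mac": "00:1a:2b:00:00:99", "ip": "10.30.0.77", "vlan": 30, "services": ["ssh/22", "upnp/1900"]},
]

# Assumed policy: which VLANs each device class may live on (segmentation design).
EXPECTED_VLANS = {"clinical": {30}, "facilities": {40}, "enterprise": {10}}
# Assumed list of end-of-life operating systems that no longer receive vendor patches.
LEGACY_OS = {"windows xp", "windows 7", "windows server 2008"}
# Management services that carry credentials unencrypted.
CLEARTEXT_MGMT = {"telnet/23", "http/80", "ftp/21"}


def finding(severity, asset, issue, ip=None):
    return {"severity": severity, "asset": asset, "issue": issue, "ip": ip}


def reconcile(approved, discovered):
    """Compare observed devices with the approved inventory and return a list of findings."""
    by_mac = {a["mac"]: a for a in approved}
    seen = set()
    findings = []
    for d in discovered:
        seen.add(d["mac"])
        a = by_mac.get(d["mac"])
        if a is None:
            # Nobody owns this device; it cannot be patched or risk-assessed until it is identified.
            findings.append(finding("high", d["mac"], "device observed but not in inventory", d["ip"]))
            continue
        if a["os"].lower() in LEGACY_OS:
            findings.append(finding("high", a["name"], f"end-of-life OS: {a['os']}", d["ip"]))
        if d["vlan"] not in EXPECTED_VLANS[a["device_class"]]:
            findings.append(finding("high", a["name"],
                                    f"{a['device_class']} device on VLAN {d['vlan']} (segmentation violation)",
                                    d["ip"]))
        cleartext = sorted(set(d["services"]) & CLEARTEXT_MGMT)
        if cleartext:
            findings.append(finding("medium", a["name"],
                                    "cleartext management service(s): " + ", ".join(cleartext), d["ip"]))
    for mac, a in by_mac.items():
        if mac not in seen:
            # Stale inventory entries hide the real picture just as unknown devices do.
            findings.append(finding("low", a["name"], "in inventory but not observed on network"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def summarize(findings):
    """Count findings per severity, for a dashboard or a ticket title."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(APPROVED, DISCOVERED)
    print(summarize(results))
    for r in results:
        print(f"[{r['severity']}] {r['asset']} ({r['ip']}): {r['issue']}")
```

Against the constructed data this produces three high findings (an unknown device on the clinical VLAN, the Windows 7 anesthesia workstation, and the HVAC controller sitting on the enterprise VLAN instead of the facilities one) and two medium findings for Telnet and HTTP management on clinical and facilities devices. In practice the two input lists would come from the asset-management system and the passive monitoring tool respectively, and the check would run on a schedule so that a new or moved device is noticed before an incident makes it noticeable.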

By Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks.