From an economic crisis to staff shortages, lingering demands tied to Covid, and limited public funding, the healthcare sector has been hit with a variety of relentless, complex challenges. To make things worse, the sector is now facing an ongoing barrage of cyberattacks, which can not only result in financial loss but also impact patient care and safety.
Last year, there was a 45% increase in cyberattacks specifically targeting healthcare organisations, and the average cost of a healthcare breach climbed by more than 40%. These numbers are expected to rise further in 2023, as healthcare is predicted to be one of the industries most vulnerable to cyberattacks. But what’s driving this mounting threat?
Like most other industries, the healthcare sector has expanded its digital landscape exponentially in recent years. With the proliferation of Internet of Medical Things (IoMT) devices such as remote patient monitoring systems, point-of-care devices, wearable trackers, patient monitoring sensors, and appointment management kiosks, healthcare networks are continuously being accessed by smart third-party devices.
As IoMT connectivity increases, it will be imperative that security teams have a complete inventory of networked devices. Connectivity increases the attack surface available to attackers, and newly discovered vulnerabilities may be an entry point to the network.
More concerning still, such medical systems and equipment are often digitally connected to each other for better communication and data sharing. A potential disruption or breach can lead to extended downtime in healthcare services, which not only has financial implications, but also degrades patient care.
For example, last year a ransomware attack on MedStar Washington Hospital caused the facility to shut down: the attack took the patient scheduling and appointment system offline, and none of the employees could communicate with the patients or access their medical records. Similarly, the André-Mignot teaching hospital in Paris had to shut down because its communication and IT systems were affected by a ransomware attack. Consequently, the hospital had to transfer all of its patients to other facilities. As Dr. Christian Dameff, medical director for cybersecurity at the University of California, San Diego, put it, “we are at a point where bits and bytes are meeting flesh and blood.”
Understanding common vulnerabilities in IoMT medical devices
IoMT devices may be in place for decades, and often the operating systems they run on no longer receive feature or security updates from the vendor. For instance, a large number of NHS GPs in the UK are still using a decade-old version of the Windows OS, which no longer receives security updates from Microsoft. This is an opportunity for attackers to exploit unpatched vulnerabilities in these legacy systems and access healthcare networks, put patient data at risk, or limit a physician’s ability to evaluate and treat illness.
There’s also concern that many healthcare institutions still use legacy and outdated medical devices. Such devices do not have the functional capabilities to support the latest software updates or security features, which creates potential vulnerabilities for threat actors to exploit.
Furthermore, IoMT devices often aren’t developed with proactive security in mind. Many medical devices may be poorly configured, leaving them vulnerable to external access. Weak or easily guessable default passwords may also be in place, and security features that are commonly found in more traditional IT devices, such as encryption or two-factor authentication, may be lacking.
These vulnerability factors are compounded by a lack of regulation requiring testing of medical devices. Although the MHRA is responsible for conducting conformity assessments of medical devices, these assessments are mostly focused on operational feasibility rather than cybersecurity exposure. Therefore, manufacturers of medical devices might not be properly testing devices for vulnerabilities in the way current standards demand.
How to effectively secure IoMT devices
Securing IoMT devices requires a combination of effective cybersecurity practices and strategies. As IoMT networks extend beyond their conventional network endpoint, it’s imperative to implement proactive practices that can manage the emerging threats and risks from these extended networks.
The following are the key strategies that every healthcare organisation must establish in order to secure their network and mitigate the risks of a potential breach.
Basic cyber hygiene
Basic cyber hygiene is the first step toward securing IoMT devices. It’s imperative that critical systems and devices are not only password protected but also have a layer of multi-factor authentication and strict password policies. Encryption should be applied to all stored and transmitted data across networks.
Regularly update and patch devices
Moreover, regularly updating and patching devices is critical to ensuring that known security vulnerabilities are addressed. Many manufacturers issue security updates, which should be applied as soon as they are available. For hospitals, however, that may be easier said than done, as healthcare delivery organisations (HDOs) are resistant to the downtime that patching hundreds and possibly thousands of medical devices requires.
Frequent security assessments
Furthermore, regular security assessments are critical to identifying vulnerabilities in IoMT medical devices and networks. This can include vulnerability scanning, penetration testing, and security audits. By regularly assessing the security of their devices and networks, healthcare organisations can identify and address vulnerabilities before attackers can exploit them.
Engaging employee training programmes
Lastly, organisations should develop more interactive and engaging employee training programmes. Simply equipping employees with security guidelines is not enough. Healthcare organisations should develop scenario-driven simulations to ensure their workforce is well-versed in effective threat response.
As the healthcare industry continues to adopt IoMT devices, it is essential that these devices are properly secured to protect patient information. Implementing the guidelines discussed above can go a long way in keeping the healthcare sector and its patients secure.
Adopting a strong security culture and staying on top of the latest vulnerabilities are also important steps to securing IoMT medical devices. With the right security practices in place, the healthcare industry can continue to benefit from the many advantages offered by connected IoMT devices while keeping patient information, and indeed patient lives, safe from threat actors.
By Sharon Brizinov, Director of Security Research at Claroty