Healthcare IoT Threats Could Make Your Heart Skip a Beat

When our health is at risk, the last thing we want to think about is IoT cybersecurity. But the truth of the matter is, healthcare IoT threats are a serious issue. Many of the devices doctors use to diagnose us and keep us healthy can be hacked — just like a computer. But unlike a computer, devices like MRI machines, IV pumps, and even pacemakers can’t be protected by traditional security tools.

The software on these devices is difficult and sometimes even impossible to upgrade. Without updates that fix bugs and patch vulnerabilities, these healthcare devices could become victims of a cyberattack. Making matters worse, it’s hard to monitor them because they can’t accommodate traditional software agents.

There is a lot of evidence that shows the risks are real:

• The FDA approved a firmware patch for vulnerabilities affecting implantable cardioverter defibrillators that were used by over 350,000 patients.
• Hackers have compromised X-Ray, MRI and other medical machines
• A Russian company is  selling zero day exploits to hack into health information management software

Imagine being responsible for security at a facility where medical devices can be infected by ransomware, or left vulnerable to having medical information stolen. This is the situation at most hospitals, where MRI machines run old versions of Windows that are no longer supported by Microsoft. And some manufacturers stipulate that their device’s operating systems can’t be upgraded like regular IT equipment without voiding the manufacturer’s warranty. That makes these devices extremely vulnerable to an attack, and can put patient care at risk too.

Some MRI machines run operating systems as old as Windows XP, which hasn’t been updated by Microsoft since April of 2014. These versions of windows have the EternalBlue vulnerability, the central exploit of a WannaCry attack. It’s not uncommon for an MRI machine to be connected to the main hospital network, and typically the vendors of these machines require hospitals to open up ports to the public Internet for remote vendor support. Without the underlying operating system patches, these devices are sitting ducks.

Existing security products can’t help defend against healthcare IoT threats because:

• Firewalls are designed to protect the enterprise perimeter. They keep unknown traffic and unauthorized users out, but when they have a port opened up (as is often required by medical device manufacturers), they don’t work so well. And when an MRI machine is infected by WannaCry, the firewall typically can’t detect that event.
• NAC (network access control) is designed to authenticate corporate-owned computers and ensure that each type of device is placed on the correct network segment. When a NAC system detects a medical device and places it on its assigned network, its job is done. NAC doesn’t monitor traffic, and it certainly won’t detect anomalous behavior.
• IPS (intrusion prevention system) isn’t much help unless it has been installed on the correct network segment and has the appropriate signatures. Generally speaking, IPS is not going to help against attacks on medical devices.
• UEBA (user and entity behavior analytics) products are designed to ingest logs which are typically generated by agents and other security tools. These tools are only as good as the data they receive and often have a visibility gap with respect to unmanageable IoT devices. Most medical devices, like an MRI machine, do not produce log files.

If you want to learn more about healthcare IoT threats and similar IoT exploits, check out the white paper “7 IoT Exploits in the Enterprise” which describes:

• Seven exploits and exposures identified by Armis
• How the traditional security solutions are not enough
• Key considerations to protect the Enterprise of Things