Jul 18, 2018
Healthcare IoT Threats Could Make Your Heart Skip a Beat
Armis Security
Updated: December 5, 2022
When our health is at risk, the last thing we want to think about is IoT cybersecurity. However, the truth of the matter is, healthcare IoT threats are a serious issue. Many of the devices doctors use to diagnose us and keep us healthy can be hacked — just like a computer. Whereas, unlike a computer, devices like MRI machines, IV pumps, and even pacemakers can’t be protected by traditional security tools.
The software on these devices is difficult and sometimes even impossible to upgrade. Without updates that fix bugs and patch vulnerabilities, these healthcare devices could become victims of a cyberattack. To make matters worse, it’s hard to monitor them since they can’t accommodate traditional software agents.
Cyberattacks and Security Breaches in Healthcare
There is a lot of evidence that shows the risks are real:
- The FDA approved a firmware patch for vulnerabilities affecting implantable cardioverter defibrillators that were used by over 350,000 patients.
- Hackers have compromised X-Ray, MRI and other medical machines
- A Russian company is selling zero day exploits to hack into health information management software
Medical Devices and Cybersecurity
Imagine being responsible for security at a facility where medical devices can be infected by ransomware, or left vulnerable to having medical information stolen. This is the situation at most hospitals, where MRI machines run old versions of Windows that are no longer supported by Microsoft.
Some manufacturers stipulate that their devices’ operating systems can’t be upgraded like regular IT equipment without voiding the manufacturer’s warranty. That makes these devices extremely vulnerable to an attack and can put patient care at risk too.
Some MRI machines run operating systems as old as Windows XP, which hasn’t been updated by Microsoft since April 2014. These versions of Windows have the EternalBlue vulnerability, the central exploit of a WannaCry attack.
It’s not uncommon for an MRI machine to be connected to the main hospital network, and typically the vendors of these machines require hospitals to open up ports to the public Internet for remote vendor support. Without the underlying operating system patches, these devices are sitting ducks.
Why Existing Security Products Can’t Help Defend Against Healthcare IoT Threats
Here are some of the limitations of traditional IT security solutions in protecting IoT devices in healthcare environments:
- Firewalls are designed to protect the enterprise perimeter. They keep unknown traffic and unauthorized users out. However, when they have a port opened up (as is often required by medical device manufacturers), they don’t work so well. Also, when an MRI machine is infected by WannaCry, the firewall typically can’t detect that event.
- NAC (network access control) is designed to authenticate enterprise computers and ensure that each type of device is placed on the correct network segment. When an NAC system detects a medical device and places it on its assigned network, its job is done. NAC doesn’t monitor traffic, and it certainly won’t detect anomalous behavior.
- IPS (intrusion prevention system) isn’t much help unless it has been installed on the correct network segment and has the appropriate signatures. Generally speaking, IPS is not going to help against attacks on medical devices.
- UEBA (user and entity behavior analytics) products are designed to ingest logs which are typically generated by agents and other security tools. These tools are only as good as the data they receive and often have a visibility gap with respect to unmanageable IoT devices. Most medical devices, like MRI machines, do not produce log files.
Learn how Armis can help your healthcare organization with medical device cybersecurity, threat detection, and response.
Related articles:
Get Updates!
Sign up to receive the latest news
