Updated: December 5, 2022
When our health is at risk, the last thing we want to think about is IoT cybersecurity. However, the truth of the matter is, healthcare IoT threats are a serious issue. Many of the devices doctors use to diagnose us and keep us healthy can be hacked â just like a computer. Whereas, unlike a computer, devices like MRI machines, IV pumps, and even pacemakers canât be protected by traditional security tools.
The software on these devices is difficult and sometimes even impossible to upgrade. Without updates that fix bugs and patch vulnerabilities, these healthcare devices could become victims of a cyberattack. To make matters worse, itâs hard to monitor them since they canât accommodate traditional software agents.
Cyberattacks and Security Breaches in Healthcare
There is a lot of evidence that shows the risks are real:
- The FDA approved a firmware patch for vulnerabilities affecting implantable cardioverter defibrillators that were used by over 350,000 patients.
- Hackers have compromised X-Ray, MRI and other medical machines
- A Russian company is  selling zero day exploits to hack into health information management software
Medical Devices and Cybersecurity
Imagine being responsible for security at a facility where medical devices can be infected by ransomware, or left vulnerable to having medical information stolen. This is the situation at most hospitals, where MRI machines run old versions of Windows that are no longer supported by Microsoft.
Some manufacturers stipulate that their devicesâ operating systems canât be upgraded like regular IT equipment without voiding the manufacturerâs warranty. That makes these devices extremely vulnerable to an attack and can put patient care at risk too.
Some MRI machines run operating systems as old as Windows XP, which hasnât been updated by Microsoft since April 2014. These versions of Windows have the EternalBlue vulnerability, the central exploit of a WannaCry attack.
Itâs not uncommon for an MRI machine to be connected to the main hospital network, and typically the vendors of these machines require hospitals to open up ports to the public Internet for remote vendor support. Without the underlying operating system patches, these devices are sitting ducks.
Why Existing Security Products Canât Help Defend Against Healthcare IoT Threats
Here are some of the limitations of traditional IT security solutions in protecting IoT devices in healthcare environments:
- Firewalls are designed to protect the enterprise perimeter. They keep unknown traffic and unauthorized users out. However, when they have a port opened up (as is often required by medical device manufacturers), they donât work so well. Also, when an MRI machine is infected by WannaCry, the firewall typically canât detect that event.
- NAC (network access control) is designed to authenticate enterprise computers and ensure that each type of device is placed on the correct network segment. When an NAC system detects a medical device and places it on its assigned network, its job is done. NAC doesnât monitor traffic, and it certainly wonât detect anomalous behavior.
- IPS (intrusion prevention system)Â isnât much help unless it has been installed on the correct network segment and has the appropriate signatures. Generally speaking, IPS is not going to help against attacks on medical devices.
- UEBA (user and entity behavior analytics)Â products are designed to ingest logs which are typically generated by agents and other security tools. These tools are only as good as the data they receive and often have a visibility gap with respect to unmanageable IoT devices. Most medical devices, like MRI machines, do not produce log files.
Learn how Armis can help your healthcare organization with medical device cybersecurity, threat detection, and response.
Related articles:
Choosing and Using Healthcare IT Metrics and KPIs for Medical Device Security
Share this Article
Get Updates
Sign up to receive the latest from Armis.