Medical Device Security @HIMSS 2019

Armis will be attending the Healthcare Information and Management Systems Society (HIMSS) conference in February 2019. This has become the bellwether conference for people concerned about security in healthcare environments. Armis will be speaking at the conference, discussing the challenges of protecting medical devices and medical IoT, as well as some of our recent findings. So I thought I would write a few thoughts before the show.
Looking back at 2018, it’s obvious that things have continued to get worse from a security perspective. If you need proof:

• According to Health IT Security News, 8.7 million records were breached in the first three quarters of 2018. This is well over the total number of records which were breached in all of 2017 (5.6 million).
• Radware reported that the average healthcare organization spent $1.4 million to recover from serious cyber attacks.
• Ransomware attacks grew three-fold last year, with healthcare organizations bearing the brunt of the attacks.
• McAfee Labs reported vulnerabilities in the RWHAT protocol which is used by many different vendors’ connected medical devices including EKG machines and vital signs monitors.
• ICS-CERT reported that a vulnerability in Phillips PageWriter Cardiograph devices would remain for several months before Phillips could issue a fix.
• The Department of Health and Human Services issued an alert that cyber attackers are increasingly using Trojans such as Emotet and Trickbot to attack healthcare delivery organizations because, unlike ransomware, the Trojans are better suited to harvest personal health data. Personal health data (PHI) can be even more valuable on the black market than a one-time ransom payment.

If you are looking for even more examples of how challenging it can be to secure medical devices, you can read my previous healthcare-related blog post in July 2018.

All this caused the good folks at the ECRI Institute (they are the people who invented the crash cart) to conclude last month that cybersecurity is the most significant threat to healthcare operations in 2019 – more significant than surgical complications, infections, and other traditional concerns.

Why is the healthcare industry suffering so greatly? Armis has a unique vantage point in that we are able to see all devices – medical and more – among all of our customers and compare one industry to another. We see that the percentage of unmanageable devices in healthcare environments is higher than any other industry. This means the attack surface is greater, so it is easier for attackers to break into healthcare networks. At the same time, statistics from the FBI and other sources show that the motivation to attack healthcare delivery organizations is higher than for other industries: the value of a breached healthcare record on the black market is higher than literally any other type of record.

The key thing to understand is the situation is likely to get worse before it gets better. Deloitte reports that the Internet of Medical Things market is growing at 31% per year. And Ponemon Institute reported that 67% of medical device manufacturers say an attack on their medical devices is likely, but just 17% of those companies are taking significant steps to thwart cyber attacks.

This level of insecurity is astounding. You would not expect this behavior from vendors such as Microsoft, Apple, Google, etc. But somehow, this behavior is tolerated from biomedical device vendors.

As I stated in my prior blog post, traditional security products are not designed to defend against the Internet of Medical Things threats, so I won’t repeat that here. But I would like to give you some examples of things that Armis has recently seen in healthcare environments.

• Infected biomedical devices such as CT machines, ultrasound machines, and nuclear imaging machines sending large amounts of data to external domains and IP addresses.
• Passwords and sensitive DICOM information were transmitted by X-ray machines and other biomedical devices unencrypted over the Internet.
• Biomedical devices communicating with command and control (C&C) sites in Russia
• Biomedical devices infected with WannaCry were trying to spread their infection across the network
• Improperly segmented networks allowing computers within the hospital to communicate with, and be remotely scanned by, devices on the Internet
• Infusion pumps compromised by malware while connected to patients
• Crash carts being used to access Facebook as well as  phishing websites

If you are going to the HIMSS conference, stop by and see us at Booth number #400-39. We’ll explain to you how we found these things. More importantly, we’ll show you how you can passively and continuously track all your medical devices for real-time threat assessment and mitigation. This will let you take advantage of new medical devices and medical IoT safely, and avoid a disastrous cyber attack on your organization.

And please — come listen to Armis’ presentation on Wednesday, February 13, at 12:15 PM in the Cyber Security Theater on the HIMSS expo floor.

I hope to see you at HIMSS!