Connected medical devices that make up the Internet of Medical Things (IoMT) are improving patient care and operational efficiency. But even as such devices help save lives, they also introduce new security risks. In fact, healthcare is the most targeted sector for cybercrime — a reality underscored recently by a hospital’s discovery that an infusion pump was affected by the vulnerabilities known as URGENT/11. These vulnerabilities are more widespread than previously believed, affecting at least six additional real-time operating systems and putting millions of medical devices at risk, including the BD Alaris infusion pump (BD Alaris™ PC Unit). By enabling attackers to take over medical devices, the networks they operate on and other devices connected to those networks, URGENT/11 could disrupt critical medical devices that doctors and patients rely on, with potentially life-threatening consequences.
Infusion pumps play a critical role in hospitals, delivering fluids, medications, blood and other life-saving aids to patients. The severity of the problem is underscored by advisories the FDA and the Department of Homeland Security issued urging manufacturers to take action and ensure patient safety. But given that some, if not all, of these devices can’t easily be updated or patched, the right course of action isn’t particularly clear.
Healthcare is Ripe for IoMT Threats
Historically, healthcare has been a compelling target for bad actors thanks to a perfect storm of expanding devices, rising volumes and value of data and increased connectivity. Connected devices are growing exponentially in tandem with the collection of more and more sensitive patient data. These organizations deal with very private data that is valuable to hackers. The resale price for a healthcare record is 10 times the resale price of a stolen credit card number. This is because medical records contain more than personal information about a patient’s health; they contain information that can be used for identity theft. According to Reuters, hackers sell patient data on the black market, which buyers can use to create fake IDs to buy medical equipment or drugs that can be resold. They can also combine a patient number with a false provider number to file made-up claims with insurers.
Ransomware attacks on healthcare organizations are becoming all too common. Bad actors shut down access to mission-critical systems, devices and data, making it more likely that organizations will pay the ransom.
These attacks show a clear path of attackers moving from data theft to device and data manipulation. Today, we see access to devices and data being denied. But recent vulnerabilities and exploits show the opportunity to change device behavior and the associated patient medical information or readings. Imagine if an infusion pump stopped working altogether, or a blood pressure monitor or MRI produced misleading data. If healthcare organizations don’t take steps to reduce their risk, medical IoT attacks could threaten not only patient data but patient care directly.
We’re in the midst of a new age of IoMT healthcare, and the scale has never been bigger. Connected medical devices number in the hundreds of thousands and include everything from insulin pumps and glucose monitors to pacemakers and imaging devices. While these devices are reshaping how healthcare organizations provide patient care, they are often left vulnerable. In fact, healthcare had 164 threats detected per 1,000 host devices, on average, in Q1 of 2017 — more than the media, education and food and beverage industries.
What Makes Healthcare So Vulnerable?
This environment of high threat and high risk is even more fraught thanks to specific vulnerabilities of healthcare equipment. Many of the more sophisticated devices (for example, MRI scanners) are based on old, vulnerable operating systems including Windows 2000, Windows XP, and Windows 7. These devices function like black boxes, outside the reach of healthcare IT departments. There are no diagnostic cybersecurity tools that a hospital can use to identify malware on these devices, nor can these devices be patched using normal IT management systems. Such IoMT devices by design have limited storage and computing resources, which means they don’t easily — or simply cannot — accommodate a security agent. That means they can’t be directly monitored or controlled by traditional IT security products or processes. The devices frequently communicate over Wi-Fi, Bluetooth, Zigbee, Z-Wave and other radio frequency protocols that are beyond the scope of traditional network security management tools.
Less sophisticated devices (for example, heart rate monitors and infusion pumps) typically use an embedded operating system. Security fixes for these devices are even more complicated, because fixing a vulnerability requires updated firmware to be installed manually on each device.
How Healthcare Orgs Can Protect Devices and Patients
The first thing healthcare organizations need to do is identify all the devices — medical and otherwise — in use in their environment and on their networks. This will help them understand their risk exposure, identify affected devices and develop appropriate patching or mitigation programs. But they also need to track the behavior and interactions of those devices to ensure they are not acting improperly. Following the URGENT/11 announcements over the last few weeks, free tools such as the URGENT/11 Detector have been made available to help determine whether a device is using the IPnet TCP/IP stack, and whether it is vulnerable to URGENT/11. Although some connected devices simply cannot be updated, risk can be limited by segmenting networks so that network access to medical devices is restricted. While the world of connected medical devices is fraught, with proper monitoring and planning we can help ensure that the technology we use to protect our health remains in good hands.
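The inventory, behavior-tracking and segmentation steps above can be tied together in one check: given an inventory of medical devices, their network segments and the servers each is expected to talk to, flag flows from unknown devices, flows to unexpected peers and flows that leave the managed networks entirely. This is an added illustration, not code from the original article or from any vendor tool; the inventory, segment ranges and flow records are all constructed sample data.

```python
import ipaddress

# Constructed inventory: each known IoMT device, its segment and the only peers it should contact.
INVENTORY = {
    "10.20.1.15": {"name": "infusion-pump-07", "segment": "iomt-infusion", "allowed_peers": {"10.20.0.5"}},
    "10.20.2.40": {"name": "patient-monitor-12", "segment": "iomt-monitoring", "allowed_peers": {"10.20.0.6"}},
}

# Constructed segmentation plan: medical devices and clinical servers live in dedicated ranges.
SEGMENTS = {
    "iomt-infusion": ipaddress.ip_network("10.20.1.0/24"),
    "iomt-monitoring": ipaddress.ip_network("10.20.2.0/24"),
    "clinical-servers": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed flow records as (source, destination, destination port), e.g. from NetFlow or a network tap.
FLOWS = [
    ("10.20.1.15", "10.20.0.5", 443),    # pump to its pump server: expected
    ("10.20.1.15", "10.20.2.40", 445),   # pump to a patient monitor: crosses segments
    ("10.20.1.15", "203.0.113.9", 80),   # pump to an address outside the hospital: not allowed
    ("10.20.1.99", "10.20.0.5", 443),    # address in the infusion segment that is not in inventory
    ("10.20.2.40", "10.20.0.6", 443),    # monitor to its monitoring server: expected
]


def classify_flow(src: str, dst: str) -> str:
    """Label one flow against the inventory and segmentation plan."""
    device = INVENTORY.get(src)
    if device is None:
        return "unknown-device"          # inventory gap: an unmanaged device is on a medical segment
    if dst in device["allowed_peers"]:
        return "expected"
    dst_ip = ipaddress.ip_address(dst)
    for segment, network in SEGMENTS.items():
        if dst_ip in network:
            return f"unexpected-peer:{segment}"   # talking inside the hospital, but not to its server
    return "outside-managed-networks"    # leaving the segmented environment altogether


def find_violations(flows):
    """Return every flow that is not an expected device-to-server conversation."""
    return [(src, dst, port, classify_flow(src, dst))
            for src, dst, port in flows
            if classify_flow(src, dst) != "expected"]


if __name__ == "__main__":
    for violation in find_violations(FLOWS):
        print(violation)
```

Each non-expected label maps to one of the article's actions: `unknown-device` means the inventory is incomplete, `unexpected-peer` and `outside-managed-networks` mean the segmentation policy is not being enforced for that device.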