While the average cost of a data breach exceeded $9 million in 2021, the calculation for a large-scale cyber-physical attack on the healthcare industry remains undefined and unanticipated. In the midst of international cyber conflict and a spectrum of threat actors, the US government has begun to shed new light on a growing problem.
Despite the emergence of ransomware, many industry stakeholders remain in the dark when it comes to understanding the cyber-physical risks associated with operational medical technology, the Internet of Medical Things (IoMT), and the digital components of operations and facilities management.
From business records to patient data and diagnoses, scheduling, treatment, prescriptions, payments, utilities and more, medical care has been digitized. One theme cuts across the landscape of cyber threats to medical technologies, devices, hospitals, and public health facilities: confusion.
Often introduced without security policy alignment, the push to roll many connected endpoints into a “single pane of glass” results in a trade-off: technologies that are easy to deploy but difficult to secure. Much as in a house of mirrors, responsibility for understanding and mitigating cyber risks in healthcare is hard to make out, and often depends on who you ask, particularly when it comes to non-enterprise systems and devices.
The IoMT represents a two-way mirror that provides a window for targeting Med-tech and healthcare networks and activities. Strictly encrypted passwords and credentials are targeted, manufacturers' user interfaces are hijacked, change management processes are circumvented, and pervasive vulnerabilities continue to affect thousands of devices around the world.
Operational medical technology, IoMT technologies, and facility systems encompass a wide range of machines and configurations, including diagnostic and patient monitoring machines such as anesthesia machines, bed monitors, medical imaging equipment, insulin pumps, fluid pumps, and ventilators, as well as a growing list of sensors, cameras, wearables, and analytics that enable or report on the state of equipment, operations and processes.
Healthcare cybersecurity concerns are multifaceted, including vulnerable technologies designed without security in mind, internet-connected devices used directly in patient care, smart buildings and automated facility technology.
As the FDA notes, “Failure to maintain cybersecurity throughout the lifecycle of a medical device product can result in a breach of functionality, loss of medical or personal data, inadequate data integrity, or the spread of security threats to other connected devices or networks… resulting in harm to the patient such as illness, injury, or death as a result of delayed treatment or other effects on the availability and functionality of medical devices.”
Legacy medical technology
Legacy technologies in healthcare are ubiquitous, expensive to replace, and vulnerable to exploitation through well-known cyber attack tactics and a growing list of publicly disclosed Common Vulnerabilities and Exposures (CVEs). Many run on legacy software such as Windows XP and Windows 7 and have limited mechanisms for applying critical patches and updates across large-scale, distributed and unmanaged deployments. Limited resources and manpower constrain the ability to track, secure, and fortify every component of legacy medical technology in use today.
At a high level, manufacturers are responsible for product security, lifecycle maintenance, vulnerability detection, and the creation and deployment of patches and upgrades that keep the devices and technologies they produce consistently secure.
End users, meanwhile, are responsible for tracking and remediating discovered vulnerabilities, enabling security features, securing data in transit and at rest, and deploying solutions to monitor the technologies and networks operating in their organization. At the same time, the majority of teams and sites are unwilling to return to manual operations for any extended period of time.
Internet of Medical Things (IoMT)
According to the Food and Drug Administration, the United States regulates approximately 200,000 medical devices manufactured by more than 18,000 companies worldwide. Connected smart medical devices include both user interfaces (for patients and healthcare providers) and device-machine communications over a network connection.
These devices, which are often able to connect to the Internet, have risks associated with unauthorized access, hijacking of login interfaces to bypass password authentication, distributed denial-of-service (DDoS) attacks, and limited protection of sensitive patient information.
The primary attack surface for IoMT devices is default credentials via SSH. When a system is targeted, the attacker (an infected IoT device) will attempt an average of forty passwords for a handful of usernames. Other common attack surfaces for these devices include UPnP, HTTPS, their core Java packages, and various source code modifications.
These systems and variations tend to remain unpatched long after a patch is released, because most IoT devices are headless (without a user interface) and are not set up for automated updates without the user’s consent to risk-based statements in End-User License Agreements.
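The guessing pattern described above (many failed SSH logins from one source across only a handful of usernames) can be detected from OpenSSH authentication logs. The following is an added example, not code from the original article; the log lines are constructed, and the hostname `pump-gw`, the documentation-range IP addresses, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH auth-log format: "Failed password for [invalid user ]NAME from IP port N ssh2"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Assumed thresholds for "about forty guesses over a handful of usernames".
MIN_FAILURES = 20
MAX_USERNAMES = 5


def find_credential_guessing(lines):
    """Return {ip: finding} for sources with many failures over few usernames."""
    failures = defaultdict(list)   # ip -> usernames of failed attempts
    accepted = {}                  # ip -> first account accepted after failures
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append(user)
        elif ip in failures:
            accepted.setdefault(ip, user)
    findings = {}
    for ip, tried in failures.items():
        names = sorted(set(tried))
        if len(tried) >= MIN_FAILURES and len(names) <= MAX_USERNAMES:
            findings[ip] = {"failures": len(tried), "usernames": names,
                            "accepted_as": accepted.get(ip)}
    return findings


def sample_log():
    """Constructed sample: one guessing source and one ordinary mistyped login."""
    fmt = "Jan 10 03:{:02d}:{:02d} pump-gw sshd[812]: {} password for {} from {} port 40122 ssh2"
    lines = [fmt.format(0, i, "Failed", ("root", "admin")[i % 2], "203.0.113.7")
             for i in range(40)]
    lines.append(fmt.format(1, 0, "Accepted", "admin", "203.0.113.7"))
    lines.append(fmt.format(2, 0, "Failed", "invalid user nurse1", "192.0.2.10"))
    lines.append(fmt.format(2, 5, "Accepted", "nurse1", "192.0.2.10"))
    return lines


if __name__ == "__main__":
    for ip, finding in find_credential_guessing(sample_log()).items():
        print(ip, finding)
```

A non-empty `accepted_as` means a guess succeeded and the device should be treated as compromised until its credentials are changed. The sketch ignores time windows, so apply it to a bounded slice of the log.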
Connected smart facilities
Medical and health operations and facilities continue to digitize components of non-IT control systems: fire alarm and suppression, electrical and lighting systems, metering systems, vehicle charging stations, and key access controls. When controls are centralized, companies often deploy Building Automation Solutions (BAS) to connect and automate these diverse functions. BAS vulnerabilities can be targeted to gain access to credentials, networks, VPNs, and sensitive data.
In a recent smart building engagement, we found 361 insecure protocols in use, 259 open device vulnerabilities, and 37 plaintext (unencrypted) passwords in use.
After taking control of one or more devices, threat actors can coordinate more widespread attacks, depending on how widely those devices communicate.
The cybersecurity of operations and facilities is arguably most important in a hospital environment where critical residents congregate, and the safe movement of resources, equipment, and personnel is essential. Remote and privatized operations may struggle to find and retain cybersecurity resources.
Big companies and service providers struggle to run huge campuses, some equivalent to small towns, serving millions of patients each year and employing tens of thousands of people. Circumvention of building, facility and security control systems can have significant impacts on patient care, patient safety, and service providers. Given the prioritization by the US National Internet Administrator, early adopters of comprehensive security practices should chart the course.
Even if legacy Med-tech, IoMT devices, and utility technology are not the intended target of a cyber incident, the cascading effects could render them useless, resulting in treatment delays and potential harm to patients and providers. When enterprise IT systems fail, they are often cut off from the rest of the network. When operational systems fail, the effects can be property damage and injury.
This way of working often results in a split between risk management and incident reporting frameworks. In the gap between them, security incidents continue. This scenario raises the question: do the IT and utilities teams know what their communication networks are connected to, and the potential for exploitation of these legacy systems, IoT devices, networks, and control systems?
Given their heavy reliance on technology and the burden of manual processes, hospitals and healthcare providers are minimizing cybersecurity risks, ensuring compliance with rapidly changing regulatory requirements, and working to gain visibility into the connectivity, traffic, and anomalies associated with their network behavior.
Given the scale of potential risks, transparency is key. A cybersecurity solution designed specifically for Operational Technology and the Internet of Medical Things (IoMT) can:
- Capture and visualize a landscape of tens or hundreds of thousands of connected systems and endpoints
- Monitor and audit network traffic in real time, including non-IT systems
- Establish a baseline and ongoing understanding of the organization’s cybersecurity situation
- Provide actionable intelligence to address the most critical issues
- Restrict third-party access and alert on changes to network behaviors or variables
- Strengthen enterprise security policy without loopholes or shadow connections