How Medical Device Vendors Hold Healthcare Security for Ransom

While being pummeled by ransomware attacks, healthcare centers also face growing IoT-related threats. Here's how they manage security amid a complex set of risks.

(Image by leowolfert, via Adobe Stock)

Four hundred ninety-one ransomware attacks hit US healthcare organizations in the first three quarters of 2019 alone, according to a recent report by Emsisoft. Cyberattacks on healthcare are reportedly already 60% higher than 2018 figures. The US Food and Drug Administration (FDA) has just issued warnings about an urgent remote code execution vulnerability affecting millions more medical devices than initially thought.

And yet IT security teams at hospitals and healthcare centers are hampered in their efforts to defend against these threats, in part by vendors that fail to take security seriously.

Thomas August, CISO at John Muir Health, a healthcare system comprising two acute care hospitals, a behavioral health center, and community health practices throughout the east San Francisco Bay area, has seen his peers wrestle with ransomware attacks. He has his own ideas on why organizations in his industry are such popular targets.

August points out that the devices on his networks are split between traditional IT systems in the billing and records functions, and advanced Internet of Things (IoT) devices in the healthcare delivery areas. Many of those IoT devices are built on software and operating systems that are archaic and unpatched (think Windows 95).

And then the news gets bad.

Many of the medical devices attached to the hospital network are managed, under contract, by the vendor.

"In the case of medical devices specifically, the vendors have historically not done a very good job of owning their end of the bargain," August says. "They don't allow health systems to patch. They don't allow health systems to put anti-malware on them. They don't allow health systems to change admin credentials. There's a lot of things they don't allow the health systems to do, and if we try to do it it breaks the warranty."

So these are the choices August faces: leave a radiology scanner exposed to known vulnerabilities, or install antivirus on it knowing that if the AV causes the scanner to malfunction, the manufacturer will refuse to cover repairs and the hospital will likely have to replace a million-dollar device. The usual endpoint monitoring tools that work on other systems, such as the agents that feed a SIEM, also don't run on these embedded systems.

As he talks about the impact of the situation, August doesn't mince words. "In a lot of regards, the systems that we have are subject to the vendors really owning their responsibility here, and there's nothing we can do about it," he says. "It's very, very, frustrating."

But frustration doesn't equate to inaction for August and other healthcare CISOs.

"For the most part, we segment them off and just keep them in their own private Idaho because there's very little else we can do," August says. "If I can't keep certain devices from accessing the Internet by putting filters up, I can segment them in such a way that they have no way to get to the Internet, period."

When faced with a variety of different devices with varying levels of built-in security capabilities and update status, not to mention management responsibility and ownership, proper segmentation is key to overall network health, August suggests.

But while unpatched IoT devices may be a key source of frustration, the primary vectors for ransomware infection, and the reasons healthcare is targeted in the first place, lie elsewhere.

Electronic medical records (EMR) are mandated by regulation, and if access to them is lost, patient lives are at risk. That is the variable that weighs most heavily in the calculus ransomware criminals use when choosing their victims.

Several factors may contribute to the popularity of healthcare organizations as a ransomware target. The first, as noted above, is the critical nature of the data held hostage. A second could be that the smaller healthcare organizations so often hit tend to have relatively small IT staffs, a trait they share with the small municipalities hit in a wave of ransomware attacks earlier this year.

The third significant factor is that the software used to create and manage EMR is rather homogeneous in the US. A single vendor, Epic, has more than half the market share (58%) in hospitals with more than 500 beds, and two vendors, Epic and Cerner, together hold 54% of the total EMR market.

August points out that the primary infection vectors for ransomware, as with almost all malware, are email clients and Web browsers. For those infection points, August says the traditional combination of user education and endpoint anti-malware systems is important.

Beyond the basics, though, August says IT security teams should become more aggressive in their use of advanced techniques to improve visibility into the activity on and around the network.

"There are other things people can do either through the use of additional monitoring tools, like honeypots, network sniffers, and other things to get additional visibility to these networks," he says.
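The segmentation August describes earlier and the extra network visibility he calls for here can be checked in the same pass. The following is an added example, not code from the article or from John Muir Health: it audits constructed flow-log lines for traffic leaving a hypothetical medical-device VLAN (10.50.0.0/24) to anything other than an allow-listed internal PACS server and NTP server. The addresses, ports, and the one-line log format are assumptions made for the example.

```python
"""Audit flow logs for a segmented medical-device VLAN.

Added example; not the article's or any vendor's code. Assumptions:
  - medical devices live in 10.50.0.0/24 (hypothetical device VLAN)
  - the segment may only reach an internal PACS server on DICOM (10.10.5.20 tcp/104)
    and the hospital NTP server (10.10.5.53 udp/123); both addresses are made up
  - each flow-log line is "src dst proto dport" (constructed format)
"""
import ipaddress
from dataclasses import dataclass

MEDICAL_SEGMENT = ipaddress.ip_network("10.50.0.0/24")  # hypothetical device VLAN

# (destination host, protocol, destination port) the segment is allowed to reach.
ALLOWED = {
    (ipaddress.ip_address("10.10.5.20"), "tcp", 104),  # PACS / DICOM (assumed)
    (ipaddress.ip_address("10.10.5.53"), "udp", 123),  # internal NTP (assumed)
}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' log line."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def classify(flow: Flow):
    """Return None if the flow is acceptable, otherwise a short reason string."""
    if flow.src not in MEDICAL_SEGMENT:
        return None  # only traffic originating in the device segment is audited
    if (flow.dst, flow.proto, flow.dport) in ALLOWED:
        return None
    if flow.dst.is_global:
        return "internet egress"  # the segment should have no path out at all
    if flow.dst in MEDICAL_SEGMENT:
        return "intra-segment"  # device-to-device traffic: possible lateral movement
    return "unapproved internal destination"  # e.g. reaching the IT/billing network


def audit(lines):
    """Return (line, reason) pairs for every flow that violates the segment policy."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reason = classify(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample flows; the last line is IT-side traffic and is out of scope.
SAMPLE_FLOWS = """\
# src dst proto dport
10.50.0.21 10.10.5.20 tcp 104
10.50.0.21 10.10.5.53 udp 123
10.50.0.33 93.184.216.34 tcp 443
10.50.0.33 10.10.20.5 tcp 445
10.50.0.21 10.50.0.33 tcp 445
10.10.20.5 93.184.216.34 tcp 443
"""

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{reason:32} {line}")
```

Run against real flow exports or firewall logs, any "internet egress" finding means the segment has a route out that it should not have, and "intra-segment" findings deserve a look because devices that can reach one another can also spread malware among themselves. If a vendor needs a remote-support path to a device, it belongs in the allow list as an explicit entry rather than showing up afterward as an exception.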

Reach Out
Finally, August says it's important for security professionals to communicate with their peers to understand the threats they all face.

"We're all in this together," he says. "There's a whole lot of security folks that all want to do the right thing, and it's hard."

There is a lot to know, he says, and only by leaning on one another can security professionals learn from one another and hope to stay ahead of attackers.

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
