Cyber risk in health continues to grow, with more and more attacks being reported. Attacks can cause disruption to mission-critical services, loss of data, and breaches of privacy, but unique to hospitals are the risks to patients and staff that arise from medical devices co-existing with everything else on modern unified, shared network infrastructure.
The US-based not-for-profit ECRI Institute placed cybersecurity attacks at the top of its list of health technology hazards for 2022, citing the large volume of connected devices in hospitals, both medical and non-medical. Manufacturers and vendors of software, building control systems, Internet of Things (IoT) devices and medical devices publish vulnerabilities frequently, and each one requires corrective action ranging from software patching through to replacement or isolation.
Complications of undefined responsibility
Added complexity arises from undefined responsibility for asset management, for monitoring the sources of vulnerability alerts, and for remediation across all disciplines. Hospital IT departments often purposely exclude networked building control systems and medical devices from active management, on the assumption that these will be appropriately managed by others, often the vendor or service provider. The real risk is not knowing what you don't know.
It is unrealistic to expect an asset database to hold, for every connected device, the attributes that matter for security (location, operating system and version, known vulnerabilities, IP address, and MAC address) and to keep them current without an automated discovery tool.
Cabrini Health is a Catholic, not-for-profit private health service located in the south-east of Melbourne, Australia. Inspired by the mission and ethic of care of the Cabrini Sisters, it has provided care to its community for over 70 years. With hospitals in Malvern, Brighton, and Elsternwick, it offers a comprehensive range of acute, rehabilitation, palliative care, mental health, and homecare services.
At Cabrini Health there are 27,683 connected devices that have recently been seen across the corporate and guest networks, of which only 2,845 are medical (see Figure 1). Of these, 11,516 are identified as high-risk due to unmanaged vulnerabilities, while 275 devices are identified as operational technology (OT), which includes items such as building access controllers.
It is not until an inventory is built that the magnitude of the issue becomes apparent. Compared with many public hospitals, Cabrini's environment is relatively simple: it does not have an electronic medical record, which would require many more devices to be networked, and some legacy connected equipment cannot be seen by discovery tools because it sits on physically segregated networks.
Prioritisation and location are key
Resources are always limited, so risk stratification is an important way to prioritise an ongoing programme of work. It is also worth noting that high-level controls, such as VLAN segregation and firewalls, can provide a safe zone for devices identified as high-risk which cannot be hardened, or which are no longer supported by the vendor; this is very common in building control systems and medical devices. Asset location visibility is not only useful for management personnel, but also for containing an attack. This becomes difficult at scale, especially if departments and individuals add new IoT and Internet of Medical Things (IoMT) devices to your network without your knowledge. This shadow IT challenge can turn ugly if any of these devices have default passwords or lax security: if you do not know they have entered your environment, there is no way to secure them appropriately.
The location of fixed devices can be managed through a variety of tools; typically an asset management system can hold location information and switch port numbers, so that, with the switch port and patching records available, the location of a device can be determined by cross-reference. Tracking down mobile equipment is more challenging, but standard network tools can assist. The diagram in Figure 2 depicts wireless mobile devices found using a common wireless location tool.
Hackers do not need complicated methods to obtain access to hospital systems. Remote access systems, for example, are used routinely in hospitals to give vendors access for technical support, and they are a common target precisely because, by nature, the point of entry is publicly accessible. Intended to meet legitimate business needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems installed at the facility, remote access systems can equally be exploited for illegitimate purposes.
Attackers take advantage of unmaintained and vulnerable remote access systems to infiltrate an organisation's network. Once they gain access, whether through medical or non-medical assets, attackers can move laterally to other connected devices or systems, installing ransomware or other malware, stealing data or rendering it unusable, or hijacking computing resources for other purposes, such as generating cryptocurrency. Safeguarding assets requires identifying, protecting, and monitoring all remote ingress points, as well as adhering to recommended cybersecurity practices such as instituting a strong password policy, maintaining and patching systems, and logging system access.
Published cyber vulnerabilities
Cyber vulnerabilities are published frequently by manufacturers and vendors of software, building control systems, IoT devices and medical devices, and require corrective action ranging from software patching through to replacement or strict firewalling. These vulnerabilities and their associated alerts and recalls do not always reach the hospital, and are not always communicated through the normal channels, so they can slip past the usual risk management teams in the business. A clearly defined responsibility matrix is key to an effective and proactive preventative maintenance schedule for connected devices.
Many connected hospital devices in plain sight continue to operate on unsupported operating systems and remain unpatched, even as cyberattacks on the highly targeted healthcare sector continue to grow. Take the example of nurse call systems. International experts report that 48% of nurse call systems have unpatched Common Vulnerabilities and Exposures (CVEs), which makes them some of the higher-risk Internet of Medical Things (IoMT) devices. Infusion pumps, which deliver fluids and medication to patients at controlled rates, are the second riskiest IoMT devices, with almost a third (30%) operating with unpatched CVEs; 27% of these devices carry unpatched critical-severity CVEs.
When it comes to medication dispensing systems, 86% have unpatched CVEs, and just under a third (32%) operate on Microsoft Windows versions that are no longer supported. Over half (59%) of IP cameras in clinical environments have unpatched CVEs, of which 56% are critical severity. Protecting every type of connected device, whether medical, IoT, or the building management system, with full visibility and continuous, contextualised monitoring is a key element of ensuring patient safety.
Even where your data is hosted locally, whether in your own data centre or in a local region of a global cloud services provider, staff of the provider or vendor located in other jurisdictions may still be able to access your data, your network and storage configuration details, and the hypervisor layer from overseas. The main issue is that it is often impossible to know who is accessing what data, even when that access is legitimate.
For example, at Cabrini we can see material amounts of data transfer across dozens of different countries. Figure 3 highlights the fact that there are over 2,000 devices communicating with China and Russia, some of which are medical.
Cabrini’s approach
Using one of the better known IoMT network monitoring tools, Cabrini Health has taken a proactive approach on a journey toward best practice. To date we have achieved:
Visibility of 24,716 networked devices of all types.
Accurate detection of each device and its association with a specific asset record.
Identification of 51 risk alerts and 13 threat alerts.
Risk stratification, in which 8,333 devices have a high-risk profile, of which 397 are medical in nature.
This information has been synthesised into a programme of work involving IT, Facilities Management, and Biomedical Engineering, which includes patching, firewalling, network segmentation, and equipment replacement. A further unexpected benefit has been improved asset identification, which in turn has made it possible to report on and understand device utilisation. This supports better decision-making around procurement, usage optimisation, maintenance, and service planning for networked hospital devices.
While not claiming to be an expert, I have found the journey thus far, spanning several years, a steep learning curve. The following suggestions are offered to assist those who may be less advanced in securing non-traditional networked devices. Making your healthcare organisation secure against the risks that IoT devices expose you to requires a mix of fundamental cybersecurity practices and targeted efforts.
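The risk stratification described above can be reproduced on a plain inventory export. The following is an added example written for this article, not output from the discovery tool used at Cabrini: the device rows are constructed sample data, the list of unsupported operating systems and the scoring weights are assumptions chosen to show the technique, and the recommended actions map each finding to the corrective actions the article lists (patching, firewalling, segmentation, replacement).

```python
"""Risk stratification of a connected-device inventory.

Added example for this article: illustrative code, not output from the
discovery tool used at Cabrini. The inventory rows, the unsupported-OS list
and the scoring weights are constructed assumptions.
"""
from dataclasses import dataclass

# Operating systems treated as unsupported (assumed list for the example).
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}


@dataclass
class Device:
    name: str
    category: str            # "medical", "ot", "iot" or "it"
    os: str
    unpatched_cves: int      # count of unpatched CVEs of any severity
    critical_cves: int       # subset that are critical severity
    internet_exposed: bool = False
    default_creds: bool = False
    vendor_supported: bool = True


def cannot_be_patched(d: Device) -> bool:
    """True when the device has no patch path: unsupported OS or no vendor support."""
    return d.os in UNSUPPORTED_OS or not d.vendor_supported


def risk_score(d: Device) -> int:
    """Additive 0-100 score. Weights are assumptions, not a published standard."""
    score = 0
    if d.critical_cves > 0:
        score += 50
    elif d.unpatched_cves > 0:
        score += 25
    if cannot_be_patched(d):
        score += 20
    if d.default_creds:
        score += 15
    if d.internet_exposed:
        score += 15
    if d.category in ("medical", "ot"):   # patient-safety or building-safety impact
        score += 10
    return min(score, 100)


def risk_tier(score: int) -> str:
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def recommended_actions(d: Device) -> list:
    """Map each device's findings to the corrective actions the article lists."""
    actions = []
    if d.default_creds:
        actions.append("change default credentials")
    if d.internet_exposed:
        actions.append("remove direct internet exposure; route via monitored remote access")
    has_cves = d.unpatched_cves > 0 or d.critical_cves > 0
    if has_cves and cannot_be_patched(d):
        actions.append("isolate in dedicated VLAN behind firewall policy; plan replacement")
    elif has_cves:
        actions.append("schedule vendor patching; firewall until patched")
    elif cannot_be_patched(d):
        actions.append("isolate in dedicated VLAN; plan replacement")
    return actions


def stratify(devices: list) -> dict:
    """Group devices by tier, highest score first, with their actions."""
    tiers = {"high": [], "medium": [], "low": []}
    for d in sorted(devices, key=risk_score, reverse=True):
        score = risk_score(d)
        tiers[risk_tier(score)].append((d.name, score, recommended_actions(d)))
    return tiers


def summary(devices: list) -> dict:
    """Counts per tier, plus how many high-risk devices are medical."""
    counts = {t: 0 for t in ("high", "medium", "low")}
    high_medical = 0
    for d in devices:
        tier = risk_tier(risk_score(d))
        counts[tier] += 1
        if tier == "high" and d.category == "medical":
            high_medical += 1
    return {"counts": counts, "high_medical": high_medical}


# Constructed sample inventory (hypothetical devices, not real Cabrini assets).
SAMPLE_INVENTORY = [
    Device("infusion-pump-12", "medical", "Embedded Linux", 3, 1),
    Device("nurse-call-srv-1", "medical", "Windows 7", 5, 0),
    Device("bms-lift-ctrl-2", "ot", "VxWorks", 0, 0, default_creds=True, vendor_supported=False),
    Device("ip-camera-ward3", "iot", "Linux", 4, 2, internet_exposed=True, default_creds=True),
    Device("clinician-laptop-77", "it", "Windows 11", 1, 0),
    Device("med-dispense-3", "medical", "Windows XP", 6, 3),
]

if __name__ == "__main__":
    for tier, rows in stratify(SAMPLE_INVENTORY).items():
        print(f"== {tier} ({len(rows)})")
        for name, score, actions in rows:
            print(f"  {name:22} {score:3}  {'; '.join(actions)}")
    print(summary(SAMPLE_INVENTORY))
```

The point of the scoring is the combination of factors: a medical device with a critical CVE on a supported platform lands in the high tier with a patching action, while the same device on an unsupported operating system gets an isolation action instead, because no patch will arrive. The weights should be tuned to the organisation's own risk appetite, and the output is a starting point for the cross-discipline programme of work, not a replacement for it.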
Ensure you have the appropriate asset visibility and inventory solutions
Make sure you have the tools and process to know exactly what is making up your environment and what is interacting with your network. This is crucial for ensuring that your additional safeguards and protective solutions are incorporating all of your devices.
Change all default passwords to pass-phrases
If you have not already, make sure that every connected device on your network has a unique, strong passphrase rather than the default credential the manufacturer shipped, and record any device whose credentials cannot be changed so that it can be segmented instead.
Ensure that generic passwords are not used for service access
Where possible, issue time-limited temporary access for each service visit. Service passwords are often used without the hospital's knowledge, shared between technicians, or written down.
Ensure that switches do not use default port settings, e.g. all ports left in VLAN 1
VLAN 1 was never intended to carry ordinary user or device traffic. By default, every access port on a Cisco switch is in VLAN 1, VLAN 1 is the native VLAN on every trunk, and Cisco control-plane protocols such as CDP and VTP use it, so a device plugged into any unconfigured port lands on a VLAN that spans the entire switched network alongside that control traffic. Unless VLAN 1 is pruned from trunks, the native VLAN is moved to an unused VLAN, and spare ports are shut down or parked in an unused 'black hole' VLAN, VLAN 1 ends up unwisely spanning the whole estate and hands any newly plugged-in device, including an unknown IoT device, a foothold on the backbone.
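Checking for this on a large estate is easier from the configuration than from the console. The following is an added example for this article, not a vendor tool: it audits a Cisco IOS-style running-config for live access ports still in VLAN 1 and for trunks whose native VLAN is 1 or that still carry VLAN 1, and suggests the corresponding IOS commands. The config fragment is constructed, and VLAN 999 as the 'black hole' VLAN is an assumption; use whatever unused VLAN your design reserves.

```python
"""Audit a Cisco IOS-style running-config for ports left on VLAN 1.

Added example for this article, not a vendor tool. SAMPLE_CONFIG is a
constructed fragment; the 'black hole' VLAN 999 used in the suggested fixes
is an assumption (use whatever unused VLAN your design reserves).
"""
import re

BLACKHOLE_VLAN = 999   # assumed unused VLAN for parking spare ports / native VLAN


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} from a running-config."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or any top-level line ends the block
    return interfaces


def expand_vlans(spec):
    """'1,120-122,200' -> {1, 120, 121, 122, 200}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def _value(lines, prefix, default):
    """Value after a given command prefix, or default when the command is absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit_vlan1(config_text):
    """Return (interface, issue, suggested fix) for every live port exposing VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if "shutdown" in lines:
            continue                                    # administratively down: ignore
        mode = _value(lines, "switchport mode ", None)
        if mode == "access":
            vlan = int(_value(lines, "switchport access vlan ", "1"))   # IOS default is 1
            if vlan == 1:
                findings.append((name, "access port in VLAN 1",
                                 f"move to the device's VLAN, or 'switchport access vlan "
                                 f"{BLACKHOLE_VLAN}' plus 'shutdown' if the port is spare"))
        elif mode == "trunk":
            native = int(_value(lines, "switchport trunk native vlan ", "1"))
            if native == 1:
                findings.append((name, "trunk native VLAN is 1",
                                 f"switchport trunk native vlan {BLACKHOLE_VLAN}"))
            allowed = _value(lines, "switchport trunk allowed vlan ", None)
            if allowed is None or 1 in expand_vlans(allowed):   # absent = all VLANs
                findings.append((name, "trunk carries VLAN 1",
                                 "switchport trunk allowed vlan remove 1"))
        # ports with no explicit mode (dynamic auto/desirable) are not assessed here
    return findings


# Constructed running-config fragment (hypothetical switch, not a real config).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description nurse-station-pc
 switchport mode access
 switchport access vlan 120
!
interface GigabitEthernet1/0/2
 description spare
 switchport mode access
!
interface GigabitEthernet1/0/3
 description spare-parked
 switchport mode access
 switchport access vlan 1
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink-core
 switchport mode trunk
 switchport trunk allowed vlan 1,120,130,200
!
interface GigabitEthernet1/0/23
 description uplink-bms
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 120,200
!
"""

if __name__ == "__main__":
    for interface, issue, fix in audit_vlan1(SAMPLE_CONFIG):
        print(f"{interface}: {issue} -> {fix}")
```

Two caveats when acting on the findings: removing VLAN 1 from a trunk's allowed list stops user data on it, but Cisco control protocols (CDP, VTP, DTP) continue to use VLAN 1 regardless, so the native VLAN still needs to be changed; and an access port that is genuinely in use should be moved to the right VLAN rather than shut down, which is why the suggested fix for access ports is worded as a choice.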
Maintain a regular patch management process
Just like any other software, IoT and medical device firmware receives security updates from the manufacturer to fix discovered vulnerabilities. Failing to apply these updates is an easy way to leave yourself exposed. Note that many medical devices can only be patched by, or with the approval of, the vendor, so the patch process has to include them explicitly (see the point on service contracts below).
Leverage network segmentation tools and maintain logical grouping together with current documentation
To limit the potential of a malicious attacker using an IoT device as their way into your organisation's network, isolate IoT devices in their own network segments. Segmentation only helps if traffic between segments is restricted by firewall or access-control policy to what the devices actually need; VLAN membership alone does not stop lateral movement. Done properly, it ensures that even if a device is compromised, an attacker cannot reach the rest of your network, where more sensitive systems and data are found.
Use monitoring tools to detect unusual behaviour
Network, device, and traffic monitoring tools can detect whether a device has been accessed by an unknown or new user, whether multiple attempts to access a device have been made, or whether a device is behaving erratically, as it may after a compromise. These tools alert you to issues early and give you more time to react appropriately.
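The two behaviours named above (access by an unknown or new user, and repeated access attempts) are the same signals that matter for the remote access systems discussed earlier, where logging system access was one of the recommended practices. The following is an added example for this article, not code from any monitoring product: it runs simple detection logic over remote-access gateway log lines. The log format (one line per login attempt: timestamp, gateway, user, source, result) and the sample lines are constructed; the known-user baseline, the 'vendor_' account prefix and the 07:00 to 19:00 UTC service window are assumptions, and the regex would need adapting to whatever your gateway actually emits.

```python
"""Detection over remote-access gateway logs.

Added example for this article, not code from any product. The log format
(one line per login attempt: 'ts gateway user= src= result=') and the sample
lines are constructed; adapt LINE_RE to whatever your gateway emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Yield one event dict per well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")   # UTC, naive
        yield ev


def alert(kind, ev, detail):
    return {"kind": kind, "user": ev["user"], "src": ev["src"],
            "ts": ev["ts"].isoformat(), "detail": detail}


def detect(lines, known_users, burst_threshold=5, window=timedelta(minutes=10),
           vendor_prefix="vendor_", service_hours=(7, 19)):
    """Return alerts for: a burst of failed logins, a success right after such a
    burst, a successful login by an account not in the known-user baseline, and
    a vendor account logging in outside the agreed service window (hours in UTC).
    Assumed conventions: vendor accounts share a prefix; the baseline is a set."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    burst_users = set()
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        q = recent_fails[user]
        while q and ts - q[0] > window:     # drop failures outside the sliding window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
            if len(q) >= burst_threshold and user not in burst_users:
                burst_users.add(user)
                alerts.append(alert("failed_login_burst", ev,
                                    f"{len(q)} failures within {window}"))
            continue
        # successful login from here on
        if user not in known_users:
            alerts.append(alert("unknown_user_success", ev, "account not in baseline"))
        if user in burst_users and q:
            alerts.append(alert("success_after_burst", ev,
                                "possible password guessing succeeded"))
        if user.startswith(vendor_prefix) and not (service_hours[0] <= ts.hour < service_hours[1]):
            alerts.append(alert("vendor_access_out_of_hours", ev, f"login at {ts:%H:%M} UTC"))
    return alerts


# Constructed sample log (documentation IP ranges; hypothetical accounts).
SAMPLE_LOG = """\
2023-05-02T01:58:11Z remote-gw user=j.smith src=198.51.100.7 result=OK
2023-05-02T02:14:07Z remote-gw user=vendor_svc src=203.0.113.9 result=FAIL
2023-05-02T02:14:09Z remote-gw user=vendor_svc src=203.0.113.9 result=FAIL
2023-05-02T02:14:12Z remote-gw user=vendor_svc src=203.0.113.9 result=FAIL
2023-05-02T02:14:15Z remote-gw user=vendor_svc src=203.0.113.9 result=FAIL
2023-05-02T02:14:19Z remote-gw user=vendor_svc src=203.0.113.9 result=FAIL
2023-05-02T02:14:25Z remote-gw user=vendor_svc src=203.0.113.9 result=OK
2023-05-02T03:02:40Z remote-gw user=unknown_admin src=192.0.2.44 result=OK
2023-05-02T09:30:00Z remote-gw user=j.smith src=198.51.100.7 result=OK
malformed line that should be ignored
""".splitlines()

KNOWN_USERS = {"j.smith", "vendor_svc", "bme_oncall"}   # assumed baseline

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_USERS):
        print(f"{a['ts']} {a['kind']:26} user={a['user']} src={a['src']} ({a['detail']})")
```

On the sample, the vendor account produces three alerts in sequence: the failed-login burst, the success that follows it, and the out-of-hours login. Seen together they describe a credential that was guessed or shared, then used at 02:14, which is exactly the pattern that time-limited service access and logging of every remote ingress point are meant to make visible.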
Employ an endpoint detection and response (EDR) solution
An EDR tool, used for all endpoints that can run an agent, not just traditional IT devices, is a must for all organisations in today's environment. Many medical and IoT devices cannot host an agent at all, which is why network-based monitoring is needed alongside EDR rather than instead of it. If you do not have one yet, do your due diligence to find an EDR solution that works for your industry, the make-up of your organisation, and your needs.
Do not document logon details on laminated sheets, or in readily accessed documentation
In hospitals there are many casual or temporary staff who need access to IT infrastructure. Eliminating shared passwords is basic hygiene.
Ensure vendor service and service contracts include management of software patches
Patching is best performed by the equipment vendor or a specialist support company, with the hospital retaining visibility of what has been patched, and when, so that the asset inventory stays accurate.
Conclusion
Healthcare IoT and IoMT cybersecurity is just part of modern security hygiene and preventative maintenance. The risk introduced by IoT, medical devices, and building control and management infrastructure, represents yet another aspect of healthcare cybersecurity that requires attention and resources. The healthcare sector is under attack in a major way, and it’s time that health Facilities managers see cybersecurity improvement as an absolute necessity, dedicating the budget and staff appropriately. While it’s still not always feasible for in-house solutions or teams to address all the risks and concerns these organisations are currently facing, hospital Facilities managers should consider partnering with cybersecurity solutions experts who offer a wide suite of cybersecurity services and tools dedicated to preventing compromises, while also providing important resources in case a company is breached or a hacker makes their way in. I will leave you with this final thought: ‘Imagine if the lift controller systems were shut down; patients could not be moved effectively to theatres and wards for urgent critical care.’
Acknowledgment
This article, titled ‘Attacking cyber risks that are unique to hospitals’ was first published in the July 2023 issue of Healthcare Facilities, the official journal of the Institute of Healthcare Engineering, Australia. HEJ wishes to thank the author, the IHEA, and the magazine’s publisher, Adbourne Publishing, for allowing its reproduction here in slightly edited form.