There are many different types of medical devices such as infusion pumps, CT machines, scanners, bedside devices and countless others. Many of these devices are utilizing old versions of operating systems, network protocol software and more. Any medical device connected to the internet is at risk of a cyberattack, and devices that receive and transmit data are the most vulnerable. These medical device vulnerabilities can be exploited by bad actors:
- Inflict patient harm by modifying or deleting PHI data, or by compromising the device integrity
- Make devices unusable by taking over device controls
- Use them to connect to other devices on or off internal networks
Cyberattacks on Unmanaged Medical Devices are Highly Probable
Nearly 70 percent of medical device manufacturers say an attack on their medical devices is likely, but just 17 percent of those companies are taking significant steps to thwart cyberattacks, according to research from the Ponemon Institute.
Despite the growing threat to medical devices and the fact that the governments in most countries have published some form of guidance on best practices for managing devices, the security risks have largely been ignored. Most large healthcare providers lack a documented strategy for protecting them.
Historically medical device patching has proven incredibly difficult and has been infrequent. In most cases, it is resource intensive requiring a physical visit to the hospital to update the device software – when and if updates are made available by the device manufacturer.
Within the next five years, medical technology companies anticipate that 68 percent of their devices will be connected through IoT, up from 48 percent now, according to an online a survey Deloitte conducted with 237 companies.
Protecting Currently Deployed Medical Devices
Medical device design, hopefully and with regulatory pressure, will build in security-by-design for new devices and will make patching and updating software easier and less resource intensive. But what about the millions of devices that are currently deployed? The majority of them are unmanaged medical devices and not even registered with IT security teams. So how can organizations get a grip of this rather large attack surface that is just sitting on the network waiting to be exploited?
In October 2019 in the UK, NHS Digital provided guidance for protecting medical devices which is good advice for any organization to follow. They recommended the following steps should apply to any network connected medical device regardless of operating system:
- Identify medical devices
- Create a mitigation plan
- Apply mitigations to reduce the likelihood of compromise
- Apply mitigations to reduce the impact of compromise
- Understand third party connections
- Periodically review your estate
Identifying & Securing Medical Devices with Behavior Analytics
To enable healthcare organizations to identify unmanaged medical devices connected to the network they have to have a way of detecting which devices are connected to the network and who they are communicating with. Similarly, before creating a mitigation plan, the devices themselves need to be understood. What are the methods of communication that are available?
Gurucul is able to facilitate the identification and protection of unmanaged medical devices.
Gurucul Security Analytics and Operations Platform ingests massive amounts of data to enable organizations to monitor an unlimited number of devices across the network. This includes IoT patient health sensors and machines, security cameras, baby cameras that parents can access from outside the hospital network, and more. The Platform automatically creates a behavior baseline for all devices, and constantly monitors them for deviations in volume, activity, time, place, actions, etc. Each medical device is generally designed to do one thing. Whenever a device varies from that action, it’s usually because it has been compromised or is malfunctioning.
When deviations are identified our integrated SOAR capabilities allow customers to automate responses to anomalous behavior before damage occurs. Responses should stop or block the anomalous behavior by integrating with the organizations security systems. Alerts are also required to ensure that support teams are able to remove the affected device from service as soon as possible – to reduce the risk of patient care being affected. Customizable reporting facilities allow medical devices to be tracked and reported on for compliance purposes.
Gurucul also monitors medical devices that are turned on/off intermittently, not just their IP addresses, and even captures new devices, which may or may not have been formally registered through the IT department. This bridges the gap in time where devices are introduced and not yet registered and managed under IT security, closing an avenue for exploits and insider threats.
Providing insight into the medical device estate, its usage, down periods, locations and changes in behavior can be truly mission critical. The possibilities of cyberattacks on such critical infrastructure increases the risk of patient care issues on a daily basis. To learn how to secure unmanaged medical devices, visit the Gurucul Medical Device Discovery & Monitoring security solutions page.