
Plugging the cybersecurity gaps in medtech and healthcare networks

While the average cost of a data breach passed US$9 million in 2021, the calculation of the costs of a widespread cyber-physical attack in the healthcare industry remains undetermined. Despite the much-publicized rise of ransomware, many stakeholders across the medical industry remain in the dark regarding the cyber-physical risks associated with operational medical technology, the internet of medical things (IoMT), and digital components of operations and facilities management. Amid international cyber conflict involving a spectrum of threat actors, the US government has begun to shine new light on a growing problem.
Cybersecurity concerns for healthcare are multifaceted, including vulnerable technologies designed without security in mind, internet-connected devices used directly in patient care, and smart buildings and automated facilities technology.
Much like a house of mirrors, responsibility for understanding and mitigating cyber risk in healthcare is difficult to distinguish and often depends on whom you ask – especially when it comes to non-enterprise systems and devices. IoMT represents a two-way mirror offering a window to target med-tech and healthcare networks and activities. Hardcoded passwords and credentials are targeted, manufacturers' user interfaces are hijacked, change management processes are circumvented, and widespread vulnerabilities continue to impact thousands of devices globally.
Legacy Medical Technology
Legacy technologies in healthcare are ubiquitous, expensive to replace, and susceptible to exploitation from well-known cyberattack tactics and a growing list of publicly disclosed common vulnerabilities and exposures (CVEs).
Many systems run on outdated software such as Windows XP and Windows 7 and have limited mechanisms for applying critical patches and updates across widely distributed, unmanaged deployments. Resources and manpower limit the ability to track, secure, and fortify every component of legacy medical technology in use.
At a high level, manufacturers are responsible for product security, lifecycle maintenance, and vulnerability disclosure. End-users are responsible for tracking and addressing discovered vulnerabilities, enabling security features, securing data in transit and at rest, and deploying solutions to monitor technologies and networks their organizations rely on.
Internet of Medical Things (IoMT)
The primary attack surface for IoMT devices is default credentials. When a system is targeted, the attacker – typically another infected IoT device – will attempt an average of 40 passwords for a handful of usernames.
As the FDA notes, the US regulates nearly 200,000 medical devices, manufactured by over 18,000 companies globally. These devices, often capable of internet connection, have risks associated with unauthorized access, hijacking login interfaces to bypass password authentication, distributed denial of service (DDoS) attacks, and limited protections for sensitive patient information.
Smart, Connected Facilities
Medical and health operations and facilities continue to digitize components of non-IT control systems. With centralized controls, companies often deploy building automation solutions (BAS) to connect control of these diverse functions. Security flaws in BAS can be targeted to gain access to credentials, networks, VPNs, and sensitive data. Circumventing building, utility, and security control systems can have major impacts on patient care, and both patient and provider safety.
Building security is a top priority for the US National Cyber Director, and early adoption of holistic security practices can prevent catastrophic outcomes. When controlling one or many devices, threat actors can coordinate more widespread attacks. In a recent smart building engagement, Nozomi Networks found 361 unsecured protocols in use, 259 open device vulnerabilities, and 37 cleartext (unencrypted) passwords stored.
A Way Forward
Even if legacy med-tech, IoMT devices, and facilities technology are not the intended target of a cyber incident, cascading impacts could render them useless, resulting in delayed treatment and potential harm to both patients and providers. Responses include reducing cybersecurity risks, ensuring compliance with quickly changing regulatory requirements, and working to gain visibility into the connectivity, traffic, and anomalies associated with network behavior.
Given the outsized reliance on technologies and the burden of manual operations, hospitals and healthcare providers need to pivot quickly. Cybersecurity scenarios raise the question: do IT and facilities teams know what else is connected to communications networks, and the potential for exploitation of these legacy systems, IoMT devices, networks, and control systems?
When enterprise IT systems fail, they are often isolated from the rest of the network. When operational systems fail, the impacts can include property damage and human casualties. With the scale of potential risks, transparency is key. A cybersecurity solution purpose-built for operational technology and IoMT can:
- Capture and visualize a landscape of tens or hundreds of thousands of connected systems and endpoints,
- Monitor and audit network traffic in real-time, to encompass non-IT systems,
- Baseline and continuously understand an organization’s cybersecurity status,
- Provide actionable intelligence to address the most critical of issues,
- Limit third-party access and alert on changes to network behaviors or variables,
- Strengthen an organization’s security policy without gaps or shadow-connectivity.
Learn more about Nozomi Networks’ IoMT and OT visibility and cybersecurity solutions in healthcare and smart hospitals.
This article was authored by Danielle Jablanski, OT Cybersecurity Specialist at Nozomi Networks