Zero Trust Approach Can Defend Against IoMT Device Attacks for Healthcare Organizations

essidsolutions

With the significant rise in cyberattacks, the healthcare industry needs to secure its systems and devices against an onslaught of attacks. Leon Lerman, CEO and co-founder of Cynerio, shares why the security of connected medical devices is an integral part of the Internet of Medical Things (IoMT).

Securing the Internet of Medical Things can be a challenging task. Hospitals typically have hundreds, even thousands of connected medical devices, with more being connected each year, and these devices carry multiple vulnerabilities.

Between 2019 and 2020, healthcare breaches in the U.S. increased by 55%. Over 67% of those breaches were caused by hacking and IT incidents, and about 24 million patient records were exposed to unauthorized parties as a result of cyberattacks.

For instance, ransomware can infiltrate a connected device and then spread to other parts of a hospital's or health system's network. In other cases, outdated vendor firmware lets attackers slip in and take control of the device. Additionally, unmanaged communications services such as HTTP and Telnet, which carry credentials and commands in cleartext, open healthcare IoT devices up to bad actors.

One effective way to mitigate these threats is to adopt a security architecture called zero trust. Zero trust is growing in popularity: 72% of organizations across every sector plan to implement it by the end of this year. But the approach works differently from established, perimeter-based security models and has yet to be widely adopted in the healthcare industry.


Zero Trust: A Security That Trusts No One

Traditional security approaches have focused on building a security "perimeter" and ensuring that attackers cannot penetrate it. Zero trust turns this thinking on its head. Rather than relying on a perimeter, every connection and event on the network is treated as untrusted until it has been verified, regardless of where it originates. In other words, 'zero trust' is extended to every component of the network.

While in operation, zero trust security makes several assumptions. All users, whether they are employees, contractors or guests of the organization, could be malicious. Systems and equipment are assumed to be compromised.

Confidential data are assumed to be reachable by those with ill intent. The same policies apply to assets and workflows whether they live on the network or outside of it.

Zero trust security authenticates and authorizes every access between two components on the network, and it does so per connection rather than once at the perimeter. After that check, users, applications and devices are granted only the minimum privileges they need to function.

The reason for this total absence of trust is to safeguard networks even as threats and boundaries continue to grow increasingly complex. This also helps safeguard devices from multiple kinds of threats.

Fighting Threats in Healthcare Environments With Zero Trust

Healthcare organizations face several key vulnerabilities. Many unknowingly run connected medical devices on end-of-life operating systems that no longer receive security updates. Ransomware can exploit these unpatched systems to spread laterally from device to device.

Sometimes, outdated firmware makes devices vulnerable to malware. For instance, the Ripple20 family of 19 vulnerabilities in the Treck TCP/IP stack, disclosed last year, could let attackers take control of, or steal information from, any of hundreds of millions of connected IoT devices around the world. Additionally, the Urgent/11 group of firmware vulnerabilities in the VxWorks IPnet TCP/IP stack, announced in 2019 and still affecting medical devices today, leaves millions of devices open to similar attacks.

Meanwhile, devices like IP cameras and attendance clocks are commonly managed over HTTP, an unmanaged communications service whose Basic authentication sends credentials in the clear (Base64-encoded, not encrypted), so anyone who can observe the traffic can recover them. Many medical and IoT devices also use generic protocols like FTP or HTTP for necessary device maintenance, and the services behind them often ship with default passwords that cannot be changed. Bad actors who find those passwords can use the devices to steal or corrupt data, or even disrupt the device's functionality.

Zero trust security can mitigate all of these threats. For example, blocking unauthorized connections between devices thwarts the ability of ransomware and other malware to spread across a network. It prevents communication between malware and its command-and-control infrastructure. It also keeps bad actors from using vulnerable devices for denial of service and from extracting data with malware.

With zero trust in place, unmanaged communications services are usually allowed only for essential communications. By ensuring every connection is authorized, verified and authenticated and that communications are controlled on a case-by-case basis, zero trust security ensures tight controls on these unmanaged services.


Getting Started With Zero Trust

Healthcare cybersecurity professionals can take a few steps towards building a zero trust environment:

    •  Identify all connected devices on your network: Zero trust policies cannot be applied to devices that security and IT teams don't know about or can't manage. Hospitals can use asset management solutions to identify all of the connected medical and IoT devices on their network, which is a prerequisite for applying zero trust policy across your devices.
    •  Set up policies to block unnecessary communications with Healthcare IoT devices: When mapping out your organization's devices, ask several questions about each category of devices. What communications protocols does the category use? Do its devices need to communicate over the internet? What other devices does the category communicate with? Can these devices reach other devices or networks that aren't necessary for normal operations?
    •  Segment the network to confine attackers to a specific segment: Segmenting connected IoT devices limits how far a vulnerability in one device can be exploited, confining an attacker to that segment. Collaborating with clinical engineering and healthcare technology management teams is key when defining segmentation policies, as their input will ensure that segmentation doesn't interrupt clinical data flow, which can disrupt patient care.
    •  Harden services running on connected devices to mitigate security impact: Hardening involves processes like applying security patches, upgrading software, closing unused ports, limiting unnecessary functions and requiring authentication on all communications channels. For connected devices that don't support basic security activities or that have hardcoded unnecessary functions, prioritize the devices with the highest risk, those whose vulnerabilities matter most for patient care and sensitive data.
    •  Quarantine infected devices to contain breaches: When devices critical to patient care are infected, they can't just be turned off. So, establish monitoring and incident response procedures to find breaches and infections in real time, and keep devices continually functional. Use segmentation to isolate the device, and once planned device downtime occurs, patch or clean the device to eliminate the threat.
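As an added example (not code from this article or from Cynerio), the Python below ties the five steps above together with the threats described earlier (lateral spread, command-and-control beacons, cleartext Telnet/FTP/HTTP maintenance services) in a small default-deny flow evaluator: an inventory of known devices, a per-category allowlist that stands in for segmentation, outright refusal of Telnet and FTP with flagging of essential-but-cleartext HTTP, a quarantine flag that restricts an infected device to its management station, and a blast-radius check showing what an attacker on a given device could still reach. The device categories, IP addresses, ports and flow log are all constructed for illustration, as are the names evaluate, blast_radius and run_sample.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    """One asset-inventory entry (step 1: identify every connected device)."""
    ip: str
    category: str                # e.g. infusion_pump, ip_camera, mgmt (hypothetical)
    quarantined: bool = False    # step 5: isolated pending a patch or clean


@dataclass(frozen=True)
class Flow:
    """One connection attempt as reported by network telemetry (constructed)."""
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    dport: int


# Steps 2 and 3: per-category allowlist of (peer category, proto, dport).
# Anything not listed is denied, which is what confines each category to
# its own segment. Hypothetical categories and ports.
POLICY: Dict[str, Set[Tuple[str, str, int]]] = {
    "infusion_pump": {("pump_server", "tcp", 443)},
    "pump_server":   {("infusion_pump", "tcp", 443), ("ehr", "tcp", 443)},
    "ip_camera":     {("nvr", "tcp", 554)},
    "nvr":           set(),
    "ehr":           set(),
    "mgmt":          {("infusion_pump", "tcp", 22), ("ip_camera", "tcp", 80)},
}

# Step 4: cleartext maintenance services. Telnet and FTP are refused
# outright; HTTP is tolerated only where the allowlist marks it essential,
# and the verdict says so, so the flow can be tracked for retirement.
REFUSED_CLEARTEXT = {("tcp", 23): "telnet", ("tcp", 21): "ftp"}
FLAGGED_CLEARTEXT = {("tcp", 80): "http"}


def evaluate(flow: Flow, inventory: Dict[str, Device]) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow under default-deny rules."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        return "deny", "unknown endpoint"          # no trust for uninventoried assets
    if src.quarantined and dst.category != "mgmt":
        return "deny", "source quarantined"
    if dst.quarantined and src.category != "mgmt":
        return "deny", "destination quarantined"
    service = (flow.proto, flow.dport)
    if service in REFUSED_CLEARTEXT:
        return "deny", f"{REFUSED_CLEARTEXT[service]} refused"
    if (dst.category, flow.proto, flow.dport) not in POLICY.get(src.category, set()):
        return "deny", "not in allowlist"
    if service in FLAGGED_CLEARTEXT:
        return "allow", f"essential {FLAGGED_CLEARTEXT[service]} (cleartext, flagged)"
    return "allow", "policy match"


def blast_radius(ip: str, inventory: Dict[str, Device]) -> Set[str]:
    """IPs an attacker holding `ip` could still reach directly under the policy."""
    src = inventory[ip]
    reachable: Set[str] = set()
    for peer, proto, port in POLICY.get(src.category, set()):
        for d in inventory.values():
            if d.ip != ip and d.category == peer and \
                    evaluate(Flow(ip, d.ip, proto, port), inventory)[0] == "allow":
                reachable.add(d.ip)
    return reachable


def build_inventory() -> Dict[str, Device]:
    """Constructed sample inventory, not real hospital data."""
    devices = [
        Device("10.1.1.10", "infusion_pump"), Device("10.1.1.11", "infusion_pump"),
        Device("10.1.2.5", "pump_server"), Device("10.1.2.6", "ehr"),
        Device("10.1.3.20", "ip_camera"), Device("10.1.3.2", "nvr"),
        Device("10.1.9.1", "mgmt"),
    ]
    return {d.ip: d for d in devices}


# Constructed flow log: the first two are normal, the rest are the attack
# patterns the article describes (lateral spread, C2 beacon, Telnet).
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.2.5", "tcp", 443),    # pump -> pump server
    Flow("10.1.9.1", "10.1.3.20", "tcp", 80),     # mgmt -> camera web UI
    Flow("10.1.1.10", "10.1.1.11", "tcp", 445),   # pump -> pump: lateral movement
    Flow("10.1.3.20", "203.0.113.7", "tcp", 443), # camera -> unknown host: C2 beacon
    Flow("10.1.9.1", "10.1.1.10", "tcp", 23),     # mgmt -> pump over Telnet
]


def run_sample() -> List[Tuple[str, str]]:
    """Evaluate the constructed flow log against the constructed inventory."""
    inv = build_inventory()
    return [evaluate(f, inv) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    inv = build_inventory()
    for f, (verdict, reason) in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{f.src:>12} -> {f.dst:<12} {f.proto}/{f.dport:<4} {verdict:5} {reason}")
    print("pump blast radius:", sorted(blast_radius("10.1.1.10", inv)))
    inv["10.1.1.10"].quarantined = True           # step 5: isolate, but keep it running
    print("after quarantine: ", sorted(blast_radius("10.1.1.10", inv)))
```

Two design points worth noting. Unknown endpoints are denied before any rule is consulted, which is the code form of "zero trust cannot be applied to devices you have not inventoried": the camera's beacon to an unlisted host is refused without needing a threat feed. And quarantine is a flag on the device rather than a network outage: the pump keeps talking to the management station for patching, but its blast radius drops to nothing, which is the "isolate, then clean during planned downtime" pattern from the last step.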


Put the Patients’ Trust in Zero Trust

Cyberattacks are dangerous to any organization. But they can turn deadly when they hit healthcare networks, where they can compromise patient records and disrupt medical treatment, ultimately threatening patient safety. By treating every entity on a healthcare organization's network as untrusted until verified, zero trust security makes it far harder for bad actors to disrupt the care that an organization's patients need.
