Freeman Health System has approximately 8,000 connected medical devices at its 30 facilities in Missouri, Oklahoma and Kansas. Many of these devices have the potential to be lethal at any time. “This is the doomsday scenario that everyone fears,” said Skip Rollins, the hospital chain’s chief information officer and chief information security officer.
Rollins wants to be able to scan devices for vulnerabilities and install security software on them to ensure they can’t be hacked. But he can’t.
“Vendors in this area are very uncooperative,” he said. “They all have proprietary operating systems and proprietary tools. We can’t scan these devices. We can’t install security software on these devices. We can’t see what they’re doing. The vendors intentionally deliver them this way.”
Vendors claim their systems are unhackable, he said. “We said, ‘Let’s put it in the contract.’ They wouldn’t.”
This may be because these devices can be full of vulnerabilities. According to a report released earlier this year by medical cybersecurity firm Cynerio, 53% of medical devices have at least one critical vulnerability. For example, devices often come with default passwords and settings that attackers can easily find online, or run older, unsupported versions of Windows.
The attacker did not sleep. According to Ponemon research released last fall, attacks on IoT or medical devices accounted for 21% of all healthcare breaches, the same percentage as phishing attacks.
Like other health care providers, Freeman Health Systems is trying to get equipment vendors to take security more seriously, but so far, it hasn’t been successful. “Our vendors will not work with us to resolve the issue,” Rollins said. “This is their proprietary business model.”
Therefore, there are devices located in publicly accessible areas, some with accessible USB ports, connected to the network, and security concerns cannot be directly addressed.
With budgets tight, hospitals cannot threaten vendors that they will retire old equipment and replace them with new ones, even if newer, safer alternatives are available. Therefore, Freeman Health uses network-based mitigation strategies and other workarounds to help reduce risk.
“We monitor traffic coming in and out,” said Rollins, using Ordr’s traffic monitoring tool. Firewalls can block communications to suspicious locations, and lateral movement to other hospital systems is limited by network segmentation.
“But that doesn’t mean the device won’t be compromised while caring for patients,” he said.
To complicate matters further, preventing these devices from communicating with other countries can prevent critical updates from being installed.
“It’s not unusual for equipment to go into China, South Korea or even Russia because the components are manufactured in all those parts of the world,” he said.
Rollins said he was unaware of real-life attempts to harm people by hacking into medical devices. “At least today, most hackers are looking for a payday, not harming others,” he said. However, nation-state attacks on medical devices, similar to the SolarWinds cyberattack, have the potential to cause untold damage.
“Most medical devices are connected back to a central device, using a hub-and-spoke network,” he said. “If they compromise these networks, they disrupt the tools we use to care for patients. That’s a real threat.”
IoT Visibility Struggle
The first challenge in IoT security is identifying which devices are present in the enterprise environment. But equipment is often installed by a single business unit or employee and falls under the purview of departments such as operations, buildings and maintenance.
Many companies don’t have a single entity responsible for securing IoT devices. Doug Clifton, who heads Ernst & Young’s Americas OT and IT efforts, says appointing someone is the first step in getting the problem under control.
The second step is to actually find the device.
Some vendors offer network scanning to help companies do this, according to Forrester analyst Paddy Harrington. Gears from Checkpoint, Palo Alto and others can run continuous passive scans and automatically apply security policies to new devices when they are detected. “It’s not going to solve everything,” he said, “but it’s a step in the right direction.”
Still, some devices don’t fit neatly into known categories and are difficult to guide. “There’s an 80-20 rule,” Clifton said. “Eighty percent of the devices can be collected through technology. The other 20 percent require some investigative work.”
Companies that don’t already have IoT scanning tools should first talk to the security vendors they already work with, Harrington said. “See if they have a product. It may not be the best in class, but it will help bridge the gap, and you don’t have to have a lot of new infrastructure.”
May Wang, chief technology officer for IoT security in Palo Alto, said companies often use spreadsheets to track IoT devices. Each area of the business may have its own checklist. “When we go to the hospital, we get a spreadsheet from the IT department, the facilities department and the biomedical equipment department — all three spreadsheets are different and show different equipment,” she said.
And when Palo Alto scans its environment, these lists often fall short—sometimes by an order of magnitude. Many are older devices, installed days before IoT devices were considered a security threat, Wang said. “Traditional cybersecurity cannot see these devices,” she said. “And traditional ways of protecting these devices don’t work.”
But companies can’t apply endpoint security or vulnerability management policies to devices until they’ve all been identified. Palo Alto now includes machine learning-driven IoT device detection integrated into its next-generation firewall.
“We can tell you what kind of equipment you have, what kind of hardware, software, operating system, what protocols you are using,” Wang said. Palo Alto systems are unable to detect and obtain complete information about each device. “For some of them, it might not be as detailed, but we can get most of the information for most devices. This provides visibility into device discovery.”
Depending on how the technology is deployed, Palo Alto can also select devices based on internal, lateral communications and recommend or automatically enforce security policies for newly discovered devices.
This creates a bigger problem when IoT devices use cellular communications. “A lot of IoT devices are 5G, and that’s going to be a bigger problem,” she said. “We have a department dedicated to 5G security. It certainly brings more challenges.”
A peek inside the Internet of Things
Once IoT devices have been reliably discovered and inventoried, they need to be managed and secured as rigorously as other network devices. This requires configuration management, vulnerability scanning, traffic monitoring, and other capabilities.
Even devices that are not connected to external networks can become intermediate staging points or hiding places for determined attackers to move laterally within a company.
Marcos Marrero, chief information security officer at HIG Capital, faced this dilemma a year ago.
HIG is a global investment firm with more than $50 billion in equity capital under management and 26 offices on four continents. The company has hundreds of devices on its network, such as cameras, physical security equipment and sensors, monitoring temperature, humidity and power within its computer rooms. IoT device security “is a huge issue,” Marrero said. “And it keeps growing and getting bigger.”
As a financial company, HIG takes security very seriously, with a security team overseeing every device installed on its network. “Knock on wood, we haven’t encountered any rogue IoT in our environment,” Marrero said.
But being able to locate devices is just the beginning of the journey. “Then there’s vulnerability and configuration visibility,” he said.
About a year ago, Marrero ran a vulnerability scan on one of the room alarm devices and discovered open ports that did not require authentication. The company contacted the manufacturer and received instructions on how to harden the device. “But we had to ask for it – it was not information that was immediately provided to us,” he said.
He said the vulnerability scans run by the company looked at the device from the outside, finding open ports and operating system type, but little else. “The open source software used in these devices has a lot of vulnerabilities,” he said.
To solve this problem, HIG turned to Netrise’s firmware scanning tool.
“We did a proof of concept and uploaded a firmware image that returned all this vulnerability data and other information,” he said. “That’s what seals it for us.”
Uploading images is a manual process that takes several minutes per image. Due to many duplicate devices of the same type, the company uploaded less than 20 pictures in total. As a result of the scan, the company’s vulnerability list increased by 28%.
“We didn’t know they existed in our environment,” he said. “Yes, we’ve had a spike in vulnerability trends, but half the battle is knowing you have these vulnerabilities in the first place.”
After discovering the vulnerability, HIG contacted the device vendor and implemented additional mitigation measures. “If it’s too dangerous and poses too great a risk to our environment, it could shut down the device,” he said, “or add additional controls around it.”
For example, some devices are segmented on the network