Freeman Health System has approximately 8,000 connected medical devices at 30 facilities in Missouri, Oklahoma and Kansas. Many of these devices have the potential to be lethal at any time. “This is the doomsday scenario that everyone fears,” said Skip Rollins, chief information officer and chief information security officer at the hospital chain.
Rollins hopes to be able to scan devices for vulnerabilities and install security software on them to ensure they can’t be hacked. But he can’t.
“Vendors in this area are very uncooperative,” he said. “They all have proprietary operating systems and proprietary tools. We can’t scan these devices. We can’t install security software on these devices. We can’t see what they’re doing. The vendors intentionally deliver them this way.”
Vendors claim their systems are unbreakable, he said. “We said, ‘Let’s put it in the contract.’ They wouldn’t.”
That may be because these devices can carry a large number of vulnerabilities. According to a report released earlier this year by healthcare cybersecurity firm Cynerio, 53% of medical devices have at least one critical vulnerability. For example, devices often come with default passwords and settings that attackers can easily find online, or run older, unsupported versions of Windows.
Attackers are not sleeping. According to Ponemon research released last fall, attacks on IoT or medical devices accounted for 21% of all healthcare breaches, the same percentage as phishing attacks.
Like other health care providers, Freeman Health System is trying to get equipment vendors to take security more seriously, but so far it hasn’t been successful. “Our vendors will not work with us to resolve the issue,” Rollins said. “This is their proprietary business model.”
As a result, there are devices in areas accessible to the public, some with accessible USB ports, that are connected to the network and whose security concerns are not directly addressed.
With budgets tight, hospitals cannot threaten vendors with retiring old equipment and replacing it with newer devices, even if newer, safer alternatives become available. So Freeman Health uses network-based mitigation strategies and other workarounds to help reduce risk.
“We monitor traffic coming in and out,” said Rollins, who uses Ordr’s traffic monitoring tool. Firewalls can block communications to suspicious sites, and lateral movement to other hospital systems is limited by network segmentation. “But that doesn’t mean the device can’t be compromised because it’s caring for patients,” he said.
To complicate matters further, blocking these devices from communicating with other countries may prevent critical updates from being installed. “It’s not unusual for equipment to go into China, South Korea or even Russia because the components are manufactured in all those parts of the world,” he said.
Rollins said he was unaware of any real-life attempts to harm others by hacking into medical devices. “At least today, most hackers are looking for a payday, not to hurt people,” he said. However, a nation-state attack similar to the SolarWinds cyberattack, but targeting medical devices, would have the potential to cause untold damage.