As technology continues to transform the way healthcare is delivered, the industry is burdened by the growing cybersecurity risks inherent in the expansion of connected devices. Understanding that each connected device opens another pathway for threat actors, it’s incumbent upon device manufacturers to keep security foremost throughout the development life cycle.

The question is, how can manufacturers ensure the security of the devices they create? Furthermore, what can healthcare companies do to mitigate the risks inherent in the future of healthcare cybersecurity?

Taking the Pulse of Health Care Cybersecurity Today

Because they are so often the target of cyberattacks, healthcare organizations took a beating once again in 2018. We saw some significant data breaches last year, such as the attack on Med Associates where more than 270,000 patient records were breached.

New research from Clearwater found that the three most common vulnerabilities in healthcare cybersecurity are user authentication deficiencies, endpoint leakage and excessive user permissions — which, combined, account for nearly 37 percent of all critical risk scenarios. Credential misuse continues to threaten enterprise security across all sectors, including healthcare.

“When malicious actors gain access to accounts — whether by weak passwords or phishing attacks — they are given the literal keys to the kingdom,” said Justin Jett, director of audit and compliance for Plixer.

When it comes to medical devices, however, cybersecurity is making progress. According to Leon Lerman, CEO of Cynerio, “We are currently in the increased awareness state where healthcare providers, the Food and Drug Administration (FDA), the Department of Health and Human Services (HHS) and device manufacturers are starting to be more active in the space.”

Moving Toward a More Secure Future

The good news is that healthcare providers at hospitals are starting to include cybersecurity requirements in their procurement process. In fact, some are no longer depending on the medical device manufacturers and instead actively looking for dedicated device security solutions.

According to Lerman, the FDA and Department of Homeland Security (DHS) recently launched a joint initiative to “increase coordination in dealing with threats related to medical devices.” In addition, HHS released cybersecurity best practices to help healthcare organizations manage threats and protect patients from internet of things (IoT)-based attacks and other threats.

Manufacturers have not progressed alongside hospitals, though there are more conversations about strengthening the security of their devices, taking part in cybersecurity testing and streamlining the patching process. In reality, though, it’s only been within the last decade that these conversations have been taking place, and according to Anura Fernando, chief innovation architect at UL, medical devices can take at least that long to develop and get into the market.

“If you couple that with the fact that many devices are used by hospitals for 20–25 years, you can see that there is a major legacy systems issue, with many devices lacking security controls at the device level. Based on that timing offset, it could easily be five to 10 years before we see the complete turnover of equipment in use by hospitals that didn’t even have cybersecurity considered during design,” Fernando explained.

The Challenges of Securing Connected Devices

Legacy systems present myriad cybersecurity challenges, but there are other obstacles to securing medical devices. One that is closely related to legacy equipment is that of component obsolescence.

“When you consider the lengthy development timelines associated with most devices, it can easily be the case that security-related components such as operating systems and microcontrollers cease to be supported by the component vendor soon after a medical device reaches the market,” Fernando said.

As a result, maintenance activities such as security patches are no longer feasible for hospitals. Let’s say that security patches are released by the vendors, however. The time and cost it takes to validate these updates to devices is onerous.

“Even once this validation process is complete, it can be a daunting task to manage the deployment of a patch into the highly dynamic operational life cycle phase of a device, which may be in process of performing critical functions like life support,” said Fernando.

How Health Care Organizations Can Mitigate Security Risks

You can’t protect what you can’t see, so proper visibility into connected devices and their ecosystem is critical. Once you have visibility, understand the risk that each of these devices poses and take necessary proactive measures to minimize this risk, such as network segmentation, patching and removing devices from networks.

By monitoring device behavior and understanding what devices do in the context of medical workflows, you can detect anomalies when devices behave suspiciously. And, of course, early detection enables quicker response.

Strengthening password requirements can help you reduce risk, but when malicious actors gain a foothold, organizations need network traffic analytics to understand where the attack started and determine whether it has spread.

“By looking at how credentials are used throughout the network and creating a baseline of normal usage, network and security teams can be alerted to anomalous credential use and stop attacks as they happen,” Jett said.

Furthermore, all of the different stakeholders in the healthcare value chain need to be invested in securing the future of connected healthcare. Since this is a widespread effort across the healthcare environment, industry leaders should develop guidelines and standards to evaluate whether products and devices meet cybersecurity standards.

More from Endpoint

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…