Outdated IoT healthcare devices pose major security threats

More than half (53%) of the IoT (internet of things) and internet of medical things (IoMT) devices used in healthcare contain critical cybersecurity risks, according to The State of IoMT Device Security report by Cynerio, which analyzed devices from more than 300 hospitals in the US.

Cynerio makes IoT and security systems for heathcare providers. For the report, more than 10 million IoT and IoMT devices were scanned. Cynerio used a connector which, when connected to a SPAN (switched port analyzer) port on the core switch of a network, collects device traffic information for each device connected to the network. This information was then analyzed by an in-house AI algorithm to help identify vulnerabilities and threats.

The report found that IV (intravenous) pumps make up 38% of a hospital’s typical healthcare IoT footprint, and 73% of these pumps have at least one vulnerability that could jeopardize patient safety, data confidentiality or service availability if identified by a bad actor.

“Healthcare systems have multiple attack surfaces from the very infrastructure within a hospital to the increased (if not total) digitization of medical records,” says Constellation Research analyst Liz Miller. “The global pandemic sweetened the pot for attackers, and it quickly became open season on networks, systems, and devices.”

The report found that 79% of IoT devices are used at least once a month, while 21% may go without use for four weeks.

Unpatched devices open up big risk

“Once a medical device is used for a patient, it could be in use for days or weeks at a time,” says Daniel Brodie, Cynerio’s CTO. “Many devices have operational requirements of 24 hours a day, 7 days a week, and an interruption, even for patching, could have serious consequences for medical workflows, patient safety, and hospital operations.”

Another factor contributing to the devices missing out on timely upgrades is that a typical hospital network may host a combination of devices from different vendors and streamlining the patching and upgrading process becomes too complex to be achieved within the respective downtime windows, according to Brodie.

Almost half (48%) of the IoT devices scanned in the research used Linux as their operating system which, according to the report, leads to growing concerns as Linux is an open-source platform that has gained much popularity within the bad actors’ community as it powers almost 70% of web servers worldwide.

“We are seeing an increased targeting of Linux devices by ransomware groups in IoT environments,” Brodie adds. “The offenders understand and target their attacks, almost in a customized fashion, to a hospital’s unique setup. It takes longer than a ‘spray and pray’ type of attack, but the potential for payoff is much higher.”

Another key finding of the report is that although only a marginal number of IoT devices in a healthcare setup run on Windows, the critical care sector overall is dominated by devices running old versions of Windows, typically older than Windows 10. These include devices used by hospital departments usually responsible for the direct care of patients like pharmacology, oncology, and labs.

Ransomware leads IoT attacks

Of the many cyberattacks targeting the healthcare space, ransomware has emerged to be the most problematic in recent times. The Cynerio report pointed out that in 2021 ransomware attacks on hospitals increased 123% year-on-year, costing a total of $21 billion from over 500 attacks. The average cost per ransomware attack has been found to be $8 million and each attack is estimated to take an organization around 287 days to fully recover.

Ransomware attacks have become more prevalent in the past two years, according to Forrester analyst Allie Mellen. Due to the nature of healthcare equipment, there can be a lot of challenges to upgrading legacy systems, given the wide array of devices.

Malware or DDoS (distributed denial of service) attacks are the most frequent and tend to turn into ransomware demands. In a typical attack, the devices to go down are the ones that track patients’ vital signs along with the systems that compile the medical history and documentation of each patient, according to Brodie. This is quickly followed by the shutdown of communication systems including email and VOIP phones, making it hard to pass on critical information. Other systems that lose functionality during these attacks include radiology, imaging, PACS (picture archiving and communication system) machines and scanners, IV and insulin pumps, printers, and other network equipment.

Network segmentation could eliminate key vulnerabilities

The report concluded that although URGENT/11 and Ripple20 have made the most recent headlines for being the key vulnerabilities within healthcare IoT devices, they make up only about 10% of the real threat. URGENT/11 and Ripple20 refer to the group of vulnerabilities that allows attackers to circumvent firewalls and remotely take control of the devices through TCP/IP stack without user interaction.

The top vulnerabilities, according to the report, are Cisco IP Phone CVEs (common vulnerabilities and exposures), which comprised 31% of vulnerabilities detected; weak HTTP credentials, with 21% of detected vulnerabilities; and open HTTP port, with 20%.

The report recommends network quarantine and segmentation as the most effective technique to remediate the vulnerabilities, as patching is a difficult fix for IoT devices coming from different vendors. It also emphasizes that a proper balance of network connections, with a mix of the east-west (device to device) and north-south (server to device) form of segmentation, is vital to ensure safety without disrupting connectivity.

“Context is important, in a healthcare environment specifically, you can’t have segmentation interfering with clinical workflows or interrupting patient care, so there is definitely a balance that needs to be struck between connection and severance,” Brodie says. He elaborates that, for instance, the IV pumps could be connected only to the servers at the data centers and not to other servers or devices (in a north-south segmentation maneuver) that may be more easily accessed.