By Xu Zou, CEO and co-founder, Zingbox.
Recent research was published by the Washington Post about malware that was created to disrupt medical imaging equipment and networks. This is yet another wake-up call for the healthcare industry, which has been underinvesting in security for the last decade. Quite simply, there is a misconception that hospitals’ internal networks are a safe harbor from external cyberattacks. This is despite the fact that real-world data has repeatedly shown that healthcare has been one of the top industries under attack for the last five years. While previous attacks mainly focused on stealing personal health information, this research demonstrates how serious or even deadly an attack on healthcare can be.
There are a few reasons why cyberattacks in healthcare today can have devastating consequences.
Medical device vulnerabilities
Many medical devices inside hospitals are running decade-old operating systems and applications that have many well-known vulnerabilities. In fact, it may be a surprise to many that the vast majority of imaging systems run on Windows OS. Further, recent Zingbox research shows that today, 1 out of 4 imaging systems run on OSes that are no longer supported. By next year, 85% of imaging systems are expected to run on end-of-life OSes as Microsoft terminates support for some of its popular Windows OSes.
To make matters worse, most medical device manufacturers lack strong in-house cybersecurity expertise. While their expertise lies in device reliability and accuracy, which continue to be top requirements for connected medical devices, the lack of cybersecurity expertise puts the device reliability and accuracy into question. The lack of cyber-specific expertise also limits manufacturers’ ability to “bake in” cybersecurity measures on the device.
One might think that patches and upgrades are the answer. Unfortunately, no. FDA certification and other requirements pose significant hurdles for manufacturers to apply patches or upgrades to devices already deployed at hospitals.
Tools designed for IoT
Many hospitals lack the tools to monitor life-critical devices with 100% assurance of uninterrupted service and care. Such tools must be completely transparent to the device and in no way interfere with or hamper its operation. Yet organizations continue to rely on traditional IT security solutions for IoT. Network security tools such as firewalls and antivirus software leave security gaps that hackers can easily exploit.
Vulnerabilities that stem from inadequate IoT security tools:
- Most network security solutions often cannot discern a PC from a CT scanner, whereas such a distinction is critical for cybersecurity.
- A CT scanner’s communication is almost never encrypted, device access doesn’t require basic authentication, and given the mobility of typical CT scanners, the devices can be connected to any internal network, according to Zingbox’s research findings.
- Connecting a device to any network breaks the basic micro-segmentation policies IT teams have been encouraged to deploy for cybersecurity.
The research from the Washington Post article should be a wake-up call for healthcare to invest in modern tools tailored for IoT, such as artificial intelligence (AI)/machine learning (ML) used to streamline operations without heavy resource investment. Solutions based on AI/ML can analyze the behavior of devices such as a CT scanner with relatively stable and predictable behaviors. Such solutions are very effective and high performing, without the limitations of traditional IT solutions or need for large resources.
Siloed organization structure
One of the main reasons healthcare providers don’t have a unified IoT security plan today is that they are organized in silos: IT and clinical teams, sometimes referred to as operations teams (OT), are in different organizations that don’t share information and best practices. A comprehensive medical device security strategy must cross the silo barriers to involve multiple members from both the IT and clinical sides of the organization.
Gartner refers to this collaboration as “Real Time Health Systems” (RTHS), a combined IT and clinical team that has 100 percent ownership of the most critical infrastructure inside the hospital. An RTHS will have clear goals, develop streamlined processes and protocols, and have clear accountability to address cybersecurity challenges. Any effective organization-wide security solution must enable such IT-OT convergence and embrace and encourage cross-domain exchange and information sharing. According to Gartner, healthcare providers must speed up the process of achieving IT-OT convergence.
While the recent research is alarming, there are several measures healthcare providers can implement today to greatly reduce the exposure to cyberattacks. The measures range from streamlining the organization to investments in the right tools to maximize the resources hospitals already have. At a minimum, healthcare providers should reassess their security coverage for medical devices and begin formulating comprehensive security strategies.