Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

3/19/2018
09:35 AM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

IoT Use Complicates Security Landscape in Healthcare

As billions of IoT devices are coming online, especially in healthcare, the security landscape is getting increasingly complicated, according to a report from Zingbox.

Securing the expanding universe of billions of Internet of Things devices is anything but straightforward. But in the healthcare sector, it presents unique threats to human safety and operational efficiency.

To date, there's been a dearth of data from hospitals and clinics about the effects of cybersecurity threats and attacks. Over the course of this year, hackers will escalate activity targeted at medical facility weaknesses, with the implication that patient deaths could result, according to Zingbox, a firm based in Mountain View, Calif., that develops IoT device security for the healthcare sector.

However, new information collected from 50 US facilities and tens of thousands of medical devices over 12 months offers those in healthcare a snapshot of where the vulnerabilities are, and how they could be minimized. This study is part of what Zingbox calls the first cybersecurity report for the sector.

The study has some surprising results.

"This [data] gives us a wide-scale view of connected healthcare devices and enables us to pinpoint not just where the vulnerabilities are, but what's triggering the issues," Xu Zou, CEO and co-founder of Zingbox, told Security Now. "Many organizations don't have a clear picture of their networks, or even what devices are connected [across them]."

Bad practice
It turns out that user behavior is the biggest problem. About 40% of security issues noted in the report were created by medical staff using embedded browsers on workstations to access the Internet, conduct online chat or download content. A further 33% of risks on connected medical devices were accounted for by outdated operating systems or software, obsolete applications or unpatched firmware.

Facilities have clearly fallen down here, when policy enforcement and network restriction could cut the number of rogue applications and risky browser usage that inadvertently place patient lives at risk. Any threat that impairs operational wellbeing -- such as a ransomware or distributed denial of service (DDoS) attack -- also reduces the ability to care for patients effectively.

Devices that threaten safety
Any medical device connected to the network poses a threat. These include infusions pumps, imaging systems, patient monitors, ECG machines, nurse call and patient tracking systems. Interestingly, although infusion pumps are the most widely deployed medical device -- and are directly connected to patients -- they are the least susceptible to security threats.

"[We] point out that while infusion pumps make up nearly 50% of connected devices in hospitals, they don't represent the largest attack surface," said Zou. "Security issues relating to pumps were only at 2%, however, attention to protecting these devices should still be a priority since a successful attack on a single pump could result in disabling the bulk of all infusion pumps through lateral movement and infection."

Imaging systems ranked number one in the report as the source of 51% of all security issues. That's partly a product of the sheer variety of imaging systems in place. These range from X-ray, ultrasound and MRI machines, to digital imaging and communications workstations, and picture archiving and communications servers.

It's also a product of the number network applications that run on imaging systems. These devices average about seven network applications per device, more than any other, and three of the applications are specifically for communicating outside of the organization. Other devices are primarily designed for intra-organizational communication, and so they present a reduced threat.

Also, imaging systems are often built on commercial-off-the-shelf (COTS) OS, are expected to have a long lifespan, are expensive to replace and according to the report, often outlive support agreements with vendors.

Device segmentation
Almost nine out of ten hospitals surveyed have less than 20 VLANs to successfully segment and isolate medical devices against lateral movement from an attack. Zingbox views this as too few for almost any size of facility to be of practical cybersecurity benefit. For organizations without the visibility into their connected devices, all they have is a collection of IP addresses without any context.

Organizations looking to VLAN segmentation for protection also need to bear in mind that only about 25% of the devices on healthcare networks are medical. Almost 45% of devices are PCs, with multiple other devices comprising printers, scanners, IP phones, smartphones and surveillance cameras. This is itself is a big weakness since a PC can be attacked and then laterally moved to medical devices.

"Understanding how [attacks] enter our networks is critical to protecting patient data and safety," said Zou. "As we continue to gather more knowledge, we can better arm our staff and networks to prevent these dangerous events."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.