Exactly How Vulnerable Are IoMT Devices?
Healthcare has become the most targeted industry for cybercriminals, the American Journal of Managed Care finds, with as many as one-third of all U.S. patient data breaches occurring in hospitals.
The CyberMDX report notes that the U.S. is home to some 120 million connected medical devices and clinical assets — all of which are vulnerable to attack.
One of the latest security issues to impact medical devices — BlueKeep — is yet another reminder of that exposure. A weakness in Microsoft’s Remote Desktop Protocol service, BlueKeep is feared by security teams because it could be deployed as a worm in a similar manner to EternalBlue, which helped power the WannaCry attack that affected tens of thousands of medical tools in England and Scotland.
Large or small, such breaches happen for a reason: “There’s a low threshold of entry on those devices,” says Charles Christian, vice president of technology for Franciscan Health, which operates 14 hospitals in Illinois and Indiana. “Once you’re in, you’re in, and those devices are able to be used as tools in a denial of service attack.”
“WannaCry didn’t just impact computers, it impacted medical devices,” Christopher Frenz, associate vice president of information security for Interfaith Medical Center in Brooklyn, N.Y., said last week at the CDW Protect SummIT in San Antonio. “And losing a medical device is a problem.”
The problem is so great that at least 10 U.S. hospitals reported they had to turn away patients last year after being compromised by ransomware.
Despite repeated warnings of the potential for this type of attack, many Windows systems remain at risk. CyberMDX’s 2020 Vision report states that 22 percent of all Windows devices found in a typical hospital are susceptible to BlueKeep, primarily due to a lack of relevant patching. Among all connected medical devices running on Windows, that figure more than doubles.
The Human Risk Associated with IoMT Devices
Internal misconduct accounts for 56 percent of all incidents in healthcare, making it the only industry where cyberharm is more often inflicted by insiders, a Verizon report finds. While the vast majority of those threats are unintentional, they still pose a danger.
IoMT devices have one inherent weakness that could be addressed to reduce these incidents: passwords.
“We’ve seen there was at least a couple of massive denial of services attacks that were done by using IP-based security cameras that had a default password in it, that couldn’t be either easily changed or changed at all,” says Christian.
Russell Jones, a partner with Deloitte’s Cyber Risk Services, considers the use of hard-coded credentials and passwords to be the No. 1 vulnerability associated with IoMT.
“From the kinds of attacks that we’ve seen out in the wild, hard-coded credentials or hard-coded passwords that are tied to a privileged account with permissions to do anything in a system are a huge vulnerability,” Jones told HealthTech in an interview.
The value of eliminating passwords for security purposes was echoed by other security professionals this month at CDW’s Protect SummIT.
“I do want to see passwords eliminated,” Theresa Payton, CEO of Fortalice Solutions and former White House CIO, said in her conference keynote. “My worry about our push to no passwords, however, is that it’s just replaced with something else.”