He points out that there is a broad variety of medical technologies and medical IT being deployed.
“Networked computing devices that are specific to the medical industry — such as equipment directly hooked up to patients, or medical imaging servers — tend to not be directly deployed on the public internet, especially for larger and better funded organizations,” Kraning notes.
However, there are multiple IT systems, including medical administration systems, that modern healthcare providers use to run their businesses.
That’s where Kraning sees the highest risk: Through these systems, which are less directly centered on patients, attackers can break in and eventually obtain access to more sensitive systems containing patient data.
The risk lies not in the system that directly houses, for example, all patient imaging and all electronic medical records, but instead can be found in what Kraning calls “side doors,” through which attackers can enter the network.
“Once they’re on the inside, they will move laterally and get into these more sensitive systems,” he explains. “For the healthcare sector in particular, there are a lot of these side doors that attackers know how to take advantage of.”
The Importance of Getting Health IT Basics “Right”
Kraning says very few organizations can track everything they have centrally. This is especially true for a large multiregional hospital network.
“They’ve grown through acquisitions, and when you do acquisitions, there will likely be redundancies and reductions of IT staff,” he says. “If you had a large hospital with a substantial IT staff, they were probably tracking a fair amount of IT services, but usually this entire enterprise process is done at a static point in time through spreadsheets and email.”
When most of those people are let go, he says, that knowledge often goes with them. The enlarged organization likely will never know where all the IT is located or what its current state is, and it “definitely” is not going to be tracked in a central way.
“Therefore, over time, old systems don’t get recognized as such, and if companies have security policies and technologies, they might be deployed on only 60 percent of their assets because they didn’t know about the other 40 percent,” Kraning says.
What became apparent through the Palo Alto report, he explains, is that the attack surface management failures begin with many of the more standard “nuts and bolts” IT management strategies on which any organization must focus.
“For organizations as important as healthcare, you need to get the IT basics right,” he says. “I think they get a lot of the medical IoT basics done quite well with respect to not being directly exposed on the internet. But, unfortunately, they’re giving the attackers a side door because a lot of the IT basics are not being taken care of.”
From Kraning’s perspective, the most important steps a healthcare organization can take are, first, improving visibility over all networks and potential access points, and then prioritizing remediation, which means developing systems for scoring risk severity and understanding when something is vulnerable.
“Not only do you need continuous visibility over all your assets, but you also need the ability to remediate quickly and understand what you have and if it’s vulnerable,” he says.
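The two steps described above, visibility first and then risk-ranked remediation, as an added example that is not from the article or the Palo Alto report: it reconciles a central inventory with what discovery actually finds, reports the coverage gap, and ranks the remediation queue so that internet-exposed, untracked administrative systems (the “side doors”) surface first. All hostnames, roles and findings are constructed, and the weights are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    host: str
    role: str                 # e.g. "admin", "imaging", "emr"
    internet_exposed: bool    # reachable from the public internet
    policy_covered: bool      # security policy/agent actually deployed
    open_findings: int        # unremediated vulnerability findings
    tracked: bool = False     # filled in by reconcile()

# Constructed central inventory: what IT believes it owns.
INVENTORY = {"emr-db01", "pacs01", "hr-portal", "billing-web"}

# Constructed discovery results: what scanning actually found.
DISCOVERED = [
    Asset("emr-db01", "emr", False, True, 0),
    Asset("pacs01", "imaging", False, True, 1),
    Asset("hr-portal", "admin", True, True, 0),
    Asset("billing-web", "admin", True, False, 2),
    Asset("legacy-sched", "admin", True, False, 3),  # acquired, never inventoried
]

def reconcile(inventory, discovered):
    """Mark each discovered asset as tracked (known centrally) or not."""
    for a in discovered:
        a.tracked = a.host in inventory
    return discovered

def coverage(inventory, discovered):
    """Fraction of discovered assets the central inventory knows about."""
    return sum(a.host in inventory for a in discovered) / len(discovered)

def risk_score(a):
    """Higher is worse. Exposure and missing visibility weigh most (assumed
    weights): side doors are exposed systems nobody is tracking or patching."""
    score = 0
    if a.internet_exposed: score += 40
    if not a.tracked: score += 25
    if not a.policy_covered: score += 15
    score += 10 * a.open_findings
    return score

def prioritize(inventory, discovered):
    """Return (host, score) pairs, worst first, as the remediation queue."""
    assets = reconcile(inventory, discovered)
    return sorted(((a.host, risk_score(a)) for a in assets),
                  key=lambda hs: hs[1], reverse=True)

if __name__ == "__main__":
    for host, score in prioritize(INVENTORY, DISCOVERED):
        print(f"{score:3d}  {host}")
    print(f"inventory coverage: {coverage(INVENTORY, DISCOVERED):.0%}")
```

The untracked, exposed, unpatched scheduler tops the queue even though it holds no patient data, which is exactly the ordering the text argues for.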