Report: Healthcare Systems Need to Improve IoT Device Security

March 17, 2020
Devices such as X-Ray machines often run end-of-life operating systems with known vulnerabilities, according to Palo Alto Networks’ Unit 42 research team

Many healthcare organizations continue to display poor network security hygiene, according to a study from vendor Palo Alto Networks’ Unit 42 research team. For instance, the researchers found that 83 percent of all medical imaging systems they studied run on end-of-life operating systems with known vulnerabilities and no security updates or patch support.

Unit 42 threat intelligence and IoT security experts analyzed security incidents throughout 2018 and 2019 across 1.2 million IoT devices in the United States and collected their findings in the 2020 Unit 42 IoT Threat Report.

The researchers found that the general security posture of IoT devices is declining, leaving organizations vulnerable to new IoT-targeted malware as well as older attack techniques that IT teams have long forgotten.

The white paper highlights several weaknesses in the healthcare sector, including staffing and departmental silo issues. For instance, in hospitals, biomedical engineers maintain the medical devices, but they often lack training and resources to follow IT security best practices, the report said. They also don’t maintain the underlying operating systems that power the devices. Because connected devices such as X-Ray machines often run end-of-life operating systems with known vulnerabilities, they pose a high risk to the health system’s operations. New attacks exploit vulnerabilities in the underlying operating system to target medical IoT devices.

Due to their long lifecycles, medical IoT devices are among the worst offenders of running outdated and, in many cases, end-of-life operating systems, the report said. These devices are neither maintained by IT nor supported by the operating system vendors.

The most basic IoT risk remediation practice is network segmentation, the Unit 42 research team notes. “Despite this, only 3 percent of all segmented networks or virtual local area networks (VLANs) in the healthcare organizations we studied contained strictly medical IoT devices, and 25 percent contain non-medical IoT devices (IP phones, printers, etc.).”

Seventy-two percent of healthcare VLANs house a mix of medical IoT devices, generic enterprise IoT devices, and IT devices. So an infected laptop could target surveillance cameras and DICOM viewers found in the same network. “This is low-hanging fruit for healthcare organizations to address this year,” the report concludes.
