Report: Healthcare Systems Need to Improve IoT Device Security
Many healthcare organizations are continuing to display poor network security hygiene, according to a study from vendor Palo Alto Networks’ Unit 42 research team. For instance, they found that 83 percent of all medical imaging systems they studied run on end-of-life operating systems with known vulnerabilities and no security updates or patch support.
Unit 42 threat intelligence and IoT security experts analyzed security incidents throughout 2018 and 2019 across 1.2 million IoT devices in the United States and collected them in their 2020 Unit 42 IoT Threat Report.
The researchers found that the general security posture of IoT devices is declining, leaving organizations vulnerable to new IoT-targeted malware as well as older attack techniques that IT teams have long forgotten.
The white paper highlights several weaknesses in the healthcare sector, including staffing and departmental silo issues. For instance, in hospitals, biomedical engineers maintain the medical devices, but they often lack the training and resources to follow IT security best practices, the report said. They also don’t maintain the underlying operating systems that power the devices. Because connected devices such as X-ray machines often run end-of-life operating systems with known vulnerabilities, they pose a high risk to the health system’s operations. New attacks exploit vulnerabilities in the underlying operating system to target medical IoT devices.
Due to their long lifecycles, medical IoT devices are among the worst offenders when it comes to running outdated and, in many cases, end-of-life operating systems, the report said. These devices are neither maintained by IT nor supported by the operating system vendors.
The most basic IoT risk remediation practice is network segmentation, the Unit 42 research team notes. “Despite this, only 3 percent of all segmented networks or virtual local area networks (VLANs) in the healthcare organizations we studied contained strictly medical IoT devices, and 25 percent contain non-medical IoT devices (IP phones, printers, etc.).”
Seventy-two percent of healthcare VLANs house a mix of medical IoT devices, generic enterprise IoT devices, and IT devices. So an infected laptop could target surveillance cameras and DICOM viewers found in the same network. “This is low-hanging fruit for healthcare organizations to address this year,” the report concludes.
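The two findings above (end-of-life operating systems, and VLANs that mix medical IoT with IT and enterprise IoT devices) are both things a healthcare security team can check against its own asset inventory. The following is an added example written for this article, not code from Unit 42 or from the report: it takes a constructed inventory of hosts with their VLAN, device class and operating system, flags devices on an assumed end-of-life OS list, classifies each VLAN the way the report does (strictly medical, non-medical only, or mixed), and lists which medical devices on a mixed VLAN share layer-2 reach with an IT or enterprise IoT device. Host names, VLAN ids and the `EOL_OS` set are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not taken from the report). One entry per
# device: hostname, VLAN id, device class and the operating system it runs.
INVENTORY = [
    {"host": "ct-scanner-01",  "vlan": 10, "cls": "medical_iot",    "os": "Windows 7"},
    {"host": "xray-02",        "vlan": 10, "cls": "medical_iot",    "os": "Windows XP"},
    {"host": "mri-01",         "vlan": 20, "cls": "medical_iot",    "os": "Windows 10"},
    {"host": "ipcam-lobby",    "vlan": 20, "cls": "enterprise_iot", "os": "Linux 4.4"},
    {"host": "nurse-laptop-7", "vlan": 20, "cls": "it",             "os": "Windows 10"},
    {"host": "printer-3f",     "vlan": 30, "cls": "enterprise_iot", "os": "embedded"},
    {"host": "ipphone-3f-01",  "vlan": 30, "cls": "enterprise_iot", "os": "embedded"},
]

# Assumed list of operating systems whose vendor no longer ships security
# updates; a real deployment would source this from vendor lifecycle data.
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}


def eol_devices(inventory):
    """Hosts running an operating system on the end-of-life list."""
    return [d["host"] for d in inventory if d["os"] in EOL_OS]


def vlan_profile(inventory):
    """Map each VLAN id to the set of device classes present on it."""
    classes = defaultdict(set)
    for d in inventory:
        classes[d["vlan"]].add(d["cls"])
    return dict(classes)


def classify_vlans(inventory):
    """Bucket VLANs the way the report does: strictly medical IoT,
    non-medical only, or a mix of medical and other devices."""
    result = {"strictly_medical": [], "non_medical_only": [], "mixed": []}
    for vlan, cls in sorted(vlan_profile(inventory).items()):
        if cls == {"medical_iot"}:
            result["strictly_medical"].append(vlan)
        elif "medical_iot" not in cls:
            result["non_medical_only"].append(vlan)
        else:
            result["mixed"].append(vlan)
    return result


def segmentation_summary(inventory):
    """Percentage of VLANs in each bucket (rounded to whole percent)."""
    buckets = classify_vlans(inventory)
    total = sum(len(v) for v in buckets.values())
    return {k: round(100 * len(v) / total) for k, v in buckets.items()}


def mixed_vlan_exposures(inventory):
    """For each mixed VLAN, the medical devices on it and the non-medical
    neighbours they share a broadcast domain with. This is the condition
    the report describes: an infected laptop on the same VLAN as a modality."""
    mixed = set(classify_vlans(inventory)["mixed"])
    exposures = {}
    for vlan in sorted(mixed):
        on_vlan = [d for d in inventory if d["vlan"] == vlan]
        exposures[vlan] = {
            "medical": sorted(d["host"] for d in on_vlan if d["cls"] == "medical_iot"),
            "neighbours": sorted(d["host"] for d in on_vlan if d["cls"] != "medical_iot"),
        }
    return exposures


if __name__ == "__main__":
    print("End-of-life OS:", eol_devices(INVENTORY))
    print("VLAN buckets:", classify_vlans(INVENTORY))
    print("Share of VLANs per bucket:", segmentation_summary(INVENTORY))
    print("Mixed-VLAN exposures:", mixed_vlan_exposures(INVENTORY))
```

On the constructed data, VLAN 10 is strictly medical, VLAN 30 holds only enterprise IoT, and VLAN 20 is mixed, so `mri-01` shows up next to a camera and a laptop. The same two checks run against a real CMDB or NAC export give a per-site version of the report's 3 / 25 / 72 percent figures and a concrete list of which modalities to move into a dedicated medical VLAN first.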