Report: Healthcare Systems Need to Improve IoT Device Security

March 17, 2020
Devices such as X-Ray machines often run end-of-life operating systems with known vulnerabilities, according to Palo Alto Networks’ Unit 42 research team

Many healthcare organizations continue to display poor network security hygiene, according to a study from vendor Palo Alto Networks’ Unit 42 research team. For instance, the team found that 83 percent of all medical imaging systems it studied run on end-of-life operating systems with known vulnerabilities and no security updates or patch support.

Unit 42 threat intelligence and IoT security experts analyzed security incidents throughout 2018 and 2019 across 1.2 million IoT devices in the United States and compiled the results in their 2020 Unit 42 IoT Threat Report.

The researchers found that the general security posture of IoT devices is declining, leaving organizations vulnerable to new IoT-targeted malware as well as older attack techniques that IT teams have long forgotten.

The white paper highlights several weaknesses in the healthcare sector, including staffing and departmental silo issues. For instance, in hospitals, biomedical engineers maintain the medical devices, but they often lack training and resources to follow IT security best practices, the report said. They also don’t maintain the underlying operating systems that power the devices. Because connected devices such as X-Ray machines often run end-of-life operating systems with known vulnerabilities, they pose a high risk to the health system’s operations. New attacks exploit vulnerabilities in the underlying operating system to target medical IoT devices.

Due to their long lifecycles, medical IoT devices are among the worst offenders when it comes to running outdated and, in many cases, end-of-life operating systems, the report said. These devices are neither maintained by IT nor supported by the operating system vendors.

The most basic IoT risk remediation practice is network segmentation, the Unit 42 research team notes. “Despite this, only 3 percent of all segmented networks or virtual local area networks (VLANs) in the healthcare organizations we studied contained strictly medical IoT devices, and 25 percent contain non-medical IoT devices (IP phones, printers, etc.).”

Seventy-two percent of healthcare VLANs house a mix of medical IoT devices, generic enterprise IoT devices, and IT devices. So an infected laptop could target surveillance cameras and DICOM viewers found in the same network. “This is low-hanging fruit for healthcare organizations to address this year,” the report concludes.
