Report: Exposed Medical Devices, Supply Chain Attacks Pose Major Cyber Risks

April 5, 2018
This coming May marks the anniversary of the WannaCry attack, yet, a year later, researchers found that the scare of ransomware may not have resulted in more secure healthcare environments, rather the attack surface has only expanded.

In a new report, “Securing Connected Hospitals,” researchers with Trend Micro, a global cloud security solutions company with U.S. headquarters in Los Angeles, took a deep dive into the threats and areas of exposure within healthcare networks. The report, which provides research on exposed medical systems and supply chain risks, was released in collaboration with HITRUST.

“As hospitals and other healthcare facilities adopt new technology, add new devices, and embrace new partnerships, patients get better and more efficient services — but the digital attack surface expands as well. The more connected they get, the more attractive they become as lucrative targets to threat actors,” researchers wrote in a recent report.

Although the report is extensive, it highlights two aspects of healthcare networks that researchers feel IT teams need to consider as part of their overall security strategy—exposed medical devices and the supply chain.

Using Shodan, a search engine for internet-connected devices, the researchers looked for healthcare-related cyber assets and found that a large number of hospital systems are exposed on the internet. The researchers discovered exposed medical systems, healthcare software interfaces and even misconfigured hospital networks that should not be viewable publicly. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices can potentially be leveraged by cybercriminals and other threat actors to penetrate organizations, steal data, run botnets and install ransomware.

Specifically, researchers found that several Digital Imaging and Communications in Medicine (DICOM) servers were exposed, including those owned by 21 universities. “These DICOM servers should not be exposed online. Exposed medical systems potentially jeopardize critical data such as patients’ personally identifiable information (PII) and medical records,” the researchers wrote in the report.

“Altogether we found a surprisingly high number of exposed servers that process and store medical images such as computed tomography (CT) and magnetic resonance imaging (MRI) scans and X-rays through Shodan. Along with medical systems were exposed ports, databases, and we even identified misconfigured hospital networks,” the researchers wrote in the report.

Researchers also found a handful of exposed electronic health record (EHR) system interfaces. “Perpetrators can, with additional effort, disrupt hospital, clinic, and pharmacy operations by corrupting sensitive data, issuing incorrect device commands, infecting systems with ransomware, and so on,” the report states.

Additionally, using threat risk assessment models, the researchers determined DDoS attacks to be the most serious overall threat to healthcare organizations.

Aside from the risks brought on by unsecured medical devices and systems online, healthcare IT teams should also develop a plan of action for another oft-neglected mechanism of hospital operations—the supply chain, the report notes. Weaknesses in the supply chain have led to high-profile breaches in other industries such as retail.

Supply chain threats are potential risks associated with the suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity.

“Given the fluid and unique nature of the partnerships hospitals form with each and every third-party vendor or contractor, healthcare IT teams must closely study their networks for supply chain weaknesses, which could lead to a cyberattack,” the report states.

The researchers specifically identified a number of vectors that pose potential risks:

Device firmware attacks—Threat actors can access and modify a medical device’s firmware source code to add malicious functionality or install a backdoor.

mHealth mobile app compromise—mHealth mobile apps can be compromised to change functionality, deliver fatal-level dosages, expose personal health data, penetrate other hospital systems, and cause HIPAA violations.

Source code compromise during manufacturing—Perpetrators can access and modify software source code via backdoor installation or device rooting.

Insider threats from hospital and vendor staff—Fueled by a desire for revenge or sometimes through sheer negligence, staff may abuse access privileges, leading to a breach.

Website, EHR, and internal portal compromise—Perpetrators can attempt to compromise hospital websites, EHR software, and internal portals used by hospital staff and vendors.

Spear phishing from trusted email accounts—Threat actors can gain control of vendor credentials and send clients

While healthcare IT teams have competing priorities, the report recommends a number of technical solutions as a baseline: Network segmentation; firewalls; next-generation firewalls/Unified Threat Management (UTM) gateways; anti-malware solutions; anti-phishing solutions; breach detection systems (BDS); Intrusion Prevention/Detection Systems (IPSs/IDSs); encryption technologies; patch management (physical or virtual); vulnerability scanners; deception technologies; and Shodan scanning.
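The report's Shodan findings (exposed DICOM and imaging servers) and its recommendation that IT teams run their own Shodan scanning suggest a simple triage step: take an export of search results, keep only records in the organisation's own address space, and flag anything that looks like a medical protocol. The script below is an added illustration, not code from the report or from Trend Micro; the records and the 203.0.113.0/24 range are constructed (RFC 5737 documentation addresses) and only mimic the shape of a Shodan JSON-lines export.

```python
"""Triage constructed Shodan-style export records for exposed medical services."""
import ipaddress
import json

# IANA-registered DICOM ports (104, 11112) and the port commonly used for HL7 MLLP (2575).
MEDICAL_PORTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7 MLLP"}
# Banner keywords that indicate an imaging/records service even on a non-standard port.
MEDICAL_KEYWORDS = ("dicom", "pacs", "hl7", "orthanc", "dcm4chee")

# Constructed records mimicking a Shodan JSON-lines export (one JSON object per line).
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "203.0.113.10", "port": 104, "transport": "tcp", "product": "", "data": ""},
    {"ip_str": "203.0.113.22", "port": 8042, "transport": "tcp", "product": "Orthanc",
     "data": "HTTP/1.1 200 OK\r\nServer: Orthanc/1.x"},
    {"ip_str": "198.51.100.5", "port": 104, "transport": "tcp", "product": "", "data": ""},
    {"ip_str": "203.0.113.30", "port": 443, "transport": "tcp", "product": "nginx",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx"},
])
# Address ranges the organisation owns (constructed documentation range).
OWNED_CIDRS = ["203.0.113.0/24"]


def classify(rec):
    """Return the medical service a record appears to expose, or None."""
    if rec.get("port") in MEDICAL_PORTS:
        return MEDICAL_PORTS[rec["port"]]
    banner = (rec.get("data", "") + " " + rec.get("product", "")).lower()
    for kw in MEDICAL_KEYWORDS:
        if kw in banner:
            return f"banner:{kw}"
    return None


def find_exposed_medical(export_text, owned_cidrs):
    """Parse a JSON-lines export and list medical services exposed on owned addresses."""
    nets = [ipaddress.ip_network(c) for c in owned_cidrs]
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in n for n in nets):
            continue  # only triage the organisation's own address space
        service = classify(rec)
        if service:
            findings.append({"ip": str(ip), "port": rec["port"], "service": service})
    return findings


if __name__ == "__main__":
    for f in find_exposed_medical(SAMPLE_EXPORT, OWNED_CIDRS):
        print(f"{f['ip']}:{f['port']} looks like an exposed {f['service']} service")
```

Each finding is a candidate for the segmentation, firewall and patching controls the report lists, and a hit on a port such as 104 is the signal that a PACS or modality should not be reachable from the internet at all.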

The human aspect is also a crucial element of the overall security strategy. IT teams must conduct regular social engineering drills and provide training for all employees and relevant third-party partners, the report states. What’s more, an incident response protocol and team, consisting of people from different hospital departments, should be established.

The researchers also offer a number of supply-chain-specific recommendations. Healthcare IT teams should perform vulnerability assessments of new medical devices. Bring your own device (BYOD) programs should include authentication using Network Access Control (NAC) before allowing network access.

Healthcare organizations should purchase medical devices from manufacturers who go through rigorous security assessments of products during design and manufacture. And, healthcare IT teams should develop a plan for patching and updating code or firmware for devices implanted in patients and hospital medical equipment. Healthcare IT leaders should perform risk assessments of all suppliers and vendors in the supply chain, and should identify third-party vendor software and perform security and vulnerability testing to ensure they are safe from hackers. Penetration testing of the hospital network by professional pen-testing companies is highly recommended.
