Healthcare Under Siege

The Critical Threat of Cloud and IoMT Vulnerabilities

By Ty Greenhalgh, Industry Principal, Healthcare, Claroty

The healthcare sector is grappling with a perfect storm of challenges: economic uncertainty, staff shortages, COVID-related backlogs, and scarce public funding. Now, cyberattacks are escalating the crisis, with threats to both finances and patient care.

Cyberattacks targeting healthcare organisations surged by 45% last year, while the average cost of a breach rose by over 40% since 2020. With 2023 predictions pointing to healthcare as a prime target for cybercriminals, the stakes have never been higher.

The rapid expansion of the digital landscape, particularly the Internet of Medical Things (IoMT), leaves healthcare networks vulnerable. Devices like remote monitoring systems and digital insulin pumps can unwittingly provide entry points for attackers.

Worse still, interconnected medical systems risk widespread disruption when breached, affecting vital services and patient care. Ransomware attacks such as those on Medstar Washington Hospital and André-Mignot teaching hospital in Paris highlight this grave reality.

As Dr. Christian Dameff, Medical Director of Cybersecurity at UC San Diego Health, aptly puts it, “we are at a point where bits and bytes are meeting flesh and blood.” Now, more than ever, it’s crucial for security teams to secure healthcare’s digital landscape, protecting both the industry and the patients it serves.

The growing risk of vulnerabilities in cyber-physical systems 

The convergence of cyber-physical systems and IoMT devices is transforming healthcare services in a positive direction, by enabling real-time monitoring and analysis of patient data, and creating more effective opportunities for personalised treatments. Such technologies are also enhancing healthcare efficiency by automating processes, reducing human error, and facilitating remote healthcare services. All of these factors are significantly improving healthcare accessibility and cost-effectiveness.

At the same time however, this convergence is also creating a ticking time bomb of security risks. As medical systems become highly integrated into the cloud and remote servers, there is a growing risk of potential cyberattacks disrupting critical patient care facilities. The fallout from potential incidents like ransomware can lead to devastating consequences, including delayed treatments, misdiagnoses, and even loss of life. Patients, already facing the physical and emotional toll of their medical conditions, now find themselves as unwitting pawns in a high-stakes game of digital warfare.

So what’s leading to these increased vulnerabilities in healthcare systems? One of the major reasons is the use of outdated operating systems and devices, many of which are no longer supported by vendors with essential security updates. For example, numerous NHS GPs in the UK continue to rely on a decade-old version of Windows OS, leaving them exposed to unpatched vulnerabilities that can be exploited by malicious actors.

Adding fuel to the fire, many healthcare institutions still depend on legacy medical devices that cannot support the latest software updates or security features. These vulnerabilities are compounded by the fact that IoMT devices often aren’t developed with proactive security in mind. Weak default passwords, lack of encryption, and an absence of two-factor authentication are just a few examples of where IoMT are failing. Such failings leave the door wide open for attackers to access healthcare networks, compromise patient data, and hinder physicians’ abilities to provide care.

Moreover, there’s a glaring deficiency in the regulatory landscape, with insufficient focus on cybersecurity. While the MHRA is responsible for conducting conformity assessments of medical devices, their primary concern is operational feasibility rather than cybersecurity exposure. This means manufacturers may not be testing devices for vulnerabilities in line with current standards.

Vulnerability disclosures are significantly increasing  

Security has continued to be a significant challenge across the Extended Internet of Things (XIoT). This umbrella term encompasses all connected devices, from consumer gadgets to industrial and medical control systems. Recent research by Claroty discovered a 6% rise in vulnerabilities affecting XIoT devices from 2021 to 2022.

More importantly, we have seen over 150 IoMT vulnerabilities disclosed in the past two years, demonstrating that medical networks are increasingly becoming an important part of vulnerability assessment practices.

All of these factors point toward the fact that there is a growing awareness of XIoT security issues. Device manufacturers, end users, and the security industry are focusing more on finding these vulnerabilities and closing them before they can be exploited.

The most positive takeaway is that vendor disclosure rates have increased unprecedentedly since 2020. For the first time in our research, the number of vendor self-disclosures of XIoT vulnerabilities has

surpassed those of third-party security companies’ research teams and independent researchers. This is a very positive indication that vendors are becoming more vigilant with their security assessment efforts, investing more effectively in cyber-physical systems security, and improving their product-security programs altogether.

If vendors continue to maintain such acute vigilance going forward, security teams will be in a much better place to address and patch healthcare vulnerabilities before they are exploited by threat actors.

Nevertheless, despite this increasing rate of disclosures, it’s important to remember that vulnerable devices are still pervasive. Physicality is the biggest issue when managing and securing these devices. Healthcare organisations can quickly lose track of their IoT assets, particularly in sensors where a very high volume of devices will be distributed across a site.

Additionally, many connected devices still have design issues that make them more prone to vulnerabilities and more challenging to manage. For example, a device might have a complex user interface, making it more likely to be misconfigured and poorly secured. In other cases, a device might need to be physically opened up for patches and maintenance – a big problem when there are hundreds of units to manage.

Even for organisations making a concerted effort to keep their XIoT estate secure, it’s very easy to miss a few devices. A single vulnerability is often all it takes to enable a breach.

Applying proactive security to healthcare  

While the number of vulnerability discoveries has increased, the threat is being taken more seriously. Governmental bodies, including the UK and EU, are working on laws to regulate XIoT security more closely, pushing for more secure designs and faster action in addressing vulnerabilities.

As the industry continues to develop, we should naturally see a greater focus on security from XIoT device vendors, particularly in high-risk areas like healthcare. Developers and manufacturers are responsible for ensuring their products can be easily managed and supplied with regular updates.

From the manufacturers, there needs to be a greater emphasis on following standard cybersecurity practices laid out by key regulatory bodies. Standards such as the IMDRF (International Medical Device Regulators Forum) guidance provides foundational security principles and best practices for ensuring the cybersecurity of medical devices throughout their total product life cycle (TPLC). Healthcare organisations should also ensure they’re only acquiring products and systems that meet these regulatory principles.

In the meantime, organisations implementing any XIoT into their operations must do their due diligence. This means taking the time to fully evaluate products and ensure they address security basics such as vulnerability patching.

For existing XIoT implementations, critical infrastructure organisations must ensure complete visibility of every device connected to their network, from the smallest vital sensor to the biggest MRI machine or Industrial Control System (ICS). Automated asset discovery tools can help to identify connections and make this task more manageable. With all devices identified, it is then crucial to implement a regular cadence for applying security updates.

Healthcare organisations should also consider implementing network hygiene measures that limit the possibility of a connected device being discovered and exploited. Among the various options available, network segmentation is highly effective and our research revealed it to be the most successful security approach in addressing critical vulnerabilities. Essentially, this involves dividing the network into virtual zones, making it challenging for attackers to penetrate the main network from a vulnerable XIoT device.

Given the ruthless nature of cybercriminals who are willing to endanger people’s lives for financial gain, the healthcare sector must prioritize the security of their XIoT estate, as connected devices often offer an easy path for attacks and a means of causing major disruption.

About the Author

Ty Greenhalgh has been dedicated to the Healthcare Information Technology and Information Management industry for over 30 years. He is an ISC2 certified Healthcare Information Security and Privacy Practitioner (HCISPP) and Cybersecurity Officer. His experience has leveraged advanced disruptive technology solutions to assist healthcare organizations in overcoming seemingly insurmountable challenges. Ty is an active member in several groups and associations; Healthcare and Public Health Sector Coordinating Counsel’s Joint Cybersecurity Workgroup, the National Initiative for Cybersecurity Education (NICE) Workforce Development Workgroup, the North Carolina Health Information and Communications Alliance (NCHICA) Biomedical Taskforce.

Company website: https://claroty.com/