Complexity, the enduring enemy of medical cybersecurity

Cybersecurity for operations and facilities is arguably most important in the hospital setting where critical populations gather, and the safe movement of resources, equipment and personnel is essential.

Contributed by: Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks, and member of the International Society of Automation Global Cybersecurity Alliance (ISAGCA).

The U.S. Food and Drug Administration tells consumers, “Anytime a medical device has software and relies on a wireless or wired connection, it’s critical to pay close attention for any problems. The software behind these products, like all technologies, can become vulnerable to cyber threats, especially if the device is older and was not built with cybersecurity in mind.” At scale, these devices introduce extended remote access capabilities for both legitimate and illegitimate purposes.

The Federal Bureau of Investigation in a September 2022 report on “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities” suggests a tapestry of endpoint protection, data encryption, stronger password and asset management, and monitoring software are required to prevent healthcare industry attacks. Focusing only on medical devices introduces a cycle of vulnerability disclosure, patching and costly replacement without layered defenses considering the rest of hospital operations.

While both the U.S. FDA and FBI give guidance on assessing the security of systems, some hospital personnel responsible for security hyper-focus on securing cherry-picked assets and devices. Instead, they should take a holistic approach to cybersecurity across hospitals, which have begun to operate as digitally interdependent pseudo-cities. Given this reality, hospital cybersecurity is not achievable with a single layer of protection focused on any number of devices. It requires a multi-layered approach built with appropriate appliances, software, and protocol support.

What’s at risk
Cybersecurity for operations and facilities is arguably most important in the hospital setting where critical populations gather, and the safe movement of resources, equipment and personnel is essential. Major companies and providers struggle to manage massive campuses – some the equivalent of small cities – serving millions of patients each year and employing tens of thousands of people.

Legacy technologies in healthcare are ubiquitous, expensive to replace, and susceptible to exploitation from well-known cyber-attack tactics and a growing list of publicly disclosed common vulnerabilities and exposures (CVEs). Many run outdated software such as Windows XP and Windows 7, and have limited mechanisms for applying critical patches and updates. Resources limit the ability to track, secure and continuously fortify each component of legacy medical technology in use today.

Research by Palo Alto Networks Unit 42 Threat Research found that medical devices are the weakest link on the hospital network as they bear critical vulnerabilities:

  • 75% of infusion pumps studied had at least one vulnerability or threw up at least one security alert.
  • Imaging devices, such as X-Ray, MRI and CT scanners were particularly vulnerable, with 51% of all X-Ray machines exposed to high-severity Common Vulnerabilities and Exposures (CVE-2019-11687).
  • 44% of CT scanners and 31% of MRI machines were exposed to a high-severity CVE.
  • 20% of common imaging devices were running an unsupported version of Windows.

According to the FBI report above, in addition to outdated software, many medical devices also exhibit the following common weaknesses:

  1. Devices used with the manufacturer’s default configuration are often easily exploitable by cyber threat actors.
  2. Devices with customized software require special upgrading and patching procedures, delaying the implementation of vulnerability patching.
  3. Devices not initially designed with security in mind, due to a presumption of not being exposed to security threats.

Smart, connected medical devices, often capable of internet connection, have additional risks associated with unauthorized access – hijacking login interfaces to bypass password authentication, distributed denial of service (DDoS) attacks, and limited protections for sensitive patient information known as “personally identifiable information.”

To obfuscate the payload, many IoT botnets use naming conventions for their payloads that are common processes, such as “ntpd” (the network time protocol daemon), in combination with using packers and cryptors to thwart deep packet inspection engines. Once the system is infected, it immediately changes the default credentials before setting out on its intended objective to infect other machines. These IoT botnets can grow to have hundreds of thousands of controlled devices under their helm and their primary focus is to perform DDoS attacks against larger organizations. 
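The masquerade described above leaves traces a defender can check: a process may call itself “ntpd”, but its on-disk path, launch directory and parent process rarely match the real daemon’s. The following is an added example, not code from the article or from Nozomi Networks; the process listing is constructed, and the expected daemon paths and the choice of init/systemd as the legitimate parent are assumptions for a Debian-style image.

```python
"""Flag processes that borrow a legitimate daemon's name but do not run from
its expected location or parent. The process listing is constructed sample
data, not telemetry from any real device."""
from dataclasses import dataclass

# Assumed on-disk locations for daemons whose names are commonly borrowed.
EXPECTED_PATHS = {
    "ntpd": {"/usr/sbin/ntpd"},
    "sshd": {"/usr/sbin/sshd"},
    "cron": {"/usr/sbin/cron"},
}

# Scratch directories from which no system daemon should ever be launched.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/run/")

# Assumed legitimate parents for a system daemon.
LEGIT_PARENTS = {"init", "systemd"}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str          # process name as reported by ps
    exe: str           # resolved executable path (e.g. readlink /proc/<pid>/exe)
    ppid: int
    parent_name: str


def assess(proc):
    """Return the list of reasons this process looks like a masquerade ([] if none)."""
    reasons = []
    expected = EXPECTED_PATHS.get(proc.name)
    if expected is not None and proc.exe not in expected:
        reasons.append(f"name '{proc.name}' but exe '{proc.exe}' not in {sorted(expected)}")
    if proc.exe.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"executable runs from a scratch directory: {proc.exe}")
    if proc.exe.endswith(" (deleted)"):
        # /proc/<pid>/exe shows this suffix when the binary was unlinked after start
        reasons.append("executable was unlinked after start")
    if expected is not None and proc.parent_name not in LEGIT_PARENTS:
        reasons.append(f"system daemon parented by '{proc.parent_name}' instead of init")
    return reasons


def find_masquerades(procs):
    """Map pid -> reasons for every process that raises at least one reason."""
    return {p.pid: assess(p) for p in procs if assess(p)}


# Constructed sample listing: one legitimate ntpd and two look-alikes.
SAMPLE = [
    Proc(412, "ntpd", "/usr/sbin/ntpd", 1, "init"),
    Proc(2877, "ntpd", "/tmp/.x/ntpd", 2870, "sh"),
    Proc(2901, "ntpd", "/dev/shm/ntpd (deleted)", 2870, "sh"),
    Proc(533, "sshd", "/usr/sbin/sshd", 1, "init"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE).items():
        print(pid, *reasons, sep="\n  ")
```

On a headless device without an EDR agent, the same checks can be run from a scheduled script that walks /proc, which is often the only vantage point available on legacy equipment.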

These systems and variations tend to remain unpatched long after a patch has been released because most internet-connected devices are headless and controlled without graphical user interfaces. Content is passed to devices through web servers with little end-user interaction, and they are not set up for automated updates without the user agreeing to a risk-based statement within the end-user license agreements.

A way forward
A hyper-focus on assets and systems typically leads security teams to assess risks based on means, overlooking considerations for widespread and cascading impacts or extended downtime from a cyber incident. As the latest MITRE playbook for medical device security emphasizes, preparing for scenarios that incorporate this level of awareness and impact analysis requires a diverse set of stakeholders for planning, “response exercises, including clinicians, healthcare technology management professionals, IT, emergency response, risk management and facilities staff.” MITRE’s Medical Device Cybersecurity Companion Guide is a great place for medical security professionals to begin.

Monitoring and visibility are key today to reduce the dwell time for threat actors and the level of damage they can do in medical and healthcare systems, networks and environments. It is also necessary for root cause analysis to determine whether an issue is caused by a cyber threat actor, equipment malfunction, misconfiguration or a ransomware situation.

Such a strategy is more important than ever, given recent survey responses indicating that medical device manufacturers themselves say a top security challenge is, “managing a growing set of tools and technologies, partly explained by the lack of high-level ownership.” Using ISA/IEC 62443 standards to implement a holistic cybersecurity strategy across the manufacturing process can help eliminate issues on the front end, but the standards can also be applied to a medical or healthcare system on the back end. A trusted and responsible cybersecurity leader has four steps to consider for building a mature security program.

1. Network status
Network diagrams offer a high-level map of static configurations, but lack the ability to continually monitor traffic and timestamp network or data changes. If network activity is not monitored in real time, the status of assets is largely unknown, vulnerable or not, and these assets cannot be protected without the necessary visibility into their day-to-day functionality. It’s often parroted that you cannot protect what you cannot see, but you also cannot investigate any mishap or accident to understand the root cause of a cyber incident without a dynamic, real-time status map of the inventory of machines and computers communicating in your environment.
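To make the difference between a static diagram and a live status map concrete, here is an added example (not code from the article or from any vendor product) that builds a timestamped inventory from flow records and reports what the diagram cannot: hosts that were never documented, hosts that have gone quiet, and conversations on ports the environment does not expect. The flow records, the diagram contents and the expected-port set are all constructed.

```python
"""Passive asset inventory from timestamped flow records. Everything below
(flows, the 'diagram', the expected ports) is constructed sample data."""
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src, dst, dst_port, proto).
FLOWS = [
    ("2024-03-01T08:00:00", "10.20.1.15", "10.20.1.5", 104, "tcp"),   # CT -> PACS (DICOM)
    ("2024-03-01T08:00:05", "10.20.1.31", "10.20.1.5", 104, "tcp"),   # X-ray -> PACS
    ("2024-03-01T08:01:00", "10.20.1.15", "10.20.1.9", 2575, "tcp"),  # CT -> HL7 engine
    ("2024-03-01T11:30:00", "10.20.1.77", "10.20.1.5", 22, "tcp"),    # undocumented host, SSH
    ("2024-03-01T11:30:02", "10.20.1.77", "10.20.1.15", 22, "tcp"),
    ("2024-03-02T08:00:00", "10.20.1.15", "10.20.1.5", 104, "tcp"),
]

# Assumed static network diagram: the hosts the paperwork knows about.
DIAGRAM = {"10.20.1.5": "PACS server", "10.20.1.9": "HL7 interface engine",
           "10.20.1.15": "CT scanner", "10.20.1.31": "X-ray"}

# Assumed expected application ports on the imaging VLAN.
EXPECTED_PORTS = {104, 2575}


def build_inventory(flows):
    """host -> {first_seen, last_seen, talks_to}; timestamps are datetimes."""
    inv = {}
    for ts, src, dst, port, proto in flows:
        t = datetime.fromisoformat(ts)
        for host in (src, dst):
            rec = inv.setdefault(host, {"first_seen": t, "last_seen": t, "talks_to": set()})
            rec["first_seen"] = min(rec["first_seen"], t)
            rec["last_seen"] = max(rec["last_seen"], t)
        inv[src]["talks_to"].add((dst, port, proto))
    return inv


def undocumented_hosts(inv, diagram):
    """Hosts seen on the wire that the static diagram does not list."""
    return sorted(h for h in inv if h not in diagram)


def silent_hosts(inv, now_iso, max_age_hours):
    """Hosts with no traffic in the last max_age_hours: outage, removal or segmentation change."""
    now, max_age = datetime.fromisoformat(now_iso), timedelta(hours=max_age_hours)
    return sorted(h for h, r in inv.items() if now - r["last_seen"] > max_age)


def unexpected_services(inv, expected_ports):
    """(src, dst, port) conversations on ports outside the expected set."""
    return sorted((src, dst, port) for src, r in inv.items()
                  for dst, port, _ in r["talks_to"] if port not in expected_ports)


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    print("undocumented:", undocumented_hosts(inv, DIAGRAM))
    print("silent >12h:", silent_hosts(inv, "2024-03-02T09:00:00", 12))
    print("unexpected services:", unexpected_services(inv, EXPECTED_PORTS))
```

In practice the records come from a SPAN port or flow exporter rather than a list literal, but the bookkeeping is the same: first-seen and last-seen timestamps per host are what let an investigator later answer “when did this machine first appear and who did it talk to?”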


2. Product vulnerabilities
Vulnerabilities are not all the same; the degree to which they impact the integrity and availability of systems varies. Some vulnerabilities have limited scope in that they only apply to a few types of software features or interfaces and therefore will not produce widespread impacts. Others impact a small fraction of a specific vendor’s products or install base. Some vulnerabilities are more difficult to automate or require individuals in the target environment to interact with the attack mechanisms required to exploit the vulnerability. Others may have additional compensating controls which mitigate their severity.
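The factors just listed (scope, share of the install base, whether exploitation needs someone in the environment to act, compensating controls) can be turned into a repeatable prioritization rule rather than a judgement made fresh for each advisory. The example below is added here and is not from the article, the FBI report or any scoring standard; the CVE identifiers are placeholders, and the weights and fleet size are assumptions chosen for illustration.

```python
"""Rank findings by effective priority, not by base score alone. The findings,
weights and fleet size are constructed; CVE-0000-* are placeholder ids."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    cve: str                  # placeholder identifier, not a real advisory
    base_score: float         # e.g. a CVSS base score as published
    affected_assets: int      # devices in this fleet that carry the flaw
    network_reachable: bool   # exploitable over the network vs local/physical only
    needs_user_action: bool   # someone in the target environment must interact
    compensating: list = field(default_factory=list)  # controls already in place


def priority(f, fleet_size):
    """Effective priority in [0, 10] plus the adjustments that were applied."""
    score, notes = f.base_score, []
    exposure = f.affected_assets / fleet_size
    score *= 0.5 + 0.5 * exposure              # small install base lowers urgency
    notes.append(f"exposure {exposure:.0%}")
    if not f.network_reachable:
        score *= 0.6
        notes.append("local/physical access only")
    if f.needs_user_action:
        score *= 0.8
        notes.append("requires user interaction")
    for control in f.compensating:
        score *= 0.7                            # assumed credit per compensating control
        notes.append(f"compensated by {control}")
    return round(min(score, 10.0), 2), notes


def rank(findings, fleet_size):
    """Findings ordered from most to least urgent: (cve, priority, notes)."""
    scored = [(f.cve, *priority(f, fleet_size)) for f in findings]
    return sorted(scored, key=lambda r: r[1], reverse=True)


FLEET = 200  # assumed number of devices of this type in the estate
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 180, True, False),
    Finding("CVE-0000-0002", 9.8, 180, True, False, ["not reachable from clinical VLANs"]),
    Finding("CVE-0000-0003", 7.5, 6, True, False),
    Finding("CVE-0000-0004", 8.8, 150, True, True),
    Finding("CVE-0000-0005", 9.0, 190, False, False),
]

if __name__ == "__main__":
    for cve, score, notes in rank(FINDINGS, FLEET):
        print(f"{cve} {score:5.2f}  {'; '.join(notes)}")
```

Two findings with identical base scores end up far apart once a compensating control is credited, which is the point: the ranking records why an item was deferred, so the reasoning survives the next audit.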

3. Threat actor capabilities
For many medical devices, the primary attack surface is their default credentials over SSH. Once the attacker has gained entry, they will fingerprint the underlying operating system to decide which payload to install on the system, often to deploy a botnet. As an initial attack vector, IoT DDoS and botnet attacks can sometimes allow a threat actor to find and gain the access necessary to achieve escalated privileges and cause widespread outages and impacts to hospital operations.
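Because the entry point named above is an interactive login, it is also one of the easiest things to catch in logs. The following added example (not code from the article or any product) reads OpenSSH-style authentication lines and raises two kinds of alert: a burst of failures followed by an accepted password from the same source, and any password login to a vendor default account from outside the management network. The log lines are constructed samples, and the management subnet and the set of default account names are assumptions.

```python
"""Detect credential guessing and default-account logins from sshd log lines.
Log lines, the management subnet and the default-account list are constructed."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the OpenSSH 'Accepted/Failed password for [invalid user] X from Y port N' lines.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

# Constructed sample log: three guesses, then a successful root password login.
LOGS = """\
2024-03-01T11:29:50 pacs01 sshd[2201]: Failed password for root from 10.20.1.77 port 40110 ssh2
2024-03-01T11:29:52 pacs01 sshd[2201]: Failed password for root from 10.20.1.77 port 40112 ssh2
2024-03-01T11:29:55 pacs01 sshd[2203]: Failed password for invalid user admin from 10.20.1.77 port 40115 ssh2
2024-03-01T11:30:00 pacs01 sshd[2205]: Accepted password for root from 10.20.1.77 port 40118 ssh2
2024-03-01T11:45:00 pacs01 sshd[2300]: Accepted publickey for svc-backup from 10.20.9.10 port 50000 ssh2
2024-03-01T12:00:00 pacs01 sshd[2310]: Accepted password for bmeng from 10.20.9.10 port 50010 ssh2
""".splitlines()

MGMT_NET = ip_network("10.20.9.0/24")            # assumed jump-host subnet
DEFAULT_ACCOUNTS = {"root", "admin", "service"}  # assumed vendor default names


def parse(lines):
    """Yield dicts for password-auth lines; key-based logins do not match and are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}


def detect(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, user, failures_before_success)."""
    alerts, recent_fail = [], {}
    for ev in parse(lines):
        if ev["result"] == "Failed":
            recent_fail.setdefault(ev["src"], []).append(ev["ts"])
            continue
        # An accepted password: count this source's failures inside the window.
        fails = [t for t in recent_fail.get(ev["src"], []) if ev["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            alerts.append(("guess-then-success", ev["src"], ev["user"], len(fails)))
        if ev["user"] in DEFAULT_ACCOUNTS and ip_address(ev["src"]) not in MGMT_NET:
            alerts.append(("default-account-password-login", ev["src"], ev["user"], 0))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOGS):
        print(*alert)
```

The second rule fires even without preceding failures, which matters for devices whose default password is public: there is nothing to guess, so the only signal is a default account being used from somewhere it should not be.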

4. Data rich, information poor
Simply having and storing reams of data is not particularly useful for any risk mitigation. Behavioral analysis and anomaly detection for network operations can augment threat intelligence and overall security postures. Anomaly detection can alert on both deviations from normal communications patterns, as well as variables within the process – like sensor readings and flow parameters. This process data can be correlated with communications data to provide actionable intelligence to inform security procedures and reduce overall risk.
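The correlation described in this step can be shown end to end: a baseline of who talks to whom, a statistical bound on a process variable, and a time window that ties the two together. The example below is added here and is not code from the article or from Nozomi Networks; the flows, the infusion-pump flow-rate readings, the addresses and the three-sigma threshold are all constructed assumptions.

```python
"""Correlate a communications anomaly with a process-variable anomaly.
All flows, readings and addresses below are constructed sample data."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Learning period: flows (ts, src, dst, port) and pump flow-rate readings (ts, ml/h)
# from a period the ward considers normal. Pump 10.20.2.40 reports to server 10.20.2.5.
LEARN_FLOWS = [("2024-03-01T08:00:00", "10.20.2.40", "10.20.2.5", 8443),
               ("2024-03-01T08:05:00", "10.20.2.40", "10.20.2.5", 8443)]
LEARN_READINGS = [("2024-03-01T08:%02d:00" % m, v) for m, v in
                  enumerate([5.0, 5.1, 4.9, 5.0, 5.2, 4.8, 5.0, 5.1, 4.9, 5.0])]

# Detection period: a never-seen host opens SSH to the pump, and the reported
# flow rate jumps thirty seconds later.
LIVE_FLOWS = [("2024-03-01T11:25:00", "10.20.2.40", "10.20.2.5", 8443),
              ("2024-03-01T11:30:00", "10.20.1.77", "10.20.2.40", 22),
              ("2024-03-01T11:35:00", "10.20.2.40", "10.20.2.5", 8443)]
LIVE_READINGS = [("2024-03-01T11:29:00", 5.0), ("2024-03-01T11:30:30", 50.0),
                 ("2024-03-01T11:31:00", 4.9)]


def learn(flows, readings):
    """Baseline: the set of observed (src, dst, port) pairs and the reading mean/stddev."""
    pairs = {(s, d, p) for _, s, d, p in flows}
    values = [v for _, v in readings]
    return pairs, mean(values), pstdev(values)


def comm_anomalies(flows, pairs):
    """Conversations not present in the learned pair set."""
    return [(datetime.fromisoformat(ts), (s, d, p))
            for ts, s, d, p in flows if (s, d, p) not in pairs]


def process_anomalies(readings, mu, sigma, k=3.0):
    """Readings further than k standard deviations from the learned mean."""
    return [(datetime.fromisoformat(ts), v) for ts, v in readings if abs(v - mu) > k * sigma]


def correlate(comm, proc, window=timedelta(minutes=2)):
    """Pair each communication anomaly with process anomalies within the window."""
    return [(c.isoformat(), pair, p.isoformat(), v)
            for c, pair in comm for p, v in proc if abs(p - c) <= window]


def analyse(learn_flows, learn_readings, live_flows, live_readings):
    pairs, mu, sigma = learn(learn_flows, learn_readings)
    comm = comm_anomalies(live_flows, pairs)
    proc = process_anomalies(live_readings, mu, sigma)
    return {"comm": [(c.isoformat(), pair) for c, pair in comm],
            "process": [(p.isoformat(), v) for p, v in proc],
            "correlated": correlate(comm, proc)}


if __name__ == "__main__":
    for key, items in analyse(LEARN_FLOWS, LEARN_READINGS, LIVE_FLOWS, LIVE_READINGS).items():
        print(key, items)
```

Either anomaly on its own is ambiguous: a new SSH session may be a technician, and a flow-rate spike may be a sensor fault. Reported together inside a two-minute window they become the kind of finding that tells a responder where to start the root-cause analysis the previous step calls for.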

To learn more about ISA/IEC 62443, visit the ISA Global Cybersecurity Alliance website.