In 2017, the healthcare industry experienced a dramatic surge in cyberattacks. Thousands of healthcare organizations around the world suffered various attacks — from data theft to ransomware attacks. Among them was the notorious WannaCry ransomware attack, which affected over 300,000 machines across 150,000 countries, including the United States. As many as 200,000 Windows systems were impacted by WannaCry, including nearly 50 healthcare facilities in the UK, and dozens more in the United States. The infections from WannaCry impacted medical devices as well, putting hospital staff — and patient safety — at risk.
Despite suffering from the biggest ransomware attack in recent memory, organizations remain unprepared for the next round of large-scale attacks. Outdated software (and hardware) contributed to the spread of WannaCry. And any company with outdated technology can expect similar results when the next WannaCry hits.
In today's era of fifth-generation cyberattacks, protecting the vulnerabilities inherent to any organization is paramount and should be the driving force of every healthcare organization's cybersecurity strategy, especially now that more medical devices are connected and, thus, vulnerable to potential hacks. (In some cases last year, many cyberattacks involved remote takeover of medical devices, disrupting medical care, potentially creating additional medical errors, and increasing the need for more resources.)
In 2016, according to one report, healthcare was the fifth-most-attacked industry. 1 Last year, healthcare moved up to become the second-most-attacked industry. And with the growing use of IoT devices, healthcare will continue to be an attractive target for attacks. See the sidebar, “Stats from Check Point's Study,” for more insights into the extent of the problem.
Stats from Check Point's Study:
Only 3 percent of businesses surveyed have indicated that they are equipped to defend against fifth-generation cyberattacks (the highest level of cyberattacks, which are considered large-scale and state-sponsored multivector mega attacks).
Security professionals still do not feel prepared enough, rating their organizations as only moderately prepared for cyberattacks (3.56 on a 1–5 readiness scale). In other words, companies are only equipped to deal with a third-generation attack.
41 percent of organizations faced at least one cyberattack during 2017, with an average of 56 attacks per organization per year.
The primary barriers that IT and security professionals cite as standing between their organization and high-level cybersecurity effectiveness are staffing challenges (mentioned by 70 percent of IT and security professionals), security conflict with business or user experience (56 percent), and outdated security infrastructure (50 percent). By staffing issues, security professionals mean low numbers of cybersecurity staff as well as a lack of the staff knowledge needed to fight 2018 cybercrime. By outdated security, they mean outdated security architecture as well as controls.
Understanding the Environment
Before going through what medical designers should keep in mind when producing new devices, it's important to understand what makes the healthcare environment so prone to attacks:
Regulation: HIPAA and GDPR regulations do not mandate medical device manufacturers to include cybersecurity capabilities as part of their offering.
Lack of software updates: Due to regulations, every software update aimed at a medical device must go through FDA or other regulatory approvals to make sure no potential harm can be inflicted on the patient. This leads to insufficient updates, especially when a medical device has been compromised by an attack.
Old/unpatched operating systems: Most medical devices carry old operating systems such as Windows XP or NT, which are subject to cyberattacks. This makes medical devices subject to older attacks, which are no longer considered a threat to an up-to-date OS. Additionally, because medical devices cannot be updated without going through recertification, even newly introduced devices with a new OS will soon suffer from the same problem.
Required uptime: Once integrated into a hospital, medical devices are fully utilized to meet patient care requirements. As a result, even if a software patch that may prevent a potential cyberattack is available, it usually takes weeks, sometimes even months, before the patch is actually implemented in the field.
Flat networks: Due to the lack of cybersecurity resources, flat networks, in which guests, patients, doctors, building systems, and connected medical devices all share the same network, are more common in the healthcare environment. This situation, of course, substantially extends the attack surface and allows lateral attacks from one part of the network to another.
Access to resources: A healthcare environment in general, and a hospital in particular, is an open environment in which patients, guests, and healthcare personnel all have access to the various resources within the hospital. As a result, any of these actors can accidentally infect the hospital network by connecting an infected host to the hospital network, or to any other device, such as a TV, within the hospital.
Lack of cybersecurity resources: Despite being among the top attacked industries today, healthcare organizations, based on a recent Forrester survey, have a lower-than-average cybersecurity budget.
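The flat-network condition described in the list above can be checked from an asset inventory and flow records. The following is an added example, not part of the original article or any Check Point product; the inventory, subnets, flows, and the allowed-role policy are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory for illustration: (hostname, role, IP address).
INVENTORY = [
    ("infusion-pump-01", "medical_device", "10.20.0.15"),
    ("mri-console-02", "medical_device", "10.20.0.16"),
    ("guest-laptop-77", "guest", "10.20.0.201"),
    ("hvac-controller", "building", "10.20.0.50"),
    ("nurse-ws-04", "clinical_staff", "10.30.0.12"),
]
# Constructed subnets, as they might be configured on the network.
SUBNETS = ["10.20.0.0/24", "10.30.0.0/24"]
# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.201", "10.20.0.15", 445),  # guest -> infusion pump (SMB)
    ("10.30.0.12", "10.20.0.16", 104),   # clinical workstation -> MRI (DICOM)
    ("10.20.0.50", "10.20.0.16", 502),   # building controller -> MRI (Modbus)
]
# Hypothetical policy: roles permitted to open connections to medical devices.
ALLOWED_TO_DEVICES = {"clinical_staff", "medical_device"}


def roles_per_subnet(inventory, subnets):
    """Map each subnet to the set of roles whose hosts live in it."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    result = defaultdict(set)
    for _name, role, ip in inventory:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                result[str(net)].add(role)
    return dict(result)


def flat_subnets(inventory, subnets):
    """Subnets where medical devices share a segment with any other role."""
    mapping = roles_per_subnet(inventory, subnets)
    return sorted(net for net, roles in mapping.items()
                  if "medical_device" in roles and len(roles) > 1)


def risky_flows(inventory, flows):
    """Flows into medical devices from roles outside the allowed set."""
    role_of = {ip: role for _name, role, ip in inventory}
    return [(src, dst, port) for src, dst, port in flows
            if role_of.get(dst) == "medical_device"
            and role_of.get(src, "unknown") not in ALLOWED_TO_DEVICES]
```
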
Prevention Is Key
As IoT systems become more widespread, cyber criminals will continue to find creative ways to gain the upper hand on their victims. Although the current situation is unsettling, there are preventive measures that designers can take when creating new devices. Below are some things to think about that can go a long way to ensuring better protection and prevention of potentially devastating cyberattacks:
Have visibility: Medical device designers (particularly those with IoT components) should have a full view of the various parts of their system, including the various IT-related systems.
Consider segmentation: Have the capability to segment various parts of that network, in order to contain malware attacks and mitigate the potential risk of one part of the network attacking other parts.
Integrate threat prevention solutions: Threat prevention can be executed through implementing cybersecurity best practices such as:
Blocking known attacks with the usage of IPS tools.
Blocking unknown and zero-day attacks with threat emulation tools.
Blocking existing infections through anti-bot tools.
Having granular understanding of protocols such as DICOM and HL7, which are directly related to healthcare, and Modbus and KNX, which are directly related to the building management systems that are part of the general healthcare environment.
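As an illustration of the granular protocol understanding mentioned in the last item, the following added example (not from the article or any vendor product) parses the MSH header of an HL7 v2 message and applies an allow-list on message type and version. The allow-list contents and the sample messages are constructed assumptions.

```python
# Hypothetical allow-list of HL7 v2 message types (MSH-9) expected on one
# interface; a real list would come from the interface specification.
ALLOWED_TYPES = {("ADT", "A01"), ("ADT", "A08"), ("ORU", "R01")}
ALLOWED_VERSIONS = {"2.3", "2.5", "2.5.1"}

# Constructed sample messages; HL7 v2 segments end with a carriage return.
ADMIT = ("MSH|^~\\&|ADT1|WARD3|LAB|HOSP|20180301120000||ADT^A01|MSG00001|P|2.3\r"
         "PID|1||000000^^^HOSP||DOE^JANE\r")
QUERY = "MSH|^~\\&|UNKNOWN|X|LAB|HOSP|20180301120500||QRY^A19|MSG00002|P|2.3\r"


def parse_msh(message):
    """Return (message type, trigger event, version) or raise ValueError."""
    first = message.split("\r", 1)[0]
    if len(first) < 8 or not first.startswith("MSH"):
        raise ValueError("first segment is not MSH")
    field_sep = first[3]                 # MSH-1 is the field separator itself
    fields = first.split(field_sep)      # fields[n-1] holds MSH-n for n >= 2
    if len(fields) < 12 or not fields[1]:
        raise ValueError("MSH segment too short")
    comp_sep = fields[1][0]              # first encoding character in MSH-2
    parts = fields[8].split(comp_sep)    # MSH-9: message type, trigger event
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("MSH-9 lacks message type or trigger event")
    version = fields[11].split(comp_sep)[0]   # MSH-12: version ID
    return parts[0], parts[1], version


def verdict(message):
    """Classify one message as 'allow', 'block' or 'malformed'."""
    try:
        msg_type, trigger, version = parse_msh(message)
    except ValueError:
        return "malformed"
    if (msg_type, trigger) in ALLOWED_TYPES and version in ALLOWED_VERSIONS:
        return "allow"
    return "block"
```
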
Of course, more must be done in order to secure the future of healthcare. But these first steps are key in developing more secure medical devices moving forward. Add an infrastructure with the necessary technology, and the future of healthcare will be prepared for the next major attack.
This article was written by Yariv Fishman, Head of Product Management, Cloud Security & IoT, Check Point, San Carlos, CA.