The poor state of healthcare cybersecurity has been emphasised by a recent Forescout study. The study showed that the healthcare sector relies on legacy software, that vulnerable protocols are in extensive use, and that medical devices are not properly safeguarded.
The study reviewed 75 global healthcare deployments, which included over 1.5 million devices operating on 10,000 virtual local area networks (VLANs).
Most of those devices were running on legacy systems. While just 1% of devices run unsupported operating systems such as Windows XP, 71% had operating systems that are quickly approaching end-of-life, such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft.
The analysis indicated 85% of Windows devices had SMB in use. A flaw in SMB was to blame for the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is also typically used: 35% of devices did not have RDP turned off. File Transfer Protocol (FTP) was also widely used.
There has been a rapid deployment of a wide range of connected medical devices such as infusion pumps, patient monitors, tracking and identification tools, and imaging systems. The number and variety of devices that connect to healthcare networks has greatly expanded the attack surface. Those devices have introduced significant security risks which, in many cases, have not been effectively addressed.
The sheer number of devices and different operating systems is causing major headaches for IT security teams. The study revealed 40% of deployments used over 20 different operating systems, 41% of VLAN platforms used a range of mobile, network, and embedded infrastructure, and 34% of healthcare deployments had more than 100 vendors connecting to the network. Many vendors are in charge of patching their own systems, and healthcare IT teams are unaware whether those patches have been correctly installed.
While it is vital to ensure that all devices are secured, IT teams must first identify all devices that connect to the network, which is a major challenge, especially after mergers and acquisitions. There have been many instances of devices being used without the knowledge or help of the IT department.
The complex nature of healthcare networks makes security difficult to oversee, and the variety of devices and operating systems makes patching a mammoth task. It is often not possible to keep on top of patching and software updates. Acute care providers cannot simply take critical care systems offline without endangering patient care, which means flaws often cannot be addressed. In some cases, medical devices cannot be patched to address known vulnerabilities, and legacy apps may not work on newer operating systems. It is not unusual for vendor approval to be required before patches can be applied.
One way to enhance security and decrease the attack surface is to segment networks and ensure that at-risk devices and systems are kept separate from other parts of the network and are not Internet-facing. Restrictions also need to be set to ensure that devices and systems can only be accessed by people who need access to complete their day-to-day work duties. However, this best practice is not particularly evident in the data analyzed for the research. Only a small number of VLANs were being used for medical devices, which suggests many healthcare providers are not using network segmentation to a large extent.
“It’s critical for healthcare organization security and risk management leaders to look at securing all devices across the extended enterprise. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture,” wrote the Forescout researchers. “A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools.”