The world is becoming increasingly interconnected, with network-enabled devices becoming pervasive amid the explosive growth of the internet of things. This interconnectedness offers potential gains in convenience and utility, but it also clearly comes with an increased attack surface that can be used to compromise devices.
Once compromised, devices can be used as a backdoor into your organization as well as a platform for launching attacks.
The security shortcomings of many IoT devices and their deployments are clearly illustrated by the large-scale DDoS attacks recently launched by the IoT botnet Mirai, to which some of the largest DDoS attacks in history have been attributed.
Moreover, it is not just web-based services that have been the victims of such attacks. A recent Verizon Data Breach Digest describes a university’s network being brought to its knees by the successful compromise of its vending machines and smart light bulbs. The scariest part of these attacks is that the mechanisms used to successfully compromise more than 100,000 devices, in the case of Mirai, were not sophisticated at all. The Mirai malware compromised these devices using a list of just 62 default login credentials.
In other words, all of these devices could have avoided compromise by the current iteration of Mirai if the default passwords were simply changed at the time of deployment.
These IoT devices are not without privacy implications either. We have all heard the horror stories of baby monitors and webcams being compromised to spy on people. Furthermore, the data that IoT devices collect on us can include highly sensitive information such as physical activity metrics, vital signs, recorded speech, GPS coordinates and all kinds of other data that people may not want to share with the world. Given that, the privacy implications of such poor security and such insecure deployments are staggering.
Nowhere should this be more of a concern than in the modern hospital.
Within modern hospitals, all of the latest medical equipment is network-enabled, and in many cases with good reason. Network-enabled equipment allows X-ray machines to automatically upload the image to a PACS system for a radiologist to read. It allows a telemetry monitor to automatically transmit the data it collects to the hospital’s EHR system or a system that can be used to page a nurse in the case of a life-threatening anomaly. These and other technologies all work to increase the efficiency and efficacy of care within a healthcare environment and play a role in improving patient outcomes.
Yet, due to the nature of the data these medical devices collect, transmit, and store, the privacy implications of having an insecure medical device deployment far exceed those that would be present for a typical IoT device.
This raises the question: how can hospitals and healthcare facilities ensure that their medical devices are deployed in a manner that will protect the privacy of their patients?
HIPAA, the HITECH Act, EU directives, and other regulations all call for the protection of patient privacy but provide little in the way of guidance as to what constitutes good security and privacy practices with regard to the deployment of network-enabled medical devices. Such guidance is sorely needed given recent findings that medical devices are susceptible to hacking in ways that can impact not only patient privacy but patient safety as well.
For example, in 2015 the FDA issued guidance on vulnerabilities in Hospira infusion pumps that could allow an attacker to change the dosing of drugs being administered to a patient. More recently the FDA issued guidance concerning vulnerabilities in the Merlin@home transmitter: an internet-connected device that can be used to control implanted pacemakers.
These issues become even more concerning now that malware and other breach vectors that target medical devices are no longer theoretical. The Medjack family of malware is designed with the compromise of medical devices in mind. Medjack is designed to allow attackers to establish backdoor access into healthcare networks via these compromised devices and use the compromised devices as staging grounds for attacks on EHR and radiology systems with the intent of exfiltrating patient data.
All of these recent findings and events demonstrate the clear-cut need for medical devices to be manufactured with security and privacy in mind and to be deployed in a secure manner.
While initiatives like privacy-by-design principles, the Hippocratic Oath for Connected Medical Devices, and other IoT security standards call attention to the need for security in the design and manufacturing process, little attention has been given towards codifying the best practices for securely deploying medical devices.
Fortunately, this is starting to change, and a recent initiative of the Open Web Application Security Project has begun establishing a standard for the secure deployment of network-enabled medical devices. The recent release of the version 1.0 standard describes 32 controls that can be used to improve the security of medical device deployments. These controls are designed to reduce the risk of initial compromise as well as mitigate the damage that a successful compromise could actually do. Moreover, the standard includes classes of controls that are designed to aid in the detection of potential incidents as well as controls that can aid in ensuring a quick recovery in the event an incident does occur.
As hospitals continue down the path of increasing digitization and interconnectedness, they need to remember that information security and privacy now extend to more than just the PCs and laptops on their desks or the servers in the data center. Modern medical devices are essentially computers at their core and need to be treated as such. A comprehensive healthcare security and privacy strategy will give consideration to this fact and include provisions for ensuring that medical devices are deployed with security and privacy in mind.