The weakest links in a healthcare IT network are IoT devices, cloud, and mobile, including ultrasound machines, because of legacy operating systems and open source systems, according to a new report from Check Point Research.
The researchers found that in many scenarios these devices are easy to hack into, putting the massive storage of patient data at risk. Specifically, the researchers noted three major vulnerability issues with IoT devices.
First, the devices are often built on open source operating systems, which also means they’re not always designed with security in mind. And in some cases, security is overlooked entirely, the researchers explained. Adding to the issue is the increased amount of data collection and storage of these devices, which makes them a prime target for hacking.
Lastly, the researchers noted that often IoT devices can serve as an entry point for cybercriminals, who then leverage the access to move laterally across the network to gain access to more data.
“Alternatively, the device could be attacked directly and shut down with a highly disruptive effect,” the researchers wrote.
For example, Check Point researchers discovered an ultrasound machine that operated on the Windows 2000 platform and no longer received patches from Microsoft, which left the machine vulnerable to attack.
The researchers were able to infiltrate the ultrasound device by leveraging the security gap, which would let hackers download stored data, edit and replace the data, and also infect it with ransomware.
In a real scenario, the researchers said it would allow a hacker to hold the medical device for ransom. Check Point’s findings highlight issues addressed in an earlier MedCrypt report that found 100 to 1,000 patients had adverse events from a compromised healthcare infrastructure.
As the global WannaCry cyberattack in 2017 was able to proliferate due to patching failures, Check Point’s research also confirms the risk of legacy systems to patient data. WannaCry impacted more than a third of the UK National Health Service trusts, forcing the cancelation of about 7,000 appointments.
“Indeed, due to the vast amounts of personal information they hold and increasingly transfer electronically, healthcare organizations have become major targets for cybercriminals looking to not only cause mass disruption, but also to gain financially,” the researchers wrote.
“After all, this valuable data can be used to obtain expensive medical services, devices, and prescription medications, as well as fraudulently acquire government health benefits,” they added.
Patching is a simple way to shore up some of these security gaps. However, the researchers noted that many of the devices’ operating systems no longer receive security updates. The other issue is that many organizations don’t patch because of the downtime needed to accomplish the task.
“From a regulatory point of view, the inherent vulnerabilities that come with operating healthcare devices, such as a lack of encryption of sensitive data as well as hard-coded or default login credentials, prevent IT professionals from even implementing security patches, should such patches even exist,” the researchers explained.
When patching isn’t possible, the researchers said that network segmentation, applied to the healthcare organization’s network as well as its staff, could help the IT team detect and respond to unauthorized access.
“Healthcare organizations must be aware of the vulnerabilities that come with these devices that increase their chances of a data breach,” the researchers wrote. “Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions, while providing another layer of security to network and data protection, without compromising performance or reliability.”