Report: Healthcare IoT, Devices Most Impacted by TCP/IP Vulnerabilities

May 06, 2021 - At least 75 percent of healthcare entities are impacted by a host of TCP/IP vulnerabilities, uncovered by Forescout Research Labs within the last year. NUMBER:JACK, NAME:WRECK, and AMNESIA:33 are found in millions of healthcare IoT and other IT devices, posing a serious risk of remote code excution and hacking.

In fact, healthcare organizations are nearly five times more affected by TCP/IP vulnerabilities than any other sector with a total of 79 vulnerable types of devices and 259 vulnerable vendors.

Forescout’s Project Memoria is focused on assessing security vulnerabilities and associated threats against IT, OT, IoT, and IoMT devices, along with providing support for entities to address these risks.

Disclosed in December 2020, AMNESIA:33 is a set of 33 security flaws found in four open source TCP/IP stacks -- foundational elements of millions of devices. These highly modular vulnerabilities were found in devices of more than 150 vendors and used in deeply embedded subsystems.

A successful exploit could lead to remote code execution, enabling an attacker to take complete control of a device.

READ MORE: CISA Warns More Critical Flaws Found in Open Source TCP/IP Stacks

For NUMBER:JACK, a successful exploit of any of the nine Initial Sequence Number (ISN) generation vulnerabilities could allow a hacker to bypass authentication, hijack or spoof TCP connections, launch denial-of-service conditions, or inject malicious data.

The latest disclosure, NAME:WRECK, is a group of nine flaws found in four popular TCP/IP stacks and used in over 100 million enterprise, consumer, and industrial IoT devices. The vulnerabilities impact the Domain Name System (DNS), the decentralized protocol that enables a requesting device to resolve desired domain names to specific IP addresses.

More than 180,000 devices in the US employ the vulnerable tech, posing a critical risk of hacking or remote code execution attacks.

In combination with Ripple20, a group of 19 vulnerabilities found in the TCP/IP communication stack of hundreds of millions of IoT and connected devices by JSOF, these foundational technologies are increasing the risk of exposure across all sectors.

For its recent healthcare-focused report, researchers analyzed data from the Forescout Device Cloud, an anonymized information from about 13 million devices used by more than 1,800 global clients, combined with the vulnerabilities found during the Project Memoria research.

READ MORE: 33 TCP/IP Stack Flaws Pose Hacking Risk to Millions of IT, IoT Devices

Although the vulnerabilities are found in devices across a range of sectors, the researchers discovered that healthcare is at a greater risk than other industries for a number of reasons: network complexity, range of devices used by healthcare delivery organizations, and the breadth and type of manufacturers.

"In networks with high device diversity, security operators must spend a considerable amount of time to identify and patch vulnerable devices," researchers explained.

"This is because the tools able to identify IT devices might differ from those able to identify medical or IoT devices, and because with different device types come different vendors and, hence, patches available with different timelines and applicable with different procedures," they added.

Hospitals and healthcare environments also have a host of devices that are always on or in use, which increases the risk of exposure.

The sector also has the highest number of vulnerable devices, with nearly 200 per organization, and its vulnerable devices are the most diverse, with about eight types of devices per entity, Forescout's Vice President of Research, Elisa Costante, told HealthITSecurity.com.

READ MORE: CISA Urges Patch of Windows Remote Code Execution TCP/IP Flaw, DoS Risk

Healthcare also has the highest diversity of vulnerable vendors, with at least 12 on each network, she added.

The most common device types in healthcare are printers, VoIP, infusion pumps, networking equipment, and building automation devices. For medical devices, infusion pumps, patient monitors, and point-of-care diagnostic systems are the most vulnerable.

As these flaws and other vulnerable devices often share the same network segment within the enterprise, healthcare entities are at an increased likelihood and impact of cyberattacks.

“The combination of new vulnerable devices, difficult-to-patch vulnerabilities, and lack of segmentation exposes healthcare networks to new threat scenarios that can have a big business impact,” explained Costante. 

These new threat scenarios include an increased exposure to attacks, longer downtime from impacted devices, and even denial of healthcare delivery.

For example, a ransomware attack stemming from the exploit of a device vulnerability can lead to a number of challenging downtime scenarios, as each device would be impacted in completely different ways.

And while an overall cyberattack can cause reputational damage, an exploit of a device vulnerability could lead to the inability to provide patient care or seriously impact patient safety.

Forescout issued the report to highlight the risk to healthcare entities and to urge providers to take immediate action to address these threats.

Costante stressed that to protect against the arising threats posed by TCP/IP flaws, healthcare entities must increase visibility into their networks to find and remediate possible device vulnerabilities and apply available patches, wherever it’s possible.

Administrators also need to implement measures to support proper network segmentation, which will shield unpatchable, vulnerable devices. Namely, only traffic from or two allowed devices should be permitted.

“To deal with possible exploitation of  TCP/IP vulnerability, it is paramount for healthcare organizations, as well as any other organizations, to have a response plan that can be kicked off as soon as an intrusion is suspected or confirmed,” Costante explained.

“Such a response plan should include tools and mechanisms aimed at detecting (identifying indicators of compromise, affected assets, have logs of what happened), responding (isolating affected devices, block connections from/to malicious IPs), and recovering from the exploitation,” she concluded.