Reports Finds IoT Devices Host Social Media Apps, FDA-Recalled Platforms

July 23, 2020 - An analysis of over 5 million IoT, IoMT, and unmanaged devices found a host of security risks, including those in the healthcare sector, from Facebook and YouTube applications running on MRI and CT machines, to a trove of medical devices operating on legacy platforms or systems recalled by the Food and Drug Administration. 

The research should serve as a red flag to healthcare organizations, given recent alerts to several critical system vulnerabilities and reports of serious flaws found in a range of healthcare organizations tasked with the COVID-19 response. 

“There is no more dramatic example of the importance of the Internet of Things than in the midst of the COVID-19 pandemic,” Ordr researchers wrote. 

“Within healthcare organizations, a surge of IP-enabled medical devices such as ventilators, infusion pumps, and EKG machines are playing a critical role in patient care—saving lives, collecting medical diagnostics data, facilitating medical functions,” they added. 

Ordr researchers analyzed anonymized data from its customer deployments of IoT, IoMT, and unmanaged devices across a range of sectors, including healthcare, life sciences, manufacturing, and retail, between June 2019 and June 2020. 

READ MORE: Impact of Ripple20 Vulnerabilities on Healthcare IoT, Connected Devices

Researchers found a host of disturbing trends in the healthcare sector, including devices like HVAC controllers and elevator controls enabling the patient care ecosystem. 

Notably, some MRI and CT machines were discovered running social media platforms. And another 15 to 19 percent of medical devices operate on unsupported Microsoft Windows platforms like Windows 7 or older versions.

Allowing users to surf the internet through these devices poses a serious risk to the enterprise. These devices are vulnerable to cyberattacks, especially ransomware, with hackers actively targeting legacy platforms and known vulnerabilities to gain a foothold onto the network. 

Further, 86 percent of healthcare deployments have more than 10 FDA recalls on their medical IoT devices. FDA uses the term recall when a manufacturer has taken corrective action to address a medical device issue that violates FDA regulations, or is misbranded or adulterated. 

In short, an FDA-recalled device is defective and could pose a risk to patient safety, to the enterprise, or both. For example, Abbott recalled 465,000 pacemakers once it was discovered they could be hacked. 

READ MORE: Most At-Risk Medical Devices: PACS, HL7 Gateway, Radiotherapy Systems

Ordr researchers stressed these devices must be taken out of service or appropriately segmented from the enterprise network, if they cannot be patched, “to ensure they are not at risk from attackers exploiting Windows vulnerabilities.” 

Notably, 95 percent of healthcare deployments were found to havepersonal Alexa and Echo devices connected to the network, as well as other hospital surveillance equipment. 

“This violates privacy requirements with the risks of attackers eavesdropping and recording conversations,” researchers wrote. “Because of vulnerabilities that allow these devices to eavesdrop and record conversations, these smart speakers are not allowed in a healthcare environment.” 

Researchers also identified 75 percent of deployments with VLAN violations, including one deployment with multiple USB card readers connected to workstations on the same VLAN or subnet as a tablet, copier, printer, or physical security device. 

More specific to healthcare, the report found medical device deployments connected to the same VLAN as other nonmedical IoT devices. These mission critical devices need to be moved to specialized VLANs to reduce the risk of compromise. 

READ MORE: The Key to Improving Medical Device Security is Collaboration, Visibility

Ordr also identified some unique, but highly risky, connections in the hospital setting. In one instance, a Tesla was connected to a hospital network, where a doctor connected to the network from his care in the parking garage.  

Another vulnerable situation included a facilities team connecting the hospital elevators to the network. One other healthcare organization found a Peloton device on the network being used for physical therapy, but “had likely violated HIPAA regulations because of patient data recorded on these devices.” Pelotons are workout bikes that stream on-demand and live workouts. 

Meanwhile, 0 to 15 percent of devices are either unknown or unauthorized. Researchers also found devices being used by hackers for bitcoin mining or showing unusual communication patterns to hostile countries, including Russia, Iran, and North Korea. 

Ordr also detected a proliferation “undocumented, previously unknown firewalls making outbound VPN connections presumably for remote support of various medical systems.” 

“I’ve found that more than 51 percent of IT teams are unaware of what types of devices are touching their network,” said Zeus Kerravala, ZK Research, in a statement. “Perhaps what is more disconcerting is that the other 49 percent often find themselves guessing or using a ‘Frankenstein’d’ solution to provide visibility into their network security, which will almost always create security issues.”  

“To truly realize the potential of IoT, security is paramount,” Ordr CEO Greg Murphy, said in a statement. “As more IoT devices are deployed, security and risk decision makers need to not only gain visibility into what is connecting to their network, but also understand how it is behaving.” 

While awareness around medical device security has drastically improved in the healthcare sector, a lack of resources, collaboration, and an understanding of how devices communicate and connect to each other have hampered efforts to shore up these critical risks. 

Healthcare organizations should review insights from the FDA, Healthcare and Public Health Sector Coordinating Council, and Medical Imaging & Technology Alliance to gain insights into the risk management processes needed to address device-related concerns.