Software Vulnerabilities Point to Need for ICS Security in Healthcare

April 06, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an industrial control system (ICS) medical advisory regarding the LifePoint Informatics patient portal. If exploited, the vulnerability could lead to protected health information (PHI) exposure.

“Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting,” the advisory explained.

The vulnerability impacts LifePoint Informatics’ patient portal version LPI 3.5.12.P30. However, LifePoint Informatics released and deployed an updated version of its patient portal in February 2022, which effectively mitigated this vulnerability. Since the patient portal is a hosted application, users do not need to take action.

Although this specific vulnerability was deemed low-risk, CISA’s advisory urged users to take defensive measures to reduce the risk of exploitation. Specifically, CISA recommended that users minimize network exposure for all control system devices, isolate control system networks and remote devices from the business network, and utilize VPNs.

The agency also directed organizations toward its ICS security best practices and resources. But securing industrial control systems can be more challenging than securing IT environments.

“Industrial control systems are used for managing, directing, and regulating the behavior of automated industrial processes. ICS is a term that encompasses several types of control systems, but all these systems have some basic traits in common,” Stephen Mathezer wrote in a SANS Institute blog post.

“Their job is to produce a desired outcome, typically maintaining a target state or performing a certain task in an industrial environment. They carry out this function using sensors to gather real-world information. They then compare this data with desired set points, and compute and execute command functions to control processes through final control elements, such as control valves, to maintain desired states or complete tasks.”

ICS security is crucial to maintaining operations and mitigating overall enterprise risk.

“In each of these critical infrastructure sectors, different industrial control systems are continuously at work regulating flow rates, opening and closing breakers, monitoring temperature levels, and performing many other functions,” Mathezer continued.

A recent report by Claroty found that healthcare IoT, IT, and medical device vulnerability disclosures have increased in recent years, signaling a need for better ICS security. Researchers found that ICS vulnerability disclosures grew by 110 percent over the last four years, with a 25 percent increase in the latter half of 2021 alone.

“While the volume of headline-grabbing attacks dwindled in the second half of 2021 compared to the first six months, those incidents will only fuel the eventual prioritization of XIoT cybersecurity among decision makers,” the report predicted.

“This indicates that organizations will merge OT, IT, and IoT under converged security management, and that OT and ICS will no longer be their own walled-off disciplines. Therefore, asset owners and operators must have a thorough snapshot of their environments in order to manage vulnerabilities and lessen their exposure.”

CISA’s advisory recommended that organizations adopt defense in depth strategies to improve ICS security.

Defense in depth strategies can ensure that if one technical, administrative, or physical safeguard fails to detect an intrusion, other tools will be at the ready. Organizations should implement proper access controls, VPNs, endpoint security systems, and other safeguards to layer defenses properly.

“CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” the advisory emphasized.

CISA also urged organizations to protect themselves from social engineering attacks by learning about the signs of phishing attacks.

As security threats continue to impact the healthcare sector, organizations must remain vigilant and implement a holistic security program to mitigate risk.