Connected Medical Devices—the Next Target for Ransomware Attacks

The following is a guest article by Ryan Witt, Healthcare Cybersecurity Leader at Proofpoint

The Internet of Medical Things, or IoMT, is a dense web of interconnected devices that plays an increasingly vital role in care delivery. Unfortunately, these devices have also significantly enlarged healthcare’s cyber risk, and security researchers have been warning about their vulnerabilities for more than a decade. While we have not yet seen threat actors widely exploiting those vulnerabilities in the wild, it is only a matter of time, and the consequences of an event such as an IoMT ransomware attack would be devastating to patients’ safety and wellbeing.

The U.S. Food and Drug Administration (FDA) has recognized the problem and issued multiple guidance documents over the years, most recently in March 2023, to ensure the cybersecurity of medical devices. Although FDA guidance is not legally enforceable on its own, device manufacturers no longer have a choice but to comply. The recently enacted Consolidated Appropriations Act, 2023, which includes a section on medical device security, provides the teeth the guidance lacked: it added a requirement to the Federal Food, Drug, and Cosmetic Act that premarket submissions for new “cyber devices” include cybersecurity information, such as a software bill of materials (SBOM) and a plan for monitoring and remediating vulnerabilities, and FDA can refuse to accept submissions that lack it.

Healthcare organizations, however, should not wait for these government mandates to take effect. Millions of vulnerable medical devices are in operation today, and the new requirements apply only to new submissions, not to the installed base. Given the cost of replacing those devices, organizations are unlikely to act without a carrot or a stick.

More than 20% of healthcare organizations that suffer a cyber attack see higher mortality rates, and the majority of healthcare organizations experienced an average of 43 attacks in the past 12 months—nearly one a week—according to a September 2022 report by Proofpoint and Ponemon Institute. Further, insecure medical devices were the top cybersecurity concern identified by healthcare IT security practitioners. This data clearly shows that the sector needs to start making IoMT cybersecurity a priority now to prevent human harm—not wait for the government to take the lead.

How Threat Actors Can Leverage IoMT

ECRI, an independent nonprofit recognized as an authority on healthcare technology and safety, ranked cyber attacks as the top health technology hazard in 2022. As ECRI noted, a cybersecurity incident could threaten medical devices “that have become essential for safe and effective care delivery” and can “disrupt patient care, posing a real threat of physical harm.”

One of the biggest challenges with medical devices is that they run on outdated software, some of it as old as Microsoft Windows 95, that is difficult or even impossible to patch or to protect with third-party controls; even where a patch exists, it typically cannot be applied until the manufacturer has validated it for that device. Researchers have found that a medical device has an average of six vulnerabilities, and that 53% of connected medical devices have known critical vulnerabilities, according to a September 2022 Federal Bureau of Investigation (FBI) bulletin. Each of these vulnerabilities offers an attacker an entry point. And because the life cycle of these devices can be as long as 30 years, they expose an organization for a very long time.

Take, as an example, insulin pumps that connect wirelessly to a controller or a phone so that insulin delivery to a patient can be adjusted remotely. A 2019 FDA safety warning stated that an unauthorized party “could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings”, harming the patient by either overdelivering or underdelivering insulin. Vulnerable clinical systems of this kind also add another pathway for launching a ransomware attack on a hospital.

It is not hard to imagine the magnitude of impact if malicious actors obtain control over medical systems and remove them from operation at a hospital with hundreds of beds. It is true that today, the adversary is much more likely to start with a phishing attack—and many healthcare organizations are doing a good job protecting themselves from phishing. However, the fact that attacks on medical devices are not today’s problem does not mean that healthcare organizations should ignore the real possibility. As we all know well, threat actors continually pivot—and when organizations bolster their defenses in one area, attackers find new methodologies for exploiting untapped opportunities.

Thinking of Machines as Identities

The National Institute of Standards and Technology (NIST), in its practice guide on securing wireless infusion pumps (NIST SP 1800-8), recommends a defense-in-depth approach to protect the infusion pump ecosystem against attacks that could allow malicious actors to change the pump’s function, alter medication doses, or steal sensitive information. The same strategy should be considered for any other medical device that connects to the organization’s networks, IT systems, and other technology.

Unfortunately, most solutions on the market offer limited capabilities for IoMT defense in depth. Vendors commonly offer the ability to discover and inventory the devices connected to your network and to implement microsegmentation to limit lateral movement within your environment. Understanding your landscape and risk profile, and containing the network once an intruder compromises a medical device, is prudent and necessary, but these controls do not solve the problem on their own: you will still lose control of the device and put patients at risk.

One highly effective tactic within IoMT defense in depth is the deployment of decoy devices that appear real to an attacker who is probing your network for vulnerabilities. Much like a honeypot, such an emulation mimics both the device and the network communication patterns the manufacturer specifies for it. Think of these simulated devices as a minefield: no legitimate system is ever configured to talk to them, so the attacker only has to touch one fictitious device to trigger an alarm. Provided you allowlist (or at least tag) the traffic from your own vulnerability scanners and asset-discovery tools, every remaining alert is a high-fidelity indication of an intruder that you can act on immediately to remove the threat from your network.
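As an added illustration of that idea (example code written for this edit, not part of the original article or of any Proofpoint product), the following is a minimal low-interaction decoy that impersonates an HL7 v2 interface engine speaking MLLP on TCP port 2575, a protocol that clinical systems on a hospital network routinely use. The application and facility names it announces, the scanner address it allowlists, and the test message are all assumed or constructed; the decoy runs no vulnerable software, so it cannot be turned against you, but it answers with a plausible ACK to keep the session looking real.

```python
# Added example (not from the article or Proofpoint): a low-interaction decoy
# that looks like an HL7 v2 interface engine on the conventional MLLP port.
# Nothing legitimate is ever configured to send to it, so any session is a lead.
import json
import socketserver
import sys
from datetime import datetime, timezone
from typing import Optional

DECOY_APP = "HOSP_IE"          # assumed: name the decoy announces in MSH-3
DECOY_FACILITY = "MAINCAMPUS"  # assumed: facility the decoy announces in MSH-4
LISTEN_PORT = 2575             # conventional MLLP port
# Assumed: addresses of your authorised vulnerability scanner / asset-discovery
# tools. They will trip the decoy too; downgrade them rather than ignore them.
KNOWN_SCANNERS = {"10.0.0.5"}

SB, EB, CR = b"\x0b", b"\x1c", b"\x0d"   # MLLP start block, end block, carriage return


def parse_mllp(frame: bytes) -> Optional[str]:
    """Return the HL7 payload if the frame is MLLP-wrapped, else None."""
    if len(frame) < 3 or not (frame.startswith(SB) and frame.endswith(EB + CR)):
        return None
    return frame[1:-2].decode("ascii", errors="replace")


def msh_fields(message: str) -> dict:
    """Extract the MSH fields worth alerting on (HL7 counts from 1, with MSH-1 = '|')."""
    f = message.split("\r")[0].split("|")
    if f[0] != "MSH" or len(f) < 10:
        return {}
    return {"sending_app": f[2], "sending_facility": f[3],
            "msg_type": f[8], "control_id": f[9]}


def build_ack(message: str, code: str = "AA") -> bytes:
    """Answer with a plausible HL7 ACK so the decoy behaves like a real engine."""
    src = msh_fields(message)
    ts = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    msh = "|".join(["MSH", "^~\\&", DECOY_APP, DECOY_FACILITY,
                    src.get("sending_app", ""), src.get("sending_facility", ""),
                    ts, "", "ACK", src.get("control_id", "0"), "P", "2.5"])
    msa = f"MSA|{code}|{src.get('control_id', '0')}"
    return SB + f"{msh}\r{msa}\r".encode("ascii") + EB + CR


def alert_for(peer_ip: str, frame: bytes) -> dict:
    """Turn one decoy session into an alert record. Every touch is reportable."""
    payload = parse_mllp(frame)
    alert = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": peer_ip,
        "decoy": f"{DECOY_APP}:{LISTEN_PORT}",
        "severity": "info" if peer_ip in KNOWN_SCANNERS else "high",
        "well_formed_hl7": payload is not None,
    }
    if payload is not None:
        alert.update(msh_fields(payload))      # who the sender claims to be
    else:
        alert["raw_prefix"] = frame[:32].hex()  # e.g. an HTTP probe or a port scan
    return alert


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request.recv(65536)
        alert = alert_for(self.client_address[0], data)
        print(json.dumps(alert), file=sys.stderr)   # forward to the SIEM in practice
        payload = parse_mllp(data)
        if payload is not None:
            self.request.sendall(build_ack(payload))


if __name__ == "__main__":
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", LISTEN_PORT), DecoyHandler) as srv:
        srv.serve_forever()
```

Place the decoy on the same VLAN as the devices it imitates and give it an inventory entry and a DNS name consistent with them, otherwise an attacker who has already enumerated the segment will notice it does not belong. The alert records carry the sender’s claimed application and facility from MSH, which tells you what the intruder is pretending to be, and anything that is not even valid MLLP (an HTTP probe, a raw port scan) is reported with its first bytes.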

Since it may not be feasible to emulate every single type of medical device, you could prioritize the riskiest ones using the techniques of identity-centric security. Just like some roles within your organization are more valuable to attackers, so are medical devices if the malicious actors’ goal is to wreak havoc and cause harm.

Many organizations take a three-pronged approach to protecting sensitive data: monitoring user behavior, looking at the content users access, and applying additional controls to the most highly targeted users, for example those with privileged access. You can extend the same principles to IoMT by treating machines as identities, especially when the machines already have accounts in Active Directory.

Viewing medical devices as identities helps you understand what attackers are trying to do within your IoMT ecosystem and what they are trying to access and compromise. Once you have this telemetry, deploying emulations to the highly targeted, high-risk devices will make it much more difficult for attackers to get to the devices that are most attractive to them.
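To make the identity-centric prioritization above concrete (example code written for this edit, not from the article or Proofpoint), the block below joins a device inventory keyed by Active Directory machine account with authentication telemetry for those accounts, scores each device identity by patient impact, known weaknesses and the attacker attention it is already drawing, and returns the identities to emulate first. The inventory, the events, the weights and every field name are constructed for the example; the only real-world anchors are the Windows security event IDs 4625 (failed logon) and 4624 (successful logon) and the trailing “$” that AD uses for machine accounts.

```python
# Added example (not from the article or Proofpoint): rank medical-device
# identities so that decoys are deployed where they pay off most.
# The inventory, telemetry, weights and field names below are constructed.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory, keyed by the device's AD machine account (trailing "$").
INVENTORY = [
    {"id": "INFPUMP-ICU-01$", "kind": "infusion pump", "patient_impact": 5,
     "known_critical_cves": 2, "patchable": False},
    {"id": "MRI-RAD-02$", "kind": "MRI console", "patient_impact": 3,
     "known_critical_cves": 1, "patchable": False},
    {"id": "VITALS-WARD3-07$", "kind": "vitals monitor", "patient_impact": 2,
     "known_critical_cves": 0, "patchable": True},
    {"id": "PACS-SRV-01$", "kind": "imaging archive", "patient_impact": 3,
     "known_critical_cves": 3, "patchable": True},
]

# Constructed telemetry: logon events against those identities, reduced to the
# fields used here (Windows security event 4625 = failed logon, 4624 = success).
EVENTS = [
    {"target": "INFPUMP-ICU-01$", "src_ip": "10.20.3.7", "event_id": 4625},
    {"target": "INFPUMP-ICU-01$", "src_ip": "10.20.3.7", "event_id": 4625},
    {"target": "PACS-SRV-01$", "src_ip": "10.20.3.7", "event_id": 4625},
    {"target": "PACS-SRV-01$", "src_ip": "10.20.5.9", "event_id": 4625},
    {"target": "PACS-SRV-01$", "src_ip": "10.20.8.2", "event_id": 4625},
    {"target": "VITALS-WARD3-07$", "src_ip": "10.20.3.7", "event_id": 4625},
    {"target": "MRI-RAD-02$", "src_ip": "10.20.1.1", "event_id": 4624},
]


def exposure_from_telemetry(events) -> Dict[str, Tuple[int, int]]:
    """Per identity: (failed logon attempts, distinct source addresses)."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625:            # only failures count as hostile interest
            attempts[e["target"]] += 1
            sources[e["target"]].add(e["src_ip"])
    return {t: (attempts[t], len(sources[t])) for t in attempts}


def risk_score(device: dict, telemetry: Dict[str, Tuple[int, int]]) -> float:
    """Static risk (impact x weaknesses, worse if unpatchable) scaled by attacker attention."""
    attempts, distinct = telemetry.get(device["id"], (0, 0))
    base = device["patient_impact"] * (1 + device["known_critical_cves"])
    if not device["patchable"]:
        base *= 1.5                           # assumed weighting for devices you cannot fix
    # many distinct sources weigh more than repeated attempts from one host
    return base * (1 + min(attempts, 10) / 10 + distinct)


def rank_for_emulation(inventory: List[dict], events, top_n: int = 2) -> List[str]:
    """Identities to emulate first: highest risk score wins."""
    tel = exposure_from_telemetry(events)
    ranked = sorted(inventory, key=lambda d: risk_score(d, tel), reverse=True)
    return [d["id"] for d in ranked[:top_n]]


if __name__ == "__main__":
    tel = exposure_from_telemetry(EVENTS)
    for d in sorted(INVENTORY, key=lambda d: risk_score(d, tel), reverse=True):
        print(f"{d['id']:<18} {d['kind']:<16} score={risk_score(d, tel):.1f}")
    print("emulate first:", rank_for_emulation(INVENTORY, EVENTS))
```

With the constructed data, the imaging archive outranks the infusion pump because three distinct hosts have been trying its account, even though the pump has the higher patient impact; the point is that the ranking moves as the telemetry does, which is what lets you re-aim the emulations at whatever attackers are currently reaching for.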

Prepare for the Future Now

IoMT adoption continues to grow rapidly. Forecasts estimate the market to expand at a compound annual growth rate of 23% between 2023 and 2028. For threat actors, this means a vast opportunity ripe for exploitation. Couple this trend with the ubiquity of ransomware attacks—which have proven very lucrative for cybercriminals—and it becomes clear that attacks on medical devices could soon move from Hollywood lore to reality.

Considering that change is painstakingly slow when it comes to medical device security, healthcare organizations simply cannot wait on the sidelines until that threat hits closer to home. The stakes are simply too high.

About Ryan Witt

Ryan Witt is a healthcare cybersecurity leader at the cybersecurity company Proofpoint. He has 15+ years of experience advising healthcare institutions on the value of robust data protection to enable success in the new health economy. He is a recognized healthcare cybersecurity speaker, moderator, panelist and blogger who works extensively with HIMSS, CHIME, AEHIS, WEDI, and IDC.
