Obsolete medical equipment, a major threat
According to a study, IoT healthcare devices running on outdated versions of Windows or Linux are easy targets, especially for ransomware gangs. Network segmentation may be a solution provided that a certain balance is respected.
For several years now, healthcare establishments have been a playground for cybercriminal groups, particularly those spreading ransomware. Like schools, hospitals are a target of choice, with a lower level of security than other sectors. A study conducted by Cynerio shows the particular weaknesses of IoT medical equipment: 53% of the devices it examined present cybersecurity risks. Cynerio manufactures IoT systems for the healthcare industry and has analyzed over 10 million medical devices.
In detail, the report notes that IV (intravenous) pumps represent 38% of a hospital’s IoT footprint and that 73% of these pumps have at least one vulnerability. Such a flaw can be used by cybercriminals at best to steal data, at worst to endanger patients’ lives. “Healthcare systems present multiple attack surfaces, from the very infrastructure of a hospital to the increased (or even complete) digitization of medical records,” said Liz Miller, analyst at Constellation Research. “The pandemic opened Pandora’s box for attackers and it quickly became a succession of attacks on networks, systems and endpoints.”
A complicated patch management
The problem with medical equipment is that some of it is in constant use: 79% of IoT devices are used at least once a month. “Once a medical device is in use for a patient, it can be used for days or weeks,” said Daniel Brodie, CTO of Cynerio. He adds, “Many devices have 24/7 operational requirements, and an interruption, even for a patch, could have serious consequences for medical workflows, patient safety and hospital operations.”
Another contributing factor to devices not getting timely updates is that a typical hospital network can host a mix of devices from different vendors. Patch management and versioning are becoming too complex to complete in the planned downtime, according to Daniel Brodie.
Risky Linux and outdated Windows in intensive care
Almost half (48%) of the IoT devices analyzed were running Linux. The problem is that “we are seeing an increase in the targeting of Linux endpoints by ransomware groups in IoT environments,” the executive notes. “Criminals tailor their attacks, almost on a personalized basis, to the unique configuration of a hospital. It takes longer than a ‘spray and pray’ attack, but the potential payoff is higher.”
Another key finding of the report is that, although only a marginal number of healthcare IoT devices run Windows, the critical care sector is largely dominated by equipment running older versions of Windows, generally older than Windows 10. Such environments are also found in hospital departments such as pharmacology, oncology and laboratories.
Ransomware leads IoT attacks
Of the many cyberattacks targeting the healthcare industry, ransomware has proven to be the most problematic lately. Cynerio’s report highlighted that in 2021, ransomware attacks on hospitals increased by 123% over the previous year, costing a total of $21 billion for more than 500 attacks. The average cost per ransomware attack was found to be $8 million and the average recovery time is estimated to take around 287 days.
In a typical attack, the endpoints that go down first are those that track patients’ vital signs, as well as medical record systems, Brodie said. Then comes the shutdown of communication systems, including email and VoIP phones, which makes it difficult to transmit essential information. Institutions then have no choice but to switch to degraded mode with a return to paper and pencil. Other systems can also be affected, such as scanners, radios, infusion and insulin pumps, printers and other network equipment.
The delicate balance of network segmentation
Several health IoT threats have recently been publicized, such as Urgent/11 and Ripple20, but they represent only 10% of all attack vectors. According to the Cynerio report, the main flaws are the CVEs of Cisco IP phones (31%), weak HTTP credentials (21%) and open HTTP ports (20%).
The report recommends quarantine and network segmentation as the most effective techniques for remediating vulnerabilities, since patching is difficult for IoT devices from different vendors. It also emphasizes that a good balance of network connections must be found. For this, it favors a mix of east-west (device-to-device) and north-south (server-to-endpoint) segmentation, a way to ensure security without disrupting connectivity. “Context is important, specifically in a healthcare setting: you can’t have segmentation interfering with clinical workflows or interrupting patient care. It is therefore essential to find a balance between connection and segmentation,” says Brodie. He concludes with the example of infusion pumps, which could be connected only to data center servers (north-south segmentation) and not to other servers or devices that would be easier to reach.
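As an added illustration, not code from Cynerio or the report, here is a small policy check for the north-south rule just described: the infusion pump segment may exchange traffic only with data center servers, and any pump-to-pump (east-west) or pump-to-workstation flow is flagged. All segment names, address ranges, ports and flow records are constructed for the example.

```python
import ipaddress

# Constructed segments; address ranges are placeholders for illustration.
SEGMENTS = {
    "infusion_pumps": ipaddress.ip_network("10.20.0.0/24"),
    "datacenter": ipaddress.ip_network("10.10.0.0/24"),
    "clinical_workstations": ipaddress.ip_network("10.30.0.0/24"),
}
IOT_SEGMENTS = {"infusion_pumps"}
# North-south policy: pumps may exchange traffic only with data center servers on
# these ports; pump-to-pump (east-west) and pump-to-workstation flows are denied.
ALLOWED = {frozenset({"infusion_pumps", "datacenter"}): {443, 8443}}

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src_ip, dst_ip, dst_port):
    """Apply the policy to one flow; flows not touching an IoT segment are out of scope."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src not in IOT_SEGMENTS and dst not in IOT_SEGMENTS:
        return True
    if src == dst:
        return False  # east-west traffic inside the IoT segment is never allowed
    return dst_port in ALLOWED.get(frozenset({src, dst}), set())

def audit(flow_lines):
    """Parse 'src dst dst_port' flow records and return the flows violating policy."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            violations.append((src, dst, int(port)))
    return violations

# Constructed flow records, in the shape a flow collector might export.
SAMPLE_FLOWS = [
    "10.20.0.5 10.10.0.10 443",   # pump -> data center server: allowed
    "10.10.0.10 10.20.0.5 8443",  # data center server -> pump: allowed
    "10.20.0.5 10.20.0.6 22",     # pump -> pump (east-west): violation
    "10.20.0.5 10.30.0.7 445",    # pump -> clinical workstation: violation
    "10.30.0.7 10.20.0.5 80",     # workstation -> pump: violation
    "10.30.0.7 10.10.0.10 443",   # workstation -> server: out of scope, not flagged
]
```

Running `audit(SAMPLE_FLOWS)` over a real flow export would list exactly the connections that a north-south-only pump policy should never see.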