By now, everyone has probably heard about the Mirai botnet, which launched a Distributed Denial of Service (DDoS) attack against Dyn (an Internet performance company). During this attack, large portions of the Internet were affected, and a number of major company sites were brought down, including Twitter, Amazon, and Netflix. What generated the most attention was not merely the volume of infected endpoints, but the type of endpoints leveraged in the attack: IoT devices, simple smart home devices lacking security and/or configured with default credentials.
What does this attack have to do with healthcare smart rooms? Think it’s a stretch? Let’s take a look at this theory.
Healthcare smart rooms are the latest trend throughout major health systems. This trend is a result of a movement that aims to improve the safety, quality, and efficiency of care provided to patients. In the age of quality measures and improved outcomes, it’s an expected path for providers.
Hospital smart room technology includes common hardware such as a patient screen, a caregiver screen, and a smartboard. These devices present a wealth of visual information to patients and caregivers and streamline the entire care process. In addition, smart rooms are filled with a plethora of WiFi and Bluetooth enabled devices such as blood pressure cuffs, thermometers, and infusion pumps. There's no question of the efficiency these devices bring; at the very least, they eliminate input errors from humans typing incorrect values and information.
Unfortunately, although everyone agrees on the need for appropriate security measures, by and large, device manufacturers have yet to find enough incentive to add basic security capabilities to most of the medical devices they manufacture. This year alone, countless reports have been published on medical device vulnerabilities, from supply cabinets to infusion and insulin pumps, with more than 14,000 incidents of pumps being hacked.
Of course there are varying degrees of program maturity across the healthcare sector, but it's fair to say the sector has been in big trouble for the past several years. Last year was huge for traditional security breaches and data exfiltration reported at many health related organizations. This year, many providers have been hit with ransomware, rendering the organization helpless and forcing it to pay out to recover its data. Currently, despite IT security program expenditures being the highest ever, we're barely keeping up. Any reasonable person would say it's pure insanity to add more risk to this already fragile ecosystem.
Part of the issue with securing our networks stems from poorly designed and archaic network architectures. Once in place, they are extremely difficult — sometimes impossible — to rip and replace. Only in instances of new physical development or buildings will a network architecture usually be overhauled. We are then left with a generally flat, poorly designed, and poorly secured network that is increasingly plagued with new devices that are inherently a greater security risk than the existing assets. Ironically, folks feel great about the new integration as it presents a notion of innovation at work, when all you’ve done is further hurt a fragile security posture.
What should you do: stay away from the technology until there's a security solution?
There’s never a simple answer, but a few proactive measures include:
- Scan the technology with a vulnerability scanner or perform penetration testing against the asset to understand inherent risks (remediate whenever possible)
- Make sure to leverage any configuration options that allow for hardening
- Remove or change all defaults (passwords, open ports, services, etc.)
- Isolate these devices from traditional assets
- Harden your architecture with intrusion detection and firewalls
- Leverage behavioral analytics to baseline expected activity and distinguish it from anomalous activity
- Implement technology enabling lateral visibility on your network (intranetwork east/west visibility)
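As an added illustration of the last three measures (isolation, a behavioral baseline, and east/west visibility), the following script is example code written for this post, not any vendor's product: it learns which destinations each smart-room device normally contacts, then flags flows that break that baseline and says whether they stay inside or leave the isolated segment. Device names, addresses, ports and the 10.20.0.0/16 clinical segment are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Isolated clinical-device segment (assumed address range for this example).
CLINICAL_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Constructed learning-period flows (device_id, dst_ip, dst_port):
# what each smart-room device normally talks to.
BASELINE_FLOWS = [
    ("infusion-pump-01", "10.20.0.5", 443),      # device-management server
    ("infusion-pump-01", "10.20.0.7", 123),      # NTP
    ("bp-cuff-03", "10.20.0.5", 443),
    ("caregiver-screen-02", "10.20.0.9", 8443),  # EHR gateway
]

# Constructed observation window: one east/west and one external anomaly.
OBSERVED_FLOWS = [
    ("infusion-pump-01", "10.20.0.5", 443),      # normal
    ("infusion-pump-01", "10.20.0.12", 445),     # SMB to a peer device
    ("bp-cuff-03", "198.51.100.77", 6667),       # unexpected external host
    ("caregiver-screen-02", "10.20.0.9", 8443),  # normal
]


def build_baseline(flows):
    """Map each device to the set of (dst_ip, dst_port) pairs seen while learning."""
    baseline = defaultdict(set)
    for device, dst, port in flows:
        baseline[device].add((dst, port))
    return baseline


def detect_anomalies(baseline, flows, segment=CLINICAL_SEGMENT):
    """Return (device, dst_ip, dst_port, reason) for each flow not in the baseline."""
    alerts = []
    for device, dst, port in flows:
        if (dst, port) in baseline.get(device, set()):
            continue  # expected behaviour for this device
        if ipaddress.ip_address(dst) in segment:
            # lateral (east/west) movement that isolation should have prevented
            reason = "new east/west destination inside segment"
        else:
            # an isolated device reaching an outside host is the botnet pattern
            reason = "new destination outside isolated segment"
        alerts.append((device, dst, port, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

In practice the flow records would come from NetFlow/IPFIX exports or an east/west sensor, and the learning window should be long enough to cover the devices' full duty cycle before alerts are trusted.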
The critical factor remains: dissect every technology, solution, and asset before you allow it on your network. Understanding the risks and hardening whenever possible are essential in the war against cyber attack. Most importantly, these measures will help mitigate the risk of attackers using these devices against us.