How Medical Device Vendors Hold Healthcare Security for RansomNovember 19 2019
Four-hundred-ninety-one ransomware attacks slammed US healthcare organizations in the first three quarters of 2019 alone, according a recent report by Emsisoft. Cyberattacks on healthcare are reportedly already 60% higher than 2018 figures. The US Food and Drug Adminstration FDA just issued warnings about an urgent remote code execution vulnerability affecting millions more medical devices than initially thought.
And yet IT security teams at hospitals and healthcare centers are hampered in their efforts to defend against these threats, hamstrung, in part, by vendors that fail to take security seriously.
Thomas August, CISO at John Muir Health, a healthcare system compromising two acute care hospitals, a behavioral health center, and community health practices throughout the east San Francisco Bay area, has seen his peers wrestle with ransomware attacks. He has his own ideas on why organizations in his industry are such popular targets.
August points out that the devices on his networks are split between traditional IT systems in the billing and records functions, and advanced Internet of Things (IoT) devices in the healthcare delivery areas. Many of those IoT devices are built on software and operating systems that are archaic and unpatched (think Windows 95).
And then the news gets bad.
Many of the medical devices attached to the hospital network are managed, under contract, by the vendor.
“In the case of medical devices specifically, the vendors have historically not done a very good job of owning their end of the bargain,” August says. “They don’t allow health systems to patch. They don’t allow health systems to put anti-malware on them. They don’t allow health systems to change admin credentials. There’s a lot of things they don’t allow the health systems to do, and if we try to do it it breaks the warranty.”
So these are the types of choices August is faced with: leave a radiology scanner open to vulnerabilities or protect a radiology scanner with antivirus knowing that if the AV causes the scanner to malfunction, the device manufacturer will refuse to cover any repairs and the hospital will likely need to replace that million-dollar radiology scanner. The usual security monitoring tools that work for other systems, like SIEMs, also won’t work for these embedded systems.
As he talks about the impact of the situation, August doesn’t mince words. “In a lot of regards, the systems that we have are subject to the vendors really owning their responsibility here, and there’s nothing we can do about it,” he says. “It’s very, very, frustrating.”
But frustration doesn’t equate to inaction for August and other healthcare CISOs.
“For the most part, we segment them off and just keep them in their own private Idaho because there’s very little else we can do,” August says. “If I can’t keep certain devices from accessing the Internet by putting filters up, I can segment them in such a way that they have no way to get to the Internet, period.”
When faced with a variety of different devices with varying levels of built-in security capabilities and update status, not to mention management responsibility and ownership, proper segmentation is key to overall network health, August suggests.
But while unpatched IoT devices may be a key source of frustration, the critical sources of and reasons for ransomware infection lie elsewhere.
(continued on next page)
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio