Getty Images/iStockphoto
Medical Device Security Stymied by Legacy Tech, Flawed Segmentation
Forescout’s Connected Medical Device Security report shows improved awareness around healthcare on network segmentation and legacy devices, but other security challenges remain.
Healthcare delivery organizations are increasingly deploying medical devices, IoT, and other medical platforms to improve connectivity and support patient care. But failed network segmentation, legacy devices, and other network failures continue to heighten risks to the enterprise, according to Forescout.
The majority of US hospitals reported falling victim to a significant security incident in the past two years. Combined with threats designed to prey on COVID-19 fears, cybersecurity risks in healthcare have remained hard to defeat.
This month alone has seen a number of hospital organizations reverting to EHR downtime after falling victim to security incidents and ransomware attacks, while ransomware hacking groups have posted data exfiltrated for more than a dozen providers.
In response, Forescout analyzed data from its Device Cloud, an internal repository that contains data from about 3.3 million devices on hundreds of healthcare networks, combined with a detailed analysis of network traffic from a range of large healthcare delivery organizations, for its 2020 Connected Medical Device Security report.
On average, healthcare delivery organizations have 20,000 devices, including IT, IoMT, OT, and IoT devices.
Comparing research from its 2019 report, Forescout Research Manager Daniel dos Santos explained to HealthITSecurity.com, the goal was to determine what has changed in the past year across healthcare networks.
According to the report, there was a huge push in healthcare to upgrade from platforms for which Microsoft ended support in January 2020, to Windows 10 versions. And the majority of healthcare networks upgraded to Windows 10 in the last year.
Sixty-eight percent of healthcare organizations leverage devices running versions on Windows OS supported for more than a year: nearly a 40 percent increase from 2019 (29 percent). The report also showed a 40 percent decrease in devices operating on unsupported Windows versions, from 71 percent in 2019 to 32 percent this year.
However, Forescout found there was no change in the number of organizations operating with even older platforms like Windows XP – for which Microsoft ended support years ago. The amount remained at 0.4 percent for both the 2019 and 2020 reports.
“It’s a clear indication that the problem of legacy devices is going to continue for some time,” said dos Santos. “The number of legacy devices is what worries us, year after year. It seems like it’s just going to continue, the percentage of those out-of-band, old versions of Windows.”
Network Segmentation Remains Problematic
Segmentation is fundamental for limiting the attack surface in healthcare, achieved by combining several techniques, like VLANs, Access Control Lists, firewalls, and subnets. The cyber community made a massive push for network segmentation in the last year, supported by recent guidelines from NIST.
Forescout found an increase in the number of segmented devices in deployments, which pointed to a push for greater network segmentation across the sector. The number of VLANs also increased across the sector, pointing to an increase in segmentation.
"Medical data exposed online is routinely traded by hackers in underground markets.”
However, a deeper dive into the data revealed the majority of providers continue to struggle to appropriately apply surface view segmentations. There are also a concerning number of organizations that mixed personal and medical devices in healthcare segments.
“There may be segments that mix sensitive and vulnerable devices, which means that a vulnerable device may be used to reach a sensitive one...the mix of different device types can lead to network vulnerabilities,” the report authors wrote.
Concerningly, for every VLAN with at least one healthcare device, 60 percent of healthcare delivery organizations also had non-healthcare devices within the same segment. And 90 percent of VLANs have a mix of healthcare and IT devices, indicating that although VLAN use is increasing across the sector, most organizations still don’t consider a device’s purpose when applying network segmentation.
Another example reviewed by Forescout showed computers and printers are often present in the same VLAN as healthcare equipment, such as patient monitors and X-ray machines.
“Networking devices like serial-toIP converters used to connect serial healthcare devices to computing workstations are also on the same segment as these devices,” the report authors wrote. “It’s important to note that the security status of the general-purpose computing equipment can directly affect the security status of the specialized healthcare devices communicating on the same VLAN.”
“We see instances of personal devices, such as smartphones, smartwatches, tablets and OT devices on the same VLAN as sensitive healthcare equipment,” they added. “These devices might contain vulnerable software or targeted malware which can make other devices on the VLAN susceptible to infection, as well.”
Mobile devices, for example, should be moved to a network specifically meant for personal devices, while a barcode scanner should be move to VLAN dedicated to equipment scheduling or facilities. Then, the segments should be restricted by network access privileges to the medical device segment.
What’s more, the healthcare delivery networks analyzed by Forescout relied on insecure protocols for both medical and non-medical network communications. The report also found examples of sensitive external communication.
Specifically, four out of the five healthcare delivery organizations examined by Forescout were communicating between private and public IP addresses using medical protocol HL7, which uses clear text to exchange medical information, enabling an attacker to easily read and leak sensitive patient information.
Two out of five of the organizations had medical devices communicating over IT protocols with external servers. One medical information system communicated externally over Secure Shell (SSH), while another reached a web server via HTTP and one more downloaded files from an external server using FTP.
“In this last instance, the external server was shown on Shodan with more than 25 vulnerabilities. Attackers would have an easy entry point into the network simply by compromising these external servers to serve malicious files (such as remote access tools),” according to the report.
“We even found that one out of the five HDOs had an application with electronic health records exposed on the public internet,” it continued. “This issue has been previously explored by the security community, and it is well known that medical data exposed online is routinely traded by hackers in underground markets.”
"Not applying patches will always be riskier than applying them."
Vulnerable Device Communication
For dos Santos, the real challenge is the communication between devices within and across segments, leveraging older versions of protocols, applied cryptographic measures, or the use of clear text, on which several medical device platforms rely.
“A proper segment only contains devices that should be talking together, not by physical activity,” dos Santos said. “The report shows relapses in segmentation. All similar devices need the same network segments, broken down by the make of devices and IoT.”
“This is the second major point: there is a push for greater network segmentation, the awareness is good across the industry as a whole,” he added. “But when it comes down to applying it, there’s still several concerning gaps.”
There are several older protocols and signals, which highlight that the medical device and IoT security risks are not just caused by a failure to patch or properly apply segmentation. Namely, the cryptographic protocol TLS, used to secure network communication, is proving problematic for the sector.
Older TLS versions are prone to attacks, where an attacker can downgrade connections to decrypt traffic and then gains access to sensitive information. Forescout found the insecure versions are still in use at all examined healthcare delivery organizations, both externally and internally.
Further, all healthcare delivery organizations were using obsolete versions of other protocols, such as SNMP versions 1 and 2, used to manage and monitor the status of networked devices. Another three out of five HDOs were continuing to use the clear-text, unencrypted Telnet protocol, designed in 1969 and long-ago replaced with SSH.
In fact, Telnet is commonly used by HDO networks today. And most organizations continue to use insecure medical device protocols, such as DICOM, POCT01 and LIS02.
“While supporting critical operations in healthcare delivery organizations, these medical protocols often lack encryption and authentication, or they do not enforce its usage,” the report authors wrote. “The HL7, DICOM and POCT01 standards cite the possibility of encrypting transmitted data in their standardization documents but leave the choice of implementation to individual deployments.”
“This is often due to resource constraints in medical devices or the belief that communications in internal ‘closed’ networks do not need to be protected, which is against the modern security mindset of assuming that breaches are inevitable,” they added.
As a result, researchers determined that none of the analyzed HDOs were encrypting traffic on these protocols, leaving the traffic exposed in clear text.
Medical Device Security Gaps: Easy Targets
Forescout also sought to understand just how simple it would be for an attacker to gain access to a network or to manipulate patient data leveraging the above vulnerabilities without proper segmentation, and the results were concerning.
"The only viable solution is to have an automated network monitoring solution that gathers this data from devices."
Researchers were able to conduct a host of nefarious activities, including passively intercepting test results sent in clear text by operators, by observing network traffic and examining the POCT01 packets, while actively intercepting test results “bringing rogue devices that can serve as fake LIS servers into hospitals.”
“Due to the lack of traffic encryption, these devices can then hijack communications between a POCT device and a legitimate LIS server (e.g., via ARP cache poisoning),” the report authors explained. “Then, attackers can execute a limited set of remote commands via POCT01 that the device supports: e.g., force the device to send all pending test results to the fake LIS server, or update the list of device administrators.”
This a realistic scenario, given the current state of network segmentation in healthcare. Researchers were also able to change test results, disconnect a patient monitor, and even tamper with a patient’s vital readings, among a host of other activities, all through leveraging the common vulnerabilities and failed proper network segmentation.
The Need for Visibility and Proper Segmentation
Dos Santos stressed that it’s imperative healthcare organizations take action to close these gaps, prioritizing visibility onto the network
“To be able to maintain delivery of care through these devices, you need to have visibility and known what is running on devices and to be able to map devices and their communication: it take the normal cyber hygiene rules,” explained dos Santos.
“The way we see it, the only viable solution is to have an automated network monitoring solution that gathers this data from devices,” he added. “But the first thing we have to admit is that it’s a hard problem to segment, just like visibility: segmentation is hard and probably harder than gaining visibility.”
Providers first need a foundation based on visibility that will lend to the segmentation process from both internal and external exposures. Administrators should look at devices and plan to segment each into zones, which is the best approach to start, supported by policies.
Segmentation policies can be driven by the need to classify and control devices by function and vendor, enable remote vendor or business associate report, or even to safeguard the availability and reduce exposure to critical applications.
“Simulating security policy prior to enforcement is crucial – it is one of the only ways to ensure that access to data and applications is appropriately limited without causing downtime, malfunction or other breaking changes, all of which can be disruptive to HDO operations and potentially harm patients or prevent the saving of life itself,” the report authors wrote.
Segmentation is not a one-time project, but rather a dynamic effort that takes into consideration the effect of policies on the network. In terms of priorities, automation can help provide the necessary visibility and response, in terms of patching and segmentation, through a comprehensive workflow.
“There are steps that still require human attention, but much of what comes before in the cyber hygiene part can already be done in a good degree with automation: network traffic, segmentation,” said dos Santos.
Automation can also assist with patch management, as the process is difficult in a critical environment like healthcare. While there are some concerns about safety when it comes to patching, dos Santos stressed that when it comes to medical devices, those patches are verified to ensure patient safety is maintained.
“But not applying patches will always be riskier than applying them,” he said.
For now, healthcare is continuing to improve. But dos Santos said that as the pandemic continues and hackers increasingly improve the sophistication of their attack methods, providers must begin to take the necessary steps to harden their defenses.