A recent Forescout study highlighted the poor condition of healthcare cybersecurity. The study showed the healthcare industry's overreliance on legacy software, its extensive use of vulnerable protocols, and the lack of security of medical devices.
The study analyzed 75 global healthcare deployments and over 1.5 million devices running on 10,000 virtual local area networks (VLANs). Most of the devices utilize legacy systems. Only 1% of devices utilized unsupported operating systems like Windows XP. However, 71% used operating systems that are nearing end-of-life, like Windows 2008, Windows 7 and Windows Mobile. The three operating systems mentioned will not be supported by Microsoft starting January 2020.
The analysis showed 85% of Windows devices still use SMB, which has a flaw that allowed the WannaCry ransomware attacks in 2017. 35% of devices still have Remote Desktop Protocol (RDP) active. Many also use File Transfer Protocol (FTP).
The use of connected medical devices like infusion pumps, tracking and identification tools, patient monitors and imaging systems has increased, which in turn significantly increased the attack surface. Many of the security risks introduced by those devices have not been successfully mitigated.
The large number of devices and varied operating systems is a major concern for IT security teams. According to the study, 40% of deployments utilized over 20 different operating systems, 41% of VLAN platforms utilized different network, mobile and embedded infrastructure, and in 34% of healthcare deployments over 100 vendors connect to the network. Many vendors perform the patching of healthcare systems themselves, but healthcare IT teams do not know whether the patches were properly applied.
Although it is essential to make sure that all devices are secure, IT teams should first identify all devices connecting to the network. This is difficult because of mergers and acquisitions, and because many devices are being used without the IT department knowing about them.
The complexity of healthcare networks makes security difficult to manage. Patching various devices and updating operating systems is a big and difficult task. Acute care providers cannot simply take down critical care systems, as doing so could jeopardize patient care. In certain cases, vulnerabilities in medical devices are not patched correctly and legacy apps are not compatible with newer operating systems. Also, vendor approval is necessary before applying patches.
One way to enhance security and minimize the attack surface is network segmentation. Make sure that vulnerable devices and systems are not connected to the network and aren’t Internet-facing. There must be restrictions to ensure that only authorized people access devices and systems. Nevertheless, this best practice is not much in evidence in the study's analysis. Just a few VLANs were being employed for medical devices, which implies that network segmentation is not being used by many healthcare organizations.
Forescout researchers do acknowledge the difficulty of applying network segmentation best practices throughout the organization. However, it is required to enhance security. Forescout recommends discovering all devices, identifying and auto-classifying devices, and monitoring all devices without agents.
It’s important for healthcare organization security and risk management leaders to look into protecting all devices throughout the extended enterprise. A holistic approach to security calls for constant visibility and control of the entire connected-device ecosystem.
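The checks the study's findings suggest, run over a device inventory, as an added example that is not Forescout's tooling or code from the study. The inventory fields (`name`, `kind`, `os`, `vlan`, `ports`) and the sample records are constructed for illustration; the port numbers are the standard TCP ports for SMB, RDP and FTP.

```python
from collections import defaultdict

# OS groups as the article describes them
UNSUPPORTED_OS = {"Windows XP"}
NEAR_EOL_OS = {"Windows 2008", "Windows 7", "Windows Mobile"}
# Protocols the article calls out, keyed by their standard TCP ports
RISKY_PORTS = {445: "SMB", 3389: "RDP", 21: "FTP"}

# Constructed sample inventory (hypothetical field names and values)
INVENTORY = [
    {"name": "pump-01", "kind": "medical", "os": "Windows 7", "vlan": 110, "ports": [445]},
    {"name": "monitor-02", "kind": "medical", "os": "Embedded Linux", "vlan": 20, "ports": []},
    {"name": "imaging-03", "kind": "medical", "os": "Windows XP", "vlan": 110, "ports": [21, 445]},
    {"name": "desk-04", "kind": "workstation", "os": "Windows 10", "vlan": 20, "ports": [3389]},
    {"name": "srv-05", "kind": "server", "os": "Windows 2008", "vlan": 30, "ports": [445, 3389]},
]

def audit_device(dev):
    """Return the list of findings for one inventory record."""
    findings = []
    if dev["os"] in UNSUPPORTED_OS:
        findings.append("unsupported-os")
    elif dev["os"] in NEAR_EOL_OS:
        findings.append("near-eol-os")
    for port in sorted(dev["ports"]):
        if port in RISKY_PORTS:
            findings.append("exposes-" + RISKY_PORTS[port])
    return findings

def mixed_vlans(inventory):
    """VLANs where medical devices share a segment with other device kinds."""
    kinds = defaultdict(set)
    for dev in inventory:
        kinds[dev["vlan"]].add(dev["kind"])
    return sorted(v for v, k in kinds.items() if "medical" in k and len(k) > 1)

def audit(inventory):
    """Return (devices with findings, VLANs lacking medical-device segmentation)."""
    report = {d["name"]: audit_device(d) for d in inventory}
    return {n: f for n, f in report.items() if f}, mixed_vlans(inventory)

if __name__ == "__main__":
    findings, mixed = audit(INVENTORY)
    for name, items in findings.items():
        print(name, ", ".join(items))
    print("VLANs mixing medical and other devices:", mixed)
```

The inventory itself has to come from network discovery rather than from an asset list the IT department maintains by hand, since the devices that matter most here are the ones IT does not know about.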