Guest Column | May 15, 2018

Data Breaches - Can We Outsmart The Attackers?

By Leon Lerman, Cynerio

Stopping Cyber Threats

The demand for connected devices has increased rapidly in recent years, and medical devices have not been immune from the technological revolution. Today, medical devices are able to communicate across private networks, the internet, and point-to-point connections, allowing for an efficient service which could ultimately save lives. Currently estimated to be approximately 10 billion, the number of connected medical devices is expected to increase to 50 billion over the next 10 years.

With this in mind, securing these devices and the entire hospital ecosystem from potential cybersecurity attacks is critical. Cyberattacks against hospitals are on the rise and, as seen with last year’s WannaCry attack, which affected over 60 hospitals in the UK, can bring patient care to a potentially deadly standstill.

Hospitals are seen as lucrative targets for nefarious actors for a variety of reasons. Most significantly, the data they can get their hands on, if successful, is one of the most valuable assets on the black market, valued at approximately 10 times the value of a standard credit card.

Medical records typically include an individual’s date of birth, full given name, social security number and, in some cases, financial information. By stealing this information, hackers can steal the patient’s identity and create fake IDs to buy medical equipment or drugs that can be resold. As this kind of fraud does not get spotted and stopped as quickly as, say, credit card fraud, criminals can continue to exploit this data for years without being caught out.

Also, the data itself is much less protected, making it easier for cybercriminals to gain access to troves of sensitive, valuable data. When it comes to investment in IT security in hospitals, the budget is significantly less than what is seen in other vertical sectors, such as government or financial services. Because of this, hospitals have a relaxed security posture, with unsecured connected medical devices being the golden ticket for hackers to the hospital’s data.

With the number of IoT and connected devices being used within hospitals constantly increasing and diversifying in their nature, the exposure to potential breaches is great: according to Trend Micro, in the US alone, more than 36,000 healthcare related devices can be found on Shodan, a tracking site for Internet-connected devices. Devices can vary from MRI machines to an insulin pump, the latter of which could result in an attacker administering a fatal dose. The sheer number of devices in a single hospital also means that staff are often unaware of threats, and so breaches can go undetected, essentially allowing attackers free rein to do as they please.

To protect the ecosystem, hospitals must ensure they have full visibility of their networks. This means knowing what is going on, and where, at all times; after all, you cannot protect what you can’t see. By gaining control of all medical devices on the network, hospitals can understand exactly what they do, and who they are talking with at all times. By understanding these processes, devices can then be classified, and the associated risk recognized; subsequently this makes it easier to monitor the devices.

Monitoring the devices with the right medical context allows accurate anomaly detection, according to what is normal, and what is not, within a standard hospital. It is imperative that security takes into account the medical context when protecting hospitals. While generic anomalies can be detected, if the context is not understood, it may be difficult to tell whether a specific behavior is suspicious; for example, if a doctor is accessing numerous images at a workstation, this could be completely innocent. However, sequential access to numerous images may be the start of a ransomware attack.
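The following is an added illustration, not code from the column or from Cynerio, of how patient context separates the two cases above: a run of sequential image reads is flagged only when it also crosses several patients. The log format, workstation names, and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (the format is an assumption):
# ws-rad-02 reads 8 consecutive images of ONE patient (a clinician reading a study);
# ws-lab-07 reads 8 consecutive images spanning FOUR patients (a storage-order sweep).
SAMPLE_LOG = (
    [f"2018-05-15T09:00:{i:02d} ws-rad-02 READ patient=P104 image={231 + i:06d}"
     for i in range(8)]
    + [f"2018-05-15T09:05:{i:02d} ws-lab-07 READ patient=P{201 + i // 2} image={500 + i:06d}"
       for i in range(8)]
)

def parse(line):
    """Split one log line into (timestamp, workstation, patient, image id)."""
    ts, ws, _op, patient, image = line.split()
    return (datetime.fromisoformat(ts), ws,
            patient.split("=")[1], int(image.split("=")[1]))

def find_sweeps(lines, min_run=6, min_patients=3, window_s=60):
    """Return {workstation: longest flagged run} for sequential reads that
    cross at least min_patients patients within window_s seconds."""
    by_ws = defaultdict(list)
    for line in lines:
        ts, ws, patient, image = parse(line)
        by_ws[ws].append((ts, patient, image))
    flagged = {}
    for ws, events in by_ws.items():
        events.sort()
        run = [events[0]]
        for prev, cur in zip(events, events[1:]):
            # A run continues only while image ids advance in storage order.
            run = run + [cur] if cur[2] == prev[2] + 1 else [cur]
            # Drop events that fall outside the sliding time window.
            while (run[-1][0] - run[0][0]).total_seconds() > window_s:
                run.pop(0)
            patients = {p for _, p, _ in run}
            # Medical context: one patient's slices read in order is normal;
            # the same pattern across many patients is not.
            if len(run) >= min_run and len(patients) >= min_patients:
                flagged[ws] = max(flagged.get(ws, 0), len(run))
    return flagged

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))                  # context-aware rule
    print(find_sweeps(SAMPLE_LOG, min_patients=1))  # generic rule, no patient context
```

Setting `min_patients=1` reduces the rule to the generic "many sequential reads" check, which also flags the clinician's workstation.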

Connected devices have become the weakest link in a hospital’s cybersecurity chain. Whilst the lure for cybercriminals has always been there, in the form of valuable data, the way in which they can get it has changed. These connected devices were not built with security in mind: they very often run obsolete operating systems, use unsecure communication protocols and are typically out of scope for traditional IT security solutions, and therefore are difficult to protect. Hospitals must act to secure their ecosystem, and protect the data of their patients — the success of a cyberattack really could be a case of life or death.

For More Information

Cynerio has published an “explainer” including advice for healthcare organizations following another recent ICS-CERT advisory, this one detailing a series of 23 vulnerabilities in popular GE medical devices. In the post, Cynerio offers the following:

What should hospitals do?

  • Healthcare facilities’ network administrators should work in coordination with their medical-devices vendors to make sure they have the latest security patches installed.
  • Default credentials should be changed to more secure site-credentials while making sure device functionality and interoperability are not hindered.
  • Security professionals in healthcare should put in place controls that will enable full visibility of the medical entities on the network, making it possible to understand their behavior and trace and mitigate anomalies and vulnerabilities in real time; you cannot defend what you cannot see.
  • By understanding the actual deployment of medical devices, and devices containing personal patient information, security professionals can apply defense-in-depth principles, leaving medical entities unexposed to the internet — and only allowing internet communications to medical devices through secure VPN tunnels and according to necessity.

About The Author

Leon Lerman is co-founder & CEO of Cynerio and brings over a decade of experience in cybersecurity enterprise sales, channel sales, and business development to establish Cynerio as a leading innovator in the healthcare cybersecurity space. Prior to Cynerio, Leon was director of sales at Metapacket, where he led the go to market strategy and execution. Leon also held sales and sales engineering positions at RSA Security, helping the largest enterprises in the region to solve their security problems. Leon served as an expert intelligence officer at 8200 in the IDF.