By Tom Stanford, CEO, Nuvolo
Major innovations and advancements in the medical technology sector have led to an increasing use and reliance on connected medical devices – equipment connected to the internet and larger networks. But, as the healthcare sector continues to undergo this digital transformation and adoption of these connected devices, new vulnerabilities begin to surface for bad actors to exploit. This is an undeniable reality for the industry, as cyberattacks on healthcare organizations (HCO) continue to spike exponentially – in fact, there was a 55% increase in cybersecurity attacks on healthcare providers in the US alone last year.
As the healthcare sector advances along this path of digital transformation, so do these types of attacks, which are becoming increasingly sophisticated. Yet, many organizations lack the understanding of how vulnerable they are and what steps to take to mitigate and remediate these occurrences.
We can look to the WannaCry ransomware attack from a few years ago as an example. This worldwide cyberattack targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The attack hit more than 300,000 machines in 150 countries, targeting Windows operating systems and succeeding where those operating systems lacked security updates. According to data from Kaspersky Lab, 98% of computers were affected, creating major concern for hospitals around the world.
Traditionally, the industry considered most medical devices safe from cyberattacks, as they historically were not connected to other devices or networks. With that landscape changing entirely, HCOs must take a new cybersecurity posture and prepare for the exploit of potential vulnerabilities.
While many attackers are only able to exploit IT systems, such as laptops and servers, many cyberattack victims are forced to take other technology offline as a safeguard against potential financial risk to the business, patient safety or device availability. As a result, these attacks can now have serious impact on organizations’ operational technology, or OT – this refers to an organization’s physical, network-connected devices, including medical devices, which monitor or control processes and events outside of IT systems.
While OT security focuses mainly on device resilience, IT is concerned with the integrity of information. This means OT teams and IT teams often have different priorities, which provides opportunities for attackers looking at new entry points into a business.
There’s a pervasive problem in OT security, which is directly related to this gap, in that many machines are running outdated software or lack aftermarket security patches. For example, Microsoft Windows vulnerabilities, such as BlueKeep and DejaBlue, are continuously unearthed in old Windows systems. And, just last year, TrapX Security identified a new malware campaign targeting devices running embedded Windows 7.
The fact that Windows 7 reached end-of-life in January 2020 only broadens the attack surface and gives hackers even greater opportunity to infect these machines with malware and disrupt operations.
According to the 2020 Global Risk Report by OT security firm CyberX, unsupported and unpatched operating systems—including Windows XP, Windows 2000, and now Windows 7—account for 71% of the networks they examined.
But OT device owners and IT security teams often do not sit at the same table or have the same priorities. OT medical devices are highly regulated by the FDA in the United States and by similar organizations elsewhere, such as the European Medicines Agency (EMA). This often means only authorized clinical engineering personnel can maintain an OT device.
Sometimes healthcare technology management (HTM) or IT teams are misinformed, and they implement an OT device discovery and monitoring tool and call it a day. While these tools do an excellent job identifying and assessing OT device security vulnerabilities, this approach skips a more important step: orchestrated, automated remediation.
In addition, IT may insist that existing IT security tools will do the job just fine. The problem is that these tools provide no context for affected devices. Thus, when an IP and MAC address are under attack, and the IT teams are scratching their heads trying to figure out whom to call, corrective action can take far too long.
Unfortunately, many HCOs don’t fully understand their level of threat exposure when it comes to OT. And without the context that a single, centralized inventory of all their devices, equipment, and facilities provides, organizations struggle to make basic decisions during and after a cyberattack, like determining whether a security event was targeting a specific device.
That’s why having visibility into your equipment and devices is crucial. While visibility itself won’t fully protect you, it can provide actionable data to help you make decisions that keep critical OT systems online. Additionally, IT and OT teams don’t always communicate with each other on a day-to-day basis, which is a crucial step in recognizing vulnerabilities and addressing or remediating threats. So, it’s equally crucial to implement and integrate automated solutions and tools to detect issues and enable cross-departmental communication.
To address OT security challenges, HCOs need to expand capabilities and focus on the following:
- Device tracking and data: When a piece of equipment or device is purchased and acquired, the device and field technicians must be able to input the device details into the inventory when they work in-person or remotely on the device. This device inventory acts as the single source of truth that gets an update when routine maintenance takes place, where personnel will enrich the device data with any new information.
- Full security systems integration: There also needs to be integration with a security monitoring system, so that when an OT security event or vulnerability is identified, security, IT, and equipment support teams all operate with the same data and visibility. And beyond monitoring, there must also be a security orchestration, automation, and response system of action so all teams work together to enable rapid remediation of security events. Ideally, when a security event takes place, the security team should be able to see the full context of the device—including the device owner and the appropriate remediation process. Then a work order can be dispatched to the device engineer or to the manufacturer’s or service provider’s field technicians. The work order should be trackable so that security, IT, and the device engineers are kept aware of the remediation status.
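The two capabilities above, an inventory that is the single source of truth and a monitoring integration that turns an alert on a bare IP and MAC address into an owner, a remediation process and a trackable work order, can be sketched in a few dozen lines. The following is an added illustration, not Nuvolo's code or any product's API; the inventory records, the alert records and the status workflow are constructed sample data, and the unsupported-OS list is taken from the operating systems the article names.

```python
"""Correlate an OT security alert with a device inventory and open a trackable
work order. Added illustration; the inventory and alert records are constructed
sample data, not taken from any real hospital or product."""
from dataclasses import dataclass, field
from typing import Optional

# Operating systems the article names as unsupported. An alert on a device that
# runs one of these gets a higher priority, since no vendor patch can be expected.
UNSUPPORTED_OS = {"Windows XP", "Windows 2000", "Windows 7", "Windows 7 Embedded"}


@dataclass
class Device:
    asset_id: str
    name: str
    ip: str
    mac: str
    owner: str               # clinical engineering contact allowed to touch the device
    service_provider: str    # manufacturer or third-party field service
    os: str
    remediation_process: str


# Constructed single-source-of-truth inventory (hypothetical values).
INVENTORY = [
    Device("ASSET-0001", "Patient monitor, ICU bed 4", "10.20.1.14", "00:11:22:33:44:55",
           "clin-eng-icu", "MonitorCo Field Service", "Windows 7 Embedded",
           "isolate on device VLAN; reimage only from vendor-supplied image"),
    Device("ASSET-0002", "Infusion pump, ward 3", "10.20.2.7", "00:11:22:33:44:66",
           "clin-eng-ward3", "PumpCo Field Service", "Embedded Linux",
           "vendor firmware update under service contract"),
    Device("ASSET-0003", "Nurse station laptop", "10.20.3.9", "00:11:22:33:44:77",
           "it-desktop", "IT helpdesk", "Windows 10", "standard IT patch cycle"),
]


def find_device(mac: str, ip: Optional[str] = None) -> Optional[Device]:
    """Look a device up by MAC first (stable), falling back to IP (may be DHCP-assigned)."""
    mac = mac.lower()
    for d in INVENTORY:
        if d.mac.lower() == mac:
            return d
    if ip:
        for d in INVENTORY:
            if d.ip == ip:
                return d
    return None


def enrich_alert(alert: dict) -> dict:
    """Attach inventory context to a raw alert that carries only network identity."""
    dev = find_device(alert["mac"], alert.get("ip"))
    out = dict(alert)
    if dev is None:
        # Inventory gap: the alert cannot be routed, which is itself a finding to track.
        out.update(known=False, priority="triage-unknown-device")
        return out
    out.update(known=True, asset_id=dev.asset_id, device=dev.name, owner=dev.owner,
               service_provider=dev.service_provider, os=dev.os,
               remediation_process=dev.remediation_process,
               priority="high" if dev.os in UNSUPPORTED_OS else "normal")
    return out


# Hypothetical remediation workflow; every transition is recorded so all teams see status.
WORKFLOW = ["open", "dispatched", "remediated", "verified"]


@dataclass
class WorkOrder:
    alert_id: str
    asset_id: str
    assignee: str
    instructions: str
    status: str = "open"
    history: list = field(default_factory=list)

    def advance(self, new_status: str) -> str:
        """Allow only the next step in WORKFLOW, so the status trail is auditable."""
        if WORKFLOW.index(new_status) != WORKFLOW.index(self.status) + 1:
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        self.history.append((self.status, new_status))
        self.status = new_status
        return self.status


def open_work_order(enriched: dict) -> Optional[WorkOrder]:
    """Dispatch to the party allowed to service the device; None when the device is unknown."""
    if not enriched["known"]:
        return None
    return WorkOrder(enriched["alert_id"], enriched["asset_id"],
                     enriched["service_provider"], enriched["remediation_process"])


# Constructed alerts in the shape a monitoring tool emits them: network identity only.
SAMPLE_ALERTS = [
    {"alert_id": "A-100", "ip": "10.20.1.14", "mac": "00:11:22:33:44:55", "signature": "suspicious SMB traffic"},
    {"alert_id": "A-101", "ip": "10.20.9.99", "mac": "de:ad:be:ef:00:01", "signature": "port scan"},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        e = enrich_alert(a)
        wo = open_work_order(e)
        print(e["alert_id"], e["priority"], wo.assignee if wo else "no work order: unknown device")
```

The second sample alert deliberately hits a MAC that is not in the inventory: rather than silently dropping it, the enrichment marks it for triage, because an unknown device on the network is exactly the visibility gap the preceding paragraphs describe. Matching on MAC before IP reflects that OT devices often sit behind DHCP while their hardware address is what the clinical engineering inventory records.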
As medical devices and operational technology continue to evolve, so do external threats to HCOs, and so must the technology designed to protect organizations and patients. To do this, it’s critical for HCOs and other organizations to understand these risks and invest in both the IT and OT security systems that ensure the safety and security of their facilities and medical devices.
About Tom Stanford
Tom Stanford is the Founder & CEO of Nuvolo Technologies and has more than twenty-five years of experience in building new technology ventures. Tom is responsible for overall leadership and management of the organization. His new venture development activities include SaaS, enterprise software and professional services. Tom holds a graduate and undergraduate degree from Northeastern University. Visit at: www.nuvolo.com