New Research report “Connected Medical Device Security” shows health networks still exposed to significant risk of attack and disruption

Forescout Research Labs analyzed the security of Healthcare Delivery Organizations in 2020, comparing data from the same review in 2019 and found major issues with legacy systems and insufficient segmentation.  

The growing number and diversity of devices in HDOs has introduced new cybersecurity risks. The ability to compromise devices and networks and the possibility of monetizing patient data have led to an increase in the number and sophistication of cyberattacks targeting HDOs in recent years.  In just the last few weeks, the first death was reported following a ransomware attack on a German hospital and another attack crippled more than 400 hospitals across the United States, Puerto Rico, and United Kingdom.  Many hospitals and other healthcare organizations are rapidly expanding their device footprints to meet the needs of the COVID-19 pandemic. Meanwhile, their critical role in this global crisis also makes them a top target for attackers. The result is a perfect storm that puts the importance of HDO cybersecurity more front and center than ever before.    

With this current threat landscape in mind, Forescout Research Labs undertook a project to analyze the status of healthcare network security.  Partnering with multiple large HDO organisations to collect full network traffic and analyzing over 3 million devices in Forescout’s Device Cloud, we have outlined our findings in a new report: Connected Medical Device Security: A Deep Dive into Healthcare Networks.

Key findings:

1. We saw a reduction in the percentage of devices running Windows unsupported operating systems from 71% in 2019 to 32% in 2020. However, the percentage of devices running fully obsolete Windows versions remained constant at 0.4%. Although that is a small percentage of devices, the data indicates that the legacy problem is expected to continue in the future.
2. This year, we observed that out of all the segments containing at least one healthcare device, 60% have other non-healthcare IoT devices in the same segment. We also observed that 90% of healthcare segments have a mix of healthcare devices and IT devices. These devices might contain vulnerable software or targeted malware which can make other devices on the same segment susceptible to infection as well.
3. We identified healthcare equipment (specifically Patient Monitors and CT Scanners) with default credentials alongside other IT and IoT equipment. In these scenarios, the healthcare devices act as the weak links in the network.
4. In a majority of the participating HDOs, we observed communications between public and private IP addresses using a medical protocol (HL7) to exchange medical information in clear text, which can be easily read and leak sensitive patient information such as names, addresses, family information, allergies and test results.
5. We found multiple instances of insecure protocols in use at each of the HDOs studied. For instance, all used insecure older versions of Transport Layer Security (TLS), as well as other protocols. More worryingly, we found instances of Telnet in over half of the HDOs. The clear-text, unencrypted Telnet protocol was designed in 1969 and has long-since been replaced by SSH. 

These findings reveal that while HDOs have taken some meaningful steps to better secure their connected devices and networks, there are still several cybersecurity gaps and risks that need to be addressed. 

We recommend HDOs prioritize the following best practices to reduce security and operational risk in healthcare networks:

• Legacy devices and operating systems. Accurate identification and classification of medical devices running legacy operating systems is paramount for risk mitigation. Devices that cannot be retired or patched should be segmented appropriately to restrict access to critical information and services only.
• External communications and exposure. Network flow mapping of existing communications is not just a prerequisite for designing effective segmentation zones, it also provides a baseline understanding of external and internet-facing communication paths. This can help identify unintended external communications and prevent medical data from being exposed publicly.
• Insecure and unencrypted protocols. Start with a network flow mapping project to identify protocols in use. Whenever possible, switch to using encrypted versions of protocols and eliminate usage of insecure, clear-text protocols such as Telnet. When this is not possible, use segmentation for zoning and risk mitigation.
• Default, weak or hardcoded passwords. Identify and remediate weak and default passwords. A single weak link on a network segment can compromise the entire segment. If hardcoded passwords cannot be remediated, leverage segmentation for zoning and isolation.
• Effective segmentation. Segmentation can be used as a compensating control and risk mitigation technique for all of the above scenarios. It is also a best practice for compliance ring fencing, limiting lateral movement and reducing the blast radius of attacks. While there is increasing awareness of the benefits of segmentation, examples of over-segmentation, under-segmentation and poorly designed segmentation zones abound. Start by accurately identifying devices you want to segment by business context and understanding existing network flows between device groups. Then design appropriate zones and access policies to gain the positive security outcomes of segmentation.  

To learn more about the security concerns of Healthcare Delivery Organization networks, download the full report – Connected Medical Device Security: A Deep Dive into Healthcare Networks.