Palo Alto Networks’ Unit 42 security division said medical equipment is outdated and vulnerable to hacker attacks, and that health care organizations display poor network security hygiene.

A new report from Unit 42 says 72% of health care networks mix internet of things (IoT) and information technology assets, allowing malware to spread from users’ computers to vulnerable IoT devices on the same network. The report also offers a lot of data on non-medical IoT attacks.

There is a 41% rate of attacks exploiting device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses. And Unit 42 has seen a shift from IoT botnets conducting denial-of-service attacks to more sophisticated attacks targeting patient identities, corporate data, and monetary profit via ransomware.

According to a 2019 Gartner report, 4.8 billion IoT endpoints were expected to be in use at the end of 2019, up 21.5% from 2018. But 40% of health care chief information officers (CIOs) plan to spend new or additional funds on cybersecurity tools in 2020.

At present, medical devices are in a critical state, with many running outdated operating systems. Because of their long lifecycles, medical IoT devices are among the worst offenders when it comes to running outdated and, in many cases, end-of-life operating systems, Unit 42 said. These devices are neither maintained by IT nor supported by the operating system vendors.


Biomedical engineers who maintain medical devices often lack the training and resources needed to follow IT security best practices for employing password rules, storing passwords securely, and maintaining up-to-date patch levels on devices.

The National Cybersecurity Center of Excellence (NCCoE) completed a medical IoT device security project in 2019 called Securing Picture Archiving and Communication Systems (PACS). NCCoE found that 83% of all medical imaging systems run on end-of-life operating systems with known vulnerabilities and no security updates or patch support. This is a 56% jump from 2018 as a result of Windows 7 reaching its end of life.

[Figure: Medical devices aren’t secure. Image credit: Unit 42]

New attacks are exploiting vulnerabilities in the underlying operating system to target medical IoT devices. Imaging systems are particularly susceptible to this kind of attack due to support for their underlying OS expiring well before the devices are retired or decommissioned. The simplest IoT risk remediation practice is network segmentation.

But only 3% of all segmented networks or virtual local area networks (VLANs) in the health care organizations studied contained strictly medical IoT devices, and 25% contained non-medical IoT devices (IP phones, printers, etc.).

Network segmentation alone is not sufficient. For instance, housing mission-critical heart rate monitors in the same network as imaging systems isn’t safe. A device profile-based microsegmentation approach that considers a multitude of factors, including device type, function, mission criticality, and threat level, provides an isolation approach that significantly reduces the potential impact of cross-infection.

Zingbox, Palo Alto Networks’ IoT security offshoot, alerted one of the hospitals to Conficker traffic detected in its network. The offending device was a mammography machine. In the days following, Zingbox identified another mammography machine, a DICOM (Digital Imaging and Communications in Medicine) viewer, a digital radiology system, and other infected devices exhibiting Conficker behavior.

The hospital staff responded by turning these devices off when they were not in use. To verify the infection, the staff took one of the mammography machines and the DICOM viewer offline to reimage them. Within hours of the devices coming back online, Conficker infected them again.

Further investigation revealed that while reimaging the devices had removed the malware, the approved images were outdated: They did not include the latest security patches, leaving the devices vulnerable to Conficker. Given the peer-to-peer spread of Conficker on a network, it was only a matter of time before another infected device passed the infection back.

The hospital then took all infected devices offline, reimaged them, installed the latest security patches, and brought the devices back online one by one, closely monitoring anomalous behaviors. Over the span of a week, the devices were reintroduced to the network and showed no further signs of Conficker infection.

This is a typical example of the challenges many organizations face today. They are hampered by a lack of real-time visibility into IoT device behavior and the cybersecurity expertise to quickly respond to threats, contain the spread of infection, and eradicate the underlying cause. In some organizations, the critical nature of devices makes troubleshooting, shutdown, and reimaging impossible or extremely difficult to do without disrupting business operations.