With the number of assets connected to clinical networks climbing past 25,000 per organization, digital attack surfaces across the healthcare industry are expanding exponentially. Security leaders are therefore tasked with balancing the rewards of enhanced patient care, real-time access to diagnostic data across the entire digital health platform, and other benefits against the risk of attackers targeting and exploiting known vulnerabilities in the software and firmware of medical devices.
Commodity vulnerabilities and misconfigurations in connected devices can give profit-motivated attackers access to clinical networks, leaving health delivery organizations (HDOs) prone to the same ransomware attacks, data theft, and malware as more traditional corporate networks.
However, the consequences for HDOs can be far more dire than a locked Windows workstation or an unstable website. Physicians locked out of patient data systems, or remote patient monitoring systems knocked offline by a cyberattack, can degrade patient care and lead to catastrophic outcomes.
Healthcare, like many other industries deemed part of our critical infrastructure, does not tolerate downtime, nor can it withstand cyberattacks that delay or compromise the integrity of critical patient services. Vulnerability management should therefore be elevated to a top priority for CISOs and other leaders. They must make risk-based determinations as to which systems are prioritized in an incident, how to adequately regression test and safely apply patches to affected systems, and how to treat legacy systems that may no longer be supported.
In that light, we’d like to share four top considerations that a security decision maker must take into account when assessing known vulnerabilities and patches: how to minimize operational disruption, how to lessen negative impacts to patient care, and the short- and long-term factors that go into deciding what gets patched and when.
An asset inventory of your environment is basic but absolutely essential. In order to understand and prioritize vulnerability management activities while maintaining clinical interoperability, you must know what devices are connected to the clinical network and which are internet-facing. This is probably the most important and likely one of the most overlooked considerations as HDOs move forward with vulnerability management programs and develop patch and change management processes. Without an accurate inventory that includes attributes such as operating system and software version, it's almost impossible to make proper risk-based decisions.
Vulnerabilities can be identified by scanners, which can be active or passive. Active scanning is network-based or agent-based and may be authenticated. Authenticated scans use a pre-defined user account and password (credentials) to access and retrieve detailed information from the system’s registry. This method is more comprehensive than an unauthenticated scan and gives vulnerability management teams the information to make better risk-based decisions. Authenticated scans may or may not be possible on medical devices, because many of them were never intended to be actively interrogated or scanned. Therefore, it’s important to also have passive scanning technology in these environments. Passive scanning detects vulnerabilities through inspection of network traffic packets. The depth of vulnerability identification, and whether findings are confirmed or only potential, depends on the type of scan. Vulnerability identification is a prerequisite for any risk-based prioritization of vulnerability management and remediation.
Medical devices are purpose-built to perform various functions specific to patient care. Understanding the consequences of failure to the patient is crucial when assessing vulnerabilities. There are no other industries I’m aware of where you have to ask the question: “If this device is compromised, will someone die?” If the answer is “Yes,” it is imperative to put this device at the top of the vulnerability remediation list when a known, actively exploitable vulnerability is present on it. It is also important to note that patching medical devices is not advised while they are actively in use delivering patient care. Careful planning and collaboration are required to patch medical devices during device downtime periods in order to avoid disruption of care or adverse effects on a patient’s safety.
Not all vulnerabilities are actively targeted or even exploitable; this can often be the determining factor as to whether a system is first in line for remediation. Taking advantage of threat intelligence available through various repositories is important. Threat intelligence is data that is collected, processed and analyzed to determine threat actors’ targets, attack methods, motives and behaviors. Threat intelligence data can be obtained through open source, commercial offerings, and Information Sharing and Analysis Centers (ISACs). This intelligence provides insight into which vulnerabilities have known exploits and whether they are being actively targeted. Leveraging industry-specific intelligence sources such as the Health-ISAC in healthcare and correlating this data with an accurate asset inventory can assist in prioritizing which vulnerabilities are addressed through mitigation or remediation.
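The four considerations above (an inventory with OS and version attributes, scan findings whose confidence depends on scan type, the patient-safety consequence of failure, and threat intelligence on exploitation) come together in a prioritization step. The following is an added example, not code from the article or from the author's organization: it correlates a constructed inventory, constructed scan findings and a constructed threat-intelligence feed and ranks findings for remediation. The device names, CVE identifiers and scoring weights are all placeholders and assumptions chosen for illustration; a real program would use an HDO's own inventory, its scanner output and ISAC bulletins.

```python
"""Added illustration (not from the article): rank vulnerable medical devices for
remediation by correlating an asset inventory with scan findings and threat intel.
All device names, CVE identifiers, weights and feeds below are constructed
placeholders, not real data."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    os: str
    version: str
    internet_facing: bool
    patient_safety_critical: bool  # "if this device is compromised, could someone die?"
    in_use: bool                   # currently delivering patient care
    scan_type: str                 # "authenticated" | "unauthenticated" | "passive"


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float


# Constructed threat-intel feed, as an ISAC bulletin might convey it:
# CVE id -> (public exploit exists, observed being actively targeted)
THREAT_INTEL = {
    "CVE-0000-0001": (True, True),
    "CVE-0000-0002": (True, False),
    "CVE-0000-0003": (False, False),
}

# Constructed inventory: one life-critical pump only visible to passive scanning,
# one internet-facing imaging server, one ordinary workstation.
ASSETS = [
    Asset("infusion-pump-07", "Embedded Linux", "3.2.1", False, True, True, "passive"),
    Asset("pacs-server-01", "Windows Server", "2016", True, False, False, "authenticated"),
    Asset("nurse-workstation-12", "Windows", "10", False, False, False, "authenticated"),
]

# Constructed scan findings; the last one names a device missing from the inventory.
FINDINGS = [
    Finding("nurse-workstation-12", "CVE-0000-0003", 9.8),
    Finding("pacs-server-01", "CVE-0000-0002", 7.5),
    Finding("infusion-pump-07", "CVE-0000-0001", 6.5),
    Finding("mri-console-02", "CVE-0000-0001", 8.0),
]


def confidence(scan_type):
    """Authenticated scans read registry/package state, so a version match is confirmed;
    passive packet inspection and unauthenticated scans only infer it (potential)."""
    return "confirmed" if scan_type == "authenticated" else "potential"


def score(asset, finding):
    """Risk score: CVSS as the base, then exploitation status, patient-safety impact and
    exposure. Weights are assumptions for the illustration."""
    exploit, targeted = THREAT_INTEL.get(finding.cve, (False, False))
    s = finding.cvss
    if targeted:
        s += 40            # actively targeted outweighs raw severity
    elif exploit:
        s += 20
    if asset.patient_safety_critical:
        s += 30
    if asset.internet_facing:
        s += 10
    if confidence(asset.scan_type) == "potential":
        s -= 5             # inferred version: verify before spending a downtime window
    return s


def prioritize(assets, findings):
    """Return (ranked findings, highest risk first; findings on devices absent from the
    inventory). The second list is the visibility gap the article warns about."""
    by_name = {a.name: a for a in assets}
    ranked, gaps = [], []
    for f in findings:
        a = by_name.get(f.asset)
        if a is None:
            gaps.append(f)
            continue
        _, targeted = THREAT_INTEL.get(f.cve, (False, False))
        # Patching is not done while a device is delivering care: mitigate now,
        # patch in the next planned downtime window.
        if a.in_use and a.patient_safety_critical:
            action = "mitigate now (segment/monitor); patch in next downtime window"
        elif a.in_use:
            action = "patch in next downtime window"
        else:
            action = "patch now"
        ranked.append({
            "asset": a.name, "cve": f.cve, "score": score(a, f),
            "confidence": confidence(a.scan_type),
            "actively_targeted": targeted, "action": action,
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, gaps


if __name__ == "__main__":
    ranked, gaps = prioritize(ASSETS, FINDINGS)
    for r in ranked:
        print(f"{r['score']:6.1f}  {r['asset']:22} {r['cve']}  {r['confidence']:9} {r['action']}")
    for g in gaps:
        print(f"INVENTORY GAP: {g.asset} ({g.cve}) is not in the asset inventory")
```

Run as written, the CVSS 9.8 finding on the workstation ranks last because no exploit is known, while the CVSS 6.5 finding on the infusion pump ranks first because it is actively targeted on a life-critical device; the pump's entry is marked "potential" because its version came from passive observation, and its action defers the patch to a downtime window. The finding on `mri-console-02` is reported as an inventory gap rather than silently dropped.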
Connecting medical devices to clinical networks can bring tremendous benefits that improve patient care. Physicians can use patient monitoring systems and even in-home or wearable technology to get real-time data on key health indicators. Knowing a patient’s status in real-time can shave precious time off diagnostic decisions and treatment. It can also save money by eliminating needless appointments and pinpointing treatment in an expedited fashion.
Security leaders must also realize that connected medical devices are at risk from the same attacks that have plagued IT systems for decades, with much higher consequences for the healthcare industry. A properly tuned vulnerability management strategy starts with the considerations above. They bring the visibility and information security leaders need to make informed decisions about prioritizing patching and remediation efforts, while reducing downtime and maintaining high standards of patient care.
Skip Sorrels is Director of Cybersecurity for Ascension, one of the nation’s largest healthcare information technology services organizations.