THREAT REPORT Medical Devices

Transcription

1 THREAT REPORT Medical Devices Detailed analysis of connected medical devices across 50 hospitals in 2017

2

3 THREAT REPORT In this Threat Report Introduction 3 About This Report 3 Device Deployments 4 Most Common Connected Medical Devices 4 Device Applications and Communications 5 Device Type with the Most Network Applications 5 Use of Micro-Segmentation 6 Medical VLANs per Site 6 Device Types in VLANs with Medical Devices 7 Security Issues 8 Types of Device Security Issues 8 Security Issues by Device Type 9 Device with the Most Security Issues 9 Conclusions and Recommendations 11 2

4 Introduction Healthcare organizations are undergoing multiple transformations, from the increasing connectivity of medical devices to the convergence of Information Technology (IT) and Operational Technology (OT). These transformations are drastically changing the way organizations conduct their day-to-day operations. Cyber threats targeting healthcare organizations are also undergoing their own transformations. While the theft of Personal Health Information (PHI) is widely accepted as the most common threat, more and more attacks are aiming to disrupt an organization s ability to provide care. In many cases, such disruption can be more financially damaging than the actual theft of PHI. Today, organizations find themselves at a severe disadvantage when trying to cope with this changing and evolving landscape. Many lack real-time insights into their deployment of medical devices, and industry reports based on thorough analysis and concrete data samples have not been made available. The same challenge applies to cyber threats. The inability to leverage IT-focused security solutions to secure connected medical devices leaves few options to the care providers. There are no industry reports that offer guidance or insight on how to combat cyber threats for connected medical devices. After conducting a thorough study of numerous real-world connected medical device deployments, Zingbox uncovered insights into the types of connected medical devices deployed, their unique behaviors, and associated security issues. The report also sheds light on medical device environments, including network topology and segmentation, and identifies the most common security issues plaguing connected medical devices, with suggested remedies for each. All information, while accurate, has been anonymized to protect the privacy of participating healthcare organizations. About This Report The information in this report has been derived from the analysis of connected medical device deployment at 50 hospitals and clinics in the U.S. throughout The information was gathered via Zingbox IoT Guardian at each of the 50 locations, and is based on analysis of all relevant network traffic. The study encompasses tens of thousands of connected medical devices. The detection of each device type, network characteristics and topology, and other analysis performed in this study were conducted via artificial intelligence (AI) and deep machine learning architected in the Zingbox IoT Guardian solution. Due to its out-of-band design, no medical devices were altered in any way. No agents, clients, or other software were installed on any devices. The network traffic to and from devices also remained unaltered. Also, no gateways or other inline devices were installed. 3

5 THREAT REPORT Device Deployments The first hurdle organizations face when formulating a management and security plan for connected medical devices is the lack of accurate insight into the assets that should be managed or protected. Trying to overcome this hurdle by relying on assumptions or outdated data is often the primary reason for the ineffectiveness of an organization s strategy. CONNECTED MEDICAL DEVICES DEPLOYED It s important to note that the identification of a device s IP address, or even its underlying operating system (OS), will have limited value for connected medical devices. Knowing the type of device such as whether it is an infusion pump or an imaging system offers much more relevant insight for organizations. MOST COMMON CONNECTED MEDICAL DEVICES As illustrated in the graph above, close to half (46%) of all connected medical devices included in this study are infusion pumps. Based on the sheer number of devices, infusion pumps represent the largest attack surface for cyber threats. The industry practice of device segmentation, if not configured correctly, can have a disastrous effect on such large numbers of devices. Lack of segmentation can have an unfortunate side effect of accelerating attacks and infections should a single device in the network be compromised. The second most common medical devices included in this study are imaging systems. It is important to note that the category of imaging systems not only includes X-ray, ultrasound, and magnetic resonance imaging (MRI) machines, but also image viewers, digital imaging and communications (DICOM) workstations, and picture archiving and communications (PACS) servers. Many of these devices are based on Windows OS and include apps such as web browsers, making them vulnerable to threats exploiting OS and application vulnerabilities. 4

6 Device Applications and Communications Modern connected medical devices communicate with a wide range of servers and devices. The communications are used for a variety of purposes, ranging from routine device management to transmissions of sensitive patient data. By analyzing a device s network behavior and configurations, the number and type of network applications are identified. The number of network applications is an indication of how likely the device will be infected by other devices, as well as how likely it will infect other devices, should it be compromised. Essentially, the number of network applications is a reflection of how chatty a device is. DEVICE TYPE WITH THE MOST NETWORK APPLICATIONS As illustrated in the graph at right, imaging systems have the largest number of network applications of all connected medical devices included in this study, with an average of seven network applications per device. The graph also provides insight into the nature of the applications. Of the seven network applications typically found in imaging systems, an average of three applications are used for communications with devices outside the organization. The majority of other devices include applications that predominantly communicate with other devices and servers within the organization s network. AVERAGE NUMBER OF APPLICATIONS PER DEVICE External applications can pose a significant risk to the organization. They can be used by malware or other attackers to breach the network. The inherent design of these applications also limits the ability of firewalls or other inline devices to disable external communications without fully understanding its implications. Analysis of perimeter security configurations, in conjunction with the requirements of the connected medical devices, should be conducted on a regular basis and as new devices are put into service. 5

7 THREAT REPORT Use of Micro-Segmentation Micro-segmentation is considered a sound practice of limiting lateral infection or movement and, at the same time, enabling efficient device management. By placing devices in Virtual LANs (VLANs), organizations can isolate like devices from other device types as well as easily identify and locate devices in the network. A well-defined VLAN can also simplify the process of bringing new devices online. The benefit of micro-segmentation can only be realized, however, if organizations follow a sound practice of implementing and maintaining VLANs on a regular basis. MEDICAL VLANS PER SITE As shown in the graph at right, the majority of hospitals in Zingbox s study (88%) have fewer than 20 VLANs containing medical devices far too few VLANs to gain the insights required to successfully implement a micro-segmentation strategy at practically any sized healthcare organization. This data illustrates the security challenge that many healthcare providers face that was discussed at the beginning of this report: without insight into the types of devices in their networks, many organizations cannot gain the necessary visibility into their deployment of connected medical devices. Without the appropriate tools, the best strategy available for providers is to create a collection of IP addresses with no contextual data to tell them apart. USE OF MICRO-SEGMENTATION The graph also accurately depicts the state of current micro-segmentation strategies as two extreme ends of the spectrum. Today, organizations are either not implementing micro-segmentations, as is illustrated by the high percentage of providers with a low number of VLANs on the left side of the graph, or they have resorted to the other extreme over-segmenting the network, as is indicated by the gap between providers with VLANS and 100+ VLANs. We expect more and more organizations to fill the void between these extremes as they implement tools and processes to gain additional visibility into device context and use these insights for onboarding new devices. 6

8 The number of VLANs with medical devices provides a quantitative analysis of micro-segmentation. A successful micro-segmentation strategy, however, must also include regular analysis of devices in the medical VLANs. This ensures that the VLANs are being used efficiently to house only connected medical devices as they were intended. DEVICE TYPES IN VLANS WITH MEDICAL DEVICES As illustrated in the graph at right, medical devices are not the predominant devices found in medical VLANs. In fact, this type makes up less than a quarter (23%) of all devices. PCs make up the largest device type in a typical medical VLAN at 43%. Aside from PCs, other non-medical devices, such as printers, IP phones, and surveillance cameras, can also be found in medical VLANs. DEVICES IN MEDICAL VLANS This graph unfortunately illustrates the ineffectiveness of today s microsegmentation strategy. Such a wide range of devices found in medical VLANs promotes cross contamination and lateral movement of infections. The first course of action that organizations should take is to remove PCs from their medical VLANs, followed by tablets and then other non-medical IoT devices, such as surveillance cameras and IP phones. The non-medical IoT devices should be moved to other non-medical VLANs. Of course, in order to implement these changes, organizations must first gain visibility into their VLANs and be able to accurately identify device types. 7

9 THREAT REPORT Security Issues The unique characteristics of connected medical devices lead to security issues that differ from traditional IT devices. Because of industry regulations and the risk that network downtimes pose to care facility operations, providers often cannot install on-device security clients or updated security patches. This frequently leaves organizations blind to the security issues plaguing their medical devices and severely limits their effectiveness to respond to threats. The most common course of action is to offline offending devices and attempt to contain infection to other devices or networks. But enforcing proactive security of connected devices has not been possible in the past due to the lack of security insight. TYPES OF DEVICE SECURITY ISSUES This graph Illustrates the various security issues found on connected medical devices across all types of devices included in Zingbox s study. Most notably, user practice issues make up 41% of all security issues. These include rogue applications and browser usage, including risky Internet site visits. This large percentage is a reflection of a failure in network restriction and policy enforcement. Context-aware policy enforcement should be put in place to restrict TYPES OF SECURITY ISSUES downloads of rogue applications and limit URL access to only the sites that are required for a device s operation. Unfortunately, the use of outdated operating systems and software (OS/SW) which comprises 33% of security issues and includes running legacy OS, obsolete applications, and unpatched firmware is frequently the norm wherever connected medical devices are utilized. Despite the limited options available to improve device security, organizations can perform several measures. Based on these findings, organizations should apply tighter device policies enforcing trusted behaviors. Applying a targeted microsegmentation strategy to devices particularly vulnerable to outdated OS/SW can be an effective security approach. 8

10 Security Issues by Device Type Many connected medical devices exhibit similar characteristics, which uniquely set them apart from traditional IT devices. However, each medical device has unique characteristics of its own that influence its security posture. Hence, no two security strategies will be the same. An organization s connected medical device security strategy will be highly dependent on its device deployment topology. To compare device deployment and device security issues, the deployment graph on page 4 of this report has been expanded to include the breakdown of security issues specific to each device type. DEVICE TYPE WITH THE MOST SECURITY ISSUES As illustrated in the graph at right, imaging systems have the most security issues. They account for 51% of all security issues across tens of thousands of devices included in this study. Several characteristics of imaging systems contribute to theirs being the most risky device type in an organization s inventory. Imaging systems are often designed on commercialoff-the-shelf (COTS) OS, are expected to have a long lifespan (15-20 years), are very expensive to replace, and often outlive the service agreement from vendors as well as the COTS provider. The distributed nature of imaging systems which consist of interconnected devices, servers, and various nodes also contributes to many security issues. As noted earlier, imaging systems also house the highest number of network applications per device (see page 5). DEVICE DEPLOYMENT AND SECURITY ISSUES BY DEVICE TYPE 9

11 THREAT REPORT Further analysis of security issues reveals the most common issues found for each device type. Imaging systems exhibit all major categories of security issues, with user practice issues the most common at 28%. COMMON SECURITY ISSUES BY DEVICE TYPE While many device types suffer from outdated OS or software, patient monitors experience these issues 23% of the time, with their heavy dependence on Windows OS. With insights into primary security issues for each device type, many recommendations discussed in this report, from effective microsegmentation to improved contextual policy enforcement, can be applied to improve overall device security. 10

12 Conclusions and Recommendations The cyber threat landscape for the healthcare industry is undergoing a transformation. While stealthy theft of PHI remains a common tactic, many hackers are changing their aims to target disruption of services. Despite efforts from regulatory bodies and organizations to improve security solutions such as the Food and Drug Administration (FDA) s strategy to streamline processes and device manufacturers focus on improving device updates healthcare providers find themselves at a severe disadvantage. Most connected medical devices cannot be protected via traditional IT means, and actionable steps based on accurate data remain elusive. With advancements in AI and a focus on specific security solutions for Internet of Things (IoT) devices, healthcare providers can now gain the visibility necessary to better protect and manage their devices and networks. They have real-time insights into the medical devices deployed, network configuration and topology, and each devices unique security risks and operational efficiency. Below are some recommendations that healthcare organizations should consider as they formulate strategies to protect and efficiently manage their connected medical devices: Real-Time Visibility into Device Deployment and Inventory Most healthcare providers lack the visibility into the devices deployed in their networks and the network topologies themselves. The first step to formulating an effective strategy is to base it on an accurate inventory of devices and network configurations. Control Rogue Applications and Communications Inappropriate or unauthorized use of applications account for a large portion of security issues identified across connected medical devices. Applying contextual enforcement policies based on individual device types can greatly reduce the exposure to rogue applications and lateral movement of infection due to inappropriate use. Develop Strategies for Top Vulnerabilities and Risks No two healthcare organizations are alike. Hence, every organization should assess their deployment and identify their biggest vulnerabilities and risks. They should then prioritize their action plans, beginning with their largest area of exposure. 11

13 THREAT REPORT About Zingbox Enabling the Internet of Trusted Things, Zingbox is the industry s first and only IoT security solution provider to leverage the individual personalities of IoT devices to provide accurate visibility and protection of an organization s IoT assets. Zingbox IoT Guardian, a SaaS-based security solution, leverages machine learning to discover IoT devices, assess risk, baseline normal behavior, detect anomalous activities, and provide real-time remediation across an organization s entire IoT footprint. 12

14

15

16 465 Fairchild Drive Suite 207 Mountain View CA Zingbox.com