Detailed analysis of connected medical devices across 50 hospitals in 2017
THREAT REPORT Medical Devices
In this Threat Report
Introduction
  About This Report
Device Deployments
  Most Common Connected Medical Devices
Device Applications and Communications
  Device Type with the Most Network Applications
Use of Micro-Segmentation
  Medical VLANs per Site
  Device Types in VLANs with Medical Devices
Security Issues
  Types of Device Security Issues
Security Issues by Device Type
  Device Type with the Most Security Issues
Conclusions and Recommendations
Introduction
Healthcare organizations are undergoing multiple transformations, from the increasing connectivity of medical devices to the convergence of Information Technology (IT) and Operational Technology (OT). These transformations are drastically changing the way organizations conduct their day-to-day operations. Cyber threats targeting healthcare organizations are also undergoing their own transformations. While the theft of Personal Health Information (PHI) is widely accepted as the most common threat, more and more attacks aim to disrupt an organization's ability to provide care. In many cases, such disruption can be more financially damaging than the actual theft of PHI.
Today, organizations find themselves at a severe disadvantage when trying to cope with this changing and evolving landscape. Many lack
real-time insights into their deployment of medical devices, and industry reports based on thorough analysis and concrete data samples
have not been made available. The same challenge applies to cyber threats. The inability to leverage IT-focused security solutions to
secure connected medical devices leaves few options to the care providers. There are no industry reports that offer guidance or insight on
how to combat cyber threats for connected medical devices.
After conducting a thorough study of numerous real-world connected medical device deployments, Zingbox uncovered insights into
the types of connected medical devices deployed, their unique behaviors, and associated security issues. The report also sheds light on
medical device environments, including network topology and segmentation, and identifies the most common security issues plaguing
connected medical devices, with suggested remedies for each.
All information, while accurate, has been anonymized to protect the privacy of participating healthcare organizations.
About This Report
The information in this report has been derived from the analysis of connected medical device deployments at 50 hospitals and clinics in the U.S. throughout 2017. The information was gathered via Zingbox IoT Guardian at each of the 50 locations, and is based on analysis of all relevant network traffic. The study encompasses tens of thousands of connected medical devices.
The detection of each device type, network characteristics and topology, and the other analysis performed in this study were conducted via artificial intelligence (AI) and deep machine learning architected in the Zingbox IoT Guardian solution. Due to its out-of-band design, no medical devices were altered in any way. No agents, clients, or other software were installed on any devices. The network traffic to and from devices also remained unaltered. Also, no gateways or other inline devices were installed.
Device Deployments
The first hurdle organizations face when formulating a management and security plan for connected medical devices is the lack of accurate insight into the assets that should be managed or protected. Trying to overcome this hurdle by relying on assumptions or outdated data is often the primary reason for the ineffectiveness of an organization's strategy.
It is important to note that the identification of a device's IP address, or even its underlying operating system (OS), has limited value for connected medical devices. Knowing the type of device, such as whether it is an infusion pump or an imaging system, offers much more relevant insight for organizations.
MOST COMMON CONNECTED MEDICAL DEVICES
As illustrated in the deployment graph, close to half (46%) of all connected medical devices included in this study are infusion pumps. By sheer number of devices, infusion pumps represent the largest attack surface for cyber threats. Because they are so numerous, segmentation mistakes are costly: an incorrectly configured segment exposes a large population of devices at once, and the absence of segmentation allows an attack or infection that starts on a single pump to spread quickly across the fleet.
The second most common medical devices included in this study are imaging systems. It is important to note that this category includes not only X-ray, ultrasound, and magnetic resonance imaging (MRI) machines, but also image viewers, Digital Imaging and Communications in Medicine (DICOM) workstations, and picture archiving and communication system (PACS) servers. Many of these devices run a Windows OS and carry applications such as web browsers, which exposes them to threats that exploit OS and application vulnerabilities.
[Figure: Connected Medical Devices Deployed, share of devices by device type]
Device Applications and Communications
Modern connected medical devices communicate with a wide range of servers and devices, for purposes ranging from routine device management to the transmission of sensitive patient data. By analyzing a device's network behavior and configuration, the number and type of network applications it uses can be identified.
The number of network applications is a proxy for exposure: each distinct application is a path through which a compromised peer can reach the device and, should the device itself be compromised, a path through which it can reach others. Essentially, the number of network applications reflects how "chatty" a device is.
DEVICE TYPE WITH THE MOST NETWORK APPLICATIONS
As illustrated in the graph, imaging systems have the largest number of network applications of all connected medical devices included in this study, with an average of seven network applications per device. The graph also provides insight into the nature of the applications. Of the seven network applications typically found in imaging systems, an average of three are used for communications with devices outside the organization. Most other device types carry applications that predominantly communicate with devices and servers within the organization's network.
External applications can pose a significant risk to the organization: they can be used by malware or other attackers to breach the network. Because these external communications are frequently part of the device's intended operation, a firewall or other inline device cannot simply block them without first understanding what each one does and what would break if it were cut off. Analysis of perimeter security configurations, in conjunction with the communication requirements of the connected medical devices, should be conducted on a regular basis and whenever new devices are put into service.
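The following Python example is added to this text; it is not code from the Zingbox report and does not describe how IoT Guardian works internally. It shows one way to derive the per-device "network application" count and the internal/external split described above from passive flow records. The records are constructed, Zeek-style conn.log rows, the IP addresses are made up, and treating a network application as a distinct (transport protocol, identified service or destination port) pair is an assumption made for the example; the report itself does not define the term.

```python
"""Network application inventory from flow records (added example, not Zingbox code)."""
import ipaddress
from collections import defaultdict

# Constructed sample: one imaging workstation (10.20.30.40) and one infusion pump (10.20.31.7).
# Columns: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service ("-" = not identified).
SAMPLE_CONN_LOG = """\
1514764800.1\t10.20.30.40\t51000\t10.20.30.5\t104\ttcp\tdicom
1514764801.2\t10.20.30.40\t51001\t10.20.30.5\t104\ttcp\tdicom
1514764802.3\t10.20.30.40\t51002\t10.20.30.10\t445\ttcp\tsmb
1514764803.4\t10.20.30.40\t51003\t10.20.30.2\t53\tudp\tdns
1514764804.5\t10.20.30.40\t51004\t203.0.113.10\t443\ttcp\tssl
1514764805.6\t10.20.30.40\t51005\t198.51.100.25\t80\ttcp\thttp
1514764806.7\t10.20.30.40\t51006\t192.0.2.50\t123\tudp\tntp
1514764807.8\t10.20.30.40\t51007\t203.0.113.10\t443\ttcp\tssl
1514764808.9\t10.20.31.7\t40000\t10.20.31.250\t443\ttcp\tssl
1514764809.0\t10.20.31.7\t40001\t10.20.30.2\t53\tudp\tdns
1514764810.1\t10.20.31.7\t40002\t10.20.31.250\t8443\ttcp\t-
"""

# Assumption: RFC 1918 space is "inside the organization". Replace with the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the destination lies outside the organization's address space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse tab-separated conn records, skipping blanks and Zeek '#' header lines."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, _orig_p, resp_h, resp_p, proto, service = line.split("\t")
        flows.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": int(resp_p),
                      "proto": proto, "service": service})
    return flows


def application_of(flow):
    """Label a flow by protocol and identified service, falling back to the destination port."""
    label = flow["service"] if flow["service"] != "-" else str(flow["resp_p"])
    return f"{flow['proto']}/{label}"


def network_applications(flows):
    """Map each device to the set of applications it uses, split into internal and external."""
    apps = defaultdict(lambda: {"internal": set(), "external": set()})
    for flow in flows:
        scope = "external" if is_external(flow["resp_h"]) else "internal"
        apps[flow["orig_h"]][scope].add(application_of(flow))
    return apps


def chattiness_ranking(apps):
    """Rank devices by distinct applications, then by external ones; most exposed first.

    Each row is (device, total_apps, external_apps, sorted external app labels).
    """
    rows = []
    for dev, scopes in apps.items():
        total = len(scopes["internal"] | scopes["external"])
        rows.append((dev, total, len(scopes["external"]), sorted(scopes["external"])))
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    ranking = chattiness_ranking(network_applications(parse_conn_log(SAMPLE_CONN_LOG)))
    for dev, total, external, ext_apps in ranking:
        print(f"{dev}: {total} applications, {external} external {ext_apps}")
```

On the constructed sample the imaging workstation comes out with six applications, three of them external (TLS, HTTP and NTP to non-RFC 1918 addresses), while the pump has three, all internal. The external list is the one to reconcile against perimeter rules before any of those destinations is blocked.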
[Figure: Average number of applications per device, internal vs. external, by device type]
Use of Micro-Segmentation
Micro-segmentation is considered a sound practice for limiting lateral infection or movement while, at the same time, enabling efficient device management. By placing devices in Virtual LANs (VLANs), organizations can isolate like devices from other device types as well as easily identify and locate devices in the network. A well-defined VLAN can also simplify the process of bringing new devices online. The benefit of micro-segmentation can only be realized, however, if organizations follow a sound practice of implementing and maintaining VLANs on a regular basis.
MEDICAL VLANS PER SITE
As shown in the graph, the majority of hospitals in Zingbox's study (88%) have fewer than 20 VLANs containing medical devices, far fewer than a working micro-segmentation strategy would require at practically any size of healthcare organization. This data illustrates the security challenge, discussed at the beginning of this report, that many healthcare providers face: without insight into the types of devices in their networks, organizations cannot gain the visibility needed to segment their connected medical devices. Without the appropriate tools, the best strategy available to providers is to work from a collection of IP addresses with no contextual data to tell them apart.
The graph also depicts the state of current micro-segmentation strategies as two extremes. Today, organizations are either not implementing micro-segmentation, as shown by the high percentage of providers with a low number of VLANs on the left side of the graph, or have gone to the other extreme and over-segmented the network, as indicated by the gap between providers with 40-50 VLANs and those with 100+ VLANs. We expect more and more organizations to fill the void between these extremes as they adopt tools and processes that give them visibility into device context and use those insights when onboarding new devices.
[Figure: Use of Micro-Segmentation (number of medical VLANs per site)]
The number of VLANs containing medical devices is a quantitative measure of micro-segmentation. A successful micro-segmentation strategy, however, must also include regular analysis of the devices in the medical VLANs, to ensure that those VLANs house only connected medical devices, as intended.
DEVICE TYPES IN VLANS WITH MEDICAL DEVICES
As illustrated in the graph, medical devices are not the predominant devices found in medical VLANs. In fact, they make up less than a quarter (23%) of all devices. PCs are the largest device type in a typical medical VLAN at 43%. Aside from PCs, other non-medical devices, such as printers, IP phones, and surveillance cameras, are also found in medical VLANs.
This graph unfortunately illustrates the ineffectiveness of today's micro-segmentation strategies. Such a wide range of devices in medical VLANs promotes cross-contamination and lateral movement of infections.
The first course of action organizations should take is to remove PCs from their medical VLANs, followed by tablets and then other non-medical IoT devices, such as surveillance cameras and IP phones. The non-medical IoT devices should be moved to other, non-medical VLANs. Of course, in order to implement these changes, organizations must first gain visibility into their VLANs and be able to accurately identify device types.
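The Python example below is added to this text and is not part of the Zingbox report or its product. It turns the cleanup described above into a repeatable check: given a device inventory of the kind a discovery tool exports, it identifies the VLANs that contain medical devices, reports how much of each is actually medical equipment, and orders the non-medical devices to be moved out in the sequence the report recommends (PCs, then tablets, then other non-medical IoT). The inventory rows, VLAN numbers and type labels are constructed for the example.

```python
"""Medical VLAN membership audit (added example, not Zingbox code)."""
from collections import Counter, defaultdict

# Assumed type labels for connected medical devices; extend to match the inventory's vocabulary.
MEDICAL_TYPES = {"infusion pump", "imaging system", "patient monitor", "pacs server"}

# Removal order from the report: PCs first, tablets second, every other non-medical type last.
REMOVAL_PRIORITY = {"pc": 0, "tablet": 1}
OTHER_IOT_PRIORITY = 2

# Constructed inventory: (device_id, vlan_id, device_type).
SAMPLE_INVENTORY = [
    ("pump-001", 110, "infusion pump"),
    ("pump-002", 110, "infusion pump"),
    ("pc-01", 110, "pc"),
    ("pc-02", 110, "pc"),
    ("printer-01", 110, "printer"),
    ("ct-01", 120, "imaging system"),
    ("pacs-01", 120, "pacs server"),
    ("pc-03", 120, "pc"),
    ("tablet-01", 120, "tablet"),
    ("cam-01", 120, "ip camera"),
    ("phone-01", 120, "ip phone"),
    ("pc-04", 200, "pc"),          # office VLAN with no medical devices: out of scope
    ("phone-02", 200, "ip phone"),
]


def by_vlan(inventory):
    """Group (device_id, device_type) pairs by VLAN id."""
    vlans = defaultdict(list)
    for dev_id, vlan, dev_type in inventory:
        vlans[vlan].append((dev_id, dev_type))
    return vlans


def medical_vlans(inventory):
    """VLAN ids that contain at least one medical device, sorted."""
    return sorted(vlan for vlan, members in by_vlan(inventory).items()
                  if any(t in MEDICAL_TYPES for _, t in members))


def composition(inventory, vlan):
    """Device-type counts for one VLAN."""
    return Counter(t for _, t in by_vlan(inventory)[vlan])


def medical_share(inventory):
    """Fraction of devices in medical VLANs that are themselves medical devices."""
    vlans = by_vlan(inventory)
    total = medical = 0
    for vlan in medical_vlans(inventory):
        for _, t in vlans[vlan]:
            total += 1
            medical += t in MEDICAL_TYPES
    return medical / total if total else 0.0


def cleanup_plan(inventory):
    """Non-medical devices to move out of medical VLANs, as (priority, vlan, device_id, type).

    Sorted so PCs come first, then tablets, then other IoT, each group ordered by VLAN and id.
    """
    vlans = by_vlan(inventory)
    plan = []
    for vlan in medical_vlans(inventory):
        for dev_id, t in vlans[vlan]:
            if t in MEDICAL_TYPES:
                continue
            plan.append((REMOVAL_PRIORITY.get(t, OTHER_IOT_PRIORITY), vlan, dev_id, t))
    return sorted(plan)


if __name__ == "__main__":
    for vlan in medical_vlans(SAMPLE_INVENTORY):
        print(f"VLAN {vlan}: {dict(composition(SAMPLE_INVENTORY, vlan))}")
    print(f"medical share of medical VLANs: {medical_share(SAMPLE_INVENTORY):.0%}")
    for priority, vlan, dev_id, t in cleanup_plan(SAMPLE_INVENTORY):
        print(f"move {dev_id} ({t}) out of VLAN {vlan}  [wave {priority}]")
```

Run against the constructed inventory, VLANs 110 and 120 qualify as medical VLANs, only 4 of their 11 members are medical devices, and the plan lists the three PCs first, the tablet next, and the printer, camera and phone last. The office VLAN 200 is ignored because it holds no medical devices.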
[Figure: Devices in medical VLANs, share by device type]
Security Issues
The unique characteristics of connected medical devices lead to security issues that differ from those of traditional IT devices. Because of industry regulations and the risk that downtime poses to care facility operations, providers often cannot install on-device security clients or apply security patches. This frequently leaves organizations blind to the security issues affecting their medical devices and severely limits their ability to respond to threats. The most common course of action is to take offending devices offline and try to contain the infection before it spreads to other devices or networks. Proactive enforcement of security controls on connected devices has not been possible in the past because of this lack of security insight.
TYPES OF DEVICE SECURITY ISSUES
This graph illustrates the various security issues found on connected medical devices across all device types included in Zingbox's study. Most notably, user practice issues make up 41% of all security issues. These include rogue applications and browser usage, including visits to risky Internet sites. This large percentage reflects a failure of network restriction and policy enforcement. Context-aware policy enforcement should be put in place to block downloads of rogue applications and limit URL access to only the sites required for a device's operation.
Unfortunately, the use of outdated operating systems and software (OS/SW), which accounts for 33% of security issues and includes running a legacy OS, obsolete applications, and unpatched firmware, is frequently the norm wherever connected medical devices are used. Despite the limited options for improving the devices themselves, organizations can still take several measures. Based on these findings, organizations should apply tighter device policies that enforce trusted behaviors, and a targeted micro-segmentation strategy for devices that are particularly exposed because of outdated OS/SW can be an effective compensating control.
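As an added example, not Zingbox code and not a description of how IoT Guardian enforces policy, the Python below shows the shape of the context-aware policy just described: a per-device-type allowlist of the hosts a device needs, a blanket rule that no medical device downloads application installers, and default deny for any device whose type is unknown. It evaluates constructed HTTP records of the kind a proxy or Zeek http.log would produce; the device-to-type mapping, host names and allowlist contents are assumptions made for the example.

```python
"""Context-aware URL and application policy check (added example, not Zingbox code)."""
from collections import Counter

# Assumed device inventory: source IP -> device type, as a discovery tool would supply it.
DEVICE_TYPES = {
    "10.20.30.40": "imaging system",
    "10.20.31.7": "infusion pump",
}

# Per-type allowlist of the only hosts the device needs for its operation (assumed values).
# A device type absent from this table gets no allowed hosts, i.e. default deny.
ALLOWED_HOSTS = {
    "imaging system": {"pacs.hospital.example", "updates.imagingvendor.example"},
    "infusion pump": {"pumpserver.hospital.example"},
}

# Installer/binary extensions: no medical device type may fetch these, whatever the host.
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".dll", ".bat", ".ps1", ".jar")

# Constructed sample records: ts, src_ip, method, host, uri.
SAMPLE_HTTP_LOG = """\
1514764800.0\t10.20.30.40\tGET\tpacs.hospital.example\t/wado?studyUID=1.2.3
1514764801.0\t10.20.30.40\tGET\tupdates.imagingvendor.example\t/firmware/release-notes.pdf
1514764802.0\t10.20.30.40\tGET\twww.example-news.example\t/sports
1514764803.0\t10.20.30.40\tGET\tcdn.freetools.example\t/setup/toolbar-installer.exe
1514764804.0\t10.20.31.7\tPOST\tpumpserver.hospital.example\t/api/telemetry
1514764805.0\t10.20.31.7\tGET\tpumpserver.hospital.example\t/updates/agent.msi
1514764806.0\t10.20.40.9\tGET\tpacs.hospital.example\t/wado?studyUID=4.5.6
"""


def parse_http_log(text):
    """Parse tab-separated HTTP records, skipping blanks and '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, method, host, uri = line.split("\t")
        records.append({"ts": float(ts), "src": src, "method": method,
                        "host": host.lower(), "uri": uri})
    return records


def is_executable_download(method, uri):
    """True for a GET whose path (query string ignored) ends in an installer/binary extension."""
    path = uri.split("?", 1)[0].lower()
    return method == "GET" and path.endswith(EXECUTABLE_EXTENSIONS)


def evaluate(record):
    """Return (category, detail) findings for one request; an empty list means it conforms."""
    dev_type = DEVICE_TYPES.get(record["src"])
    if dev_type is None:
        return [("unknown_device", f"{record['src']} has no device type; default deny")]
    findings = []
    if record["host"] not in ALLOWED_HOSTS.get(dev_type, set()):
        findings.append(("unapproved_site", f"{dev_type} {record['src']} -> {record['host']}"))
    if is_executable_download(record["method"], record["uri"]):
        findings.append(("executable_download",
                         f"{dev_type} {record['src']} fetched {record['uri']} from {record['host']}"))
    return findings


def audit(text):
    """Evaluate every record; return (conforming_count, findings_by_category, findings)."""
    findings = []
    conforming = 0
    for rec in parse_http_log(text):
        result = evaluate(rec)
        if result:
            findings.extend(result)
        else:
            conforming += 1
    return conforming, Counter(cat for cat, _ in findings), findings


if __name__ == "__main__":
    conforming, by_category, all_findings = audit(SAMPLE_HTTP_LOG)
    print(f"{conforming} requests conformed to policy; violations: {dict(by_category)}")
    for category, detail in all_findings:
        print(f"[{category}] {detail}")
```

On the sample, three requests conform. The imaging workstation's visit to a news site and its installer download from a free-tools CDN are flagged (the latter twice, once for the host and once for the binary), the pump's `.msi` fetch is flagged even though the host is on its allowlist, and the request from the unidentified 10.20.40.9 is denied outright. The same findings, aggregated per device type, are what a firewall or proxy allowlist would be generated from.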
[Figure: Types of security issues, share of all issues by category]
Security Issues by Device Type
Many connected medical devices share characteristics that set them apart from traditional IT devices. Each device type, however, also has characteristics of its own that influence its security posture, so no two security strategies will be the same: an organization's connected medical device security strategy will depend heavily on its device deployment topology.
To compare device deployment with device security issues, the deployment graph from the Device Deployments section has been expanded to include the breakdown of security issues specific to each device type.
DEVICE TYPE WITH THE MOST SECURITY ISSUES
As illustrated in the graph, imaging systems have the most security issues, accounting for 51% of all security issues across the tens of thousands of devices included in this study. Several characteristics of imaging systems make them the riskiest device type in an organization's inventory. They are often built on a commercial off-the-shelf (COTS) OS, are expected to have a long lifespan (15-20 years), are very expensive to replace, and often outlive both the vendor's service agreement and the COTS provider's support. The distributed nature of imaging systems, which consist of interconnected devices, servers, and various nodes, also contributes to many security issues. As noted earlier, imaging systems also have the highest number of network applications per device (see Device Applications and Communications).
[Figure: Device deployment and security issues by device type]
Further analysis reveals the most common issues found for each device type. Imaging systems exhibit all major categories of security issues, with user practice issues the most common at 28%. While many device types suffer from outdated OS or software, patient monitors, with their heavy dependence on Windows OS, show these issues 23% of the time.
With insight into the primary security issues for each device type, many of the recommendations discussed in this report, from effective micro-segmentation to improved contextual policy enforcement, can be applied to improve overall device security.
[Figure: Common security issues by device type]
Conclusions and Recommendations
The cyber threat landscape for the healthcare industry is undergoing a transformation. While stealthy theft of PHI remains a common tactic, many attackers are shifting their aims toward disruption of services. Despite efforts by regulatory bodies and organizations to improve security, such as the U.S. Food and Drug Administration's (FDA) strategy to streamline its processes and device manufacturers' focus on improving device updates, healthcare providers find themselves at a severe disadvantage. Most connected medical devices cannot be protected by traditional IT means, and actionable steps based on accurate data remain elusive.
With advances in AI and the emergence of security solutions built specifically for Internet of Things (IoT) devices, healthcare providers can now gain the visibility necessary to better protect and manage their devices and networks: real-time insight into the medical devices deployed, the network configuration and topology, and each device's unique security risks and operational efficiency.
Below are some recommendations that healthcare organizations should consider as they formulate strategies to protect and efficiently manage their connected medical devices:
Real-Time Visibility into Device Deployment and Inventory – Most healthcare providers lack visibility into the devices deployed in their networks and into the network topology itself. The first step in formulating an effective strategy is to base it on an accurate inventory of devices and network configurations.
Control Rogue Applications and Communications – Inappropriate or unauthorized use of applications accounts for a large portion of the security issues identified across connected medical devices. Applying contextual enforcement policies based on individual device types can greatly reduce exposure to rogue applications and the lateral movement of infection that results from inappropriate use.
Develop Strategies for Top Vulnerabilities and Risks – No two healthcare organizations are alike. Every organization should therefore assess its own deployment, identify its biggest vulnerabilities and risks, and prioritize its action plan, beginning with its largest area of exposure.
About Zingbox
Enabling the Internet of Trusted Things, Zingbox is the industry's first and only IoT security solution provider to leverage the individual personalities of IoT devices to provide accurate visibility and protection of an organization's IoT assets. Zingbox IoT Guardian, a SaaS-based security solution, leverages machine learning to discover IoT devices, assess risk, baseline normal behavior, detect anomalous activities, and provide real-time remediation across an organization's entire IoT footprint.