
Page 1: THREAT REPORT Medical Devices - Zingboxgo.zingbox.com/.../Zingbox_2018_Annual_Threat_Report_Medical_De… · By placing devices in Virtual LANs (VLANs), organizations can isolate

Detailed analysis of connected medical devices across 50 hospitals in 2017

THREAT REPORT Medical Devices


In this Threat Report

Introduction 3
About This Report 3
Device Deployments 4
  Most Common Connected Medical Devices 4
Device Applications and Communications 5
  Device Type with the Most Network Applications 5
Use of Micro-Segmentation 6
  Medical VLANs per Site 6
  Device Types in VLANs with Medical Devices 7
Security Issues 8
  Types of Device Security Issues 8
Security Issues by Device Type 9
  Device with the Most Security Issues 9
Conclusions and Recommendations 11

Introduction

Healthcare organizations are undergoing multiple transformations, from the increasing connectivity of medical devices to the convergence of Information Technology (IT) and Operational Technology (OT). These transformations are drastically changing the way organizations conduct their day-to-day operations. Cyber threats targeting healthcare organizations are also undergoing their own transformations. While the theft of Personal Health Information (PHI) is widely accepted as the most common threat, more and more attacks are aiming to disrupt an organization’s ability to provide care. In many cases, such disruption can be more financially damaging than the actual theft of PHI.

Today, organizations find themselves at a severe disadvantage when trying to cope with this changing and evolving landscape. Many lack real-time insights into their deployment of medical devices, and industry reports based on thorough analysis and concrete data samples have not been made available. The same challenge applies to cyber threats. The inability to leverage IT-focused security solutions to secure connected medical devices leaves few options to the care providers. There are no industry reports that offer guidance or insight on how to combat cyber threats for connected medical devices.

After conducting a thorough study of numerous real-world connected medical device deployments, Zingbox uncovered insights into the types of connected medical devices deployed, their unique behaviors, and associated security issues. The report also sheds light on medical device environments, including network topology and segmentation, and identifies the most common security issues plaguing connected medical devices, with suggested remedies for each.

All information, while accurate, has been anonymized to protect the privacy of participating healthcare organizations.

About This Report

The information in this report has been derived from the analysis of connected medical device deployments at 50 hospitals and clinics in the U.S. throughout 2017. The information was gathered via Zingbox IoT Guardian at each of the 50 locations, and is based on analysis of all relevant network traffic. The study encompasses tens of thousands of connected medical devices.

The detection of each device type, network characteristics and topology, and other analysis performed in this study were conducted via artificial intelligence (AI) and deep machine learning architected in the Zingbox IoT Guardian solution. Due to its out-of-band design, no medical devices were altered in any way. No agents, clients, or other software were installed on any devices. The network traffic to and from devices also remained unaltered. Also, no gateways or other inline devices were installed.

Device Deployments

The first hurdle organizations face when formulating a management and security plan for connected medical devices is the lack of accurate insight into the assets that should be managed or protected. Trying to overcome this hurdle by relying on assumptions or outdated data is often the primary reason for the ineffectiveness of an organization’s strategy.

It’s important to note that the identification of a device’s IP address, or even its underlying operating system (OS), will have limited value for connected medical devices. Knowing the type of device — such as whether it is an infusion pump or an imaging system — offers much more relevant insight for organizations.

MOST COMMON CONNECTED MEDICAL DEVICES

As illustrated in the graph above, close to half (46%) of all connected medical devices included in this study are infusion pumps. Based on the sheer number of devices, infusion pumps represent the largest attack surface for cyber threats. The industry practice of device segmentation, if not configured correctly, can have a disastrous effect on such large numbers of devices. Lack of segmentation can have the unfortunate side effect of accelerating attacks and infections should a single device in the network be compromised.

The second most common medical devices included in this study are imaging systems. It is important to note that the category of imaging systems not only includes X-ray, ultrasound, and magnetic resonance imaging (MRI) machines, but also image viewers, Digital Imaging and Communications in Medicine (DICOM) workstations, and picture archiving and communication system (PACS) servers. Many of these devices are based on Windows OS and include apps such as web browsers, making them vulnerable to threats exploiting OS and application vulnerabilities.

CONNECTED MEDICAL DEVICES DEPLOYED

Device Applications and Communications

Modern connected medical devices communicate with a wide range of servers and devices. The communications are used for a variety of purposes, ranging from routine device management to transmissions of sensitive patient data. By analyzing a device’s network behavior and configurations, the number and type of network applications are identified.

The number of network applications is an indication of how likely the device will be infected by other devices, as well as how likely it will infect other devices, should it be compromised. Essentially, the number of network applications is a reflection of how “chatty” a device is.

DEVICE TYPE WITH THE MOST NETWORK APPLICATIONS

As illustrated in the graph at right, imaging systems have the largest number of network applications of all connected medical devices included in this study, with an average of seven network applications per device. The graph also provides insight into the nature of the applications. Of the seven network applications typically found in imaging systems, an average of three applications are used for communications with devices outside the organization. The majority of other devices include applications that predominantly communicate with other devices and servers within the organization’s network.

External applications can pose a significant risk to the organization. They can be used by malware or other attackers to breach the network. The inherent design of these applications also limits the ability of firewalls or other inline devices to disable external communications without fully understanding the implications. Analysis of perimeter security configurations, in conjunction with the requirements of the connected medical devices, should be conducted on a regular basis and as new devices are put into service.

AVERAGE NUMBER OF APPLICATIONS PER DEVICE
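The per-device application count and its internal/external split described above, as an added Python example that is not code from Zingbox or the report (and not the IoT Guardian classifier): it derives the metric from flow records such as an out-of-band sensor would extract from mirrored traffic. The flow records, device names and the organization's address ranges are constructed assumptions; the sample imaging system ends up with seven distinct applications, three of them external, matching the averages the report quotes.

```python
"""Per-device network-application profile built from flow records.

Added example, not code from Zingbox or the report: computes the
"number of network applications" per device and classes each application
as internal (peer inside the organization's address space) or external.
All flow records, device names and address ranges below are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed organization address space; a real deployment would take this
# from IPAM or the site's routing table.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: (device_id, device_type, peer_ip, application).
# The application label is what a protocol classifier would assign to the flow.
FLOWS = [
    ("img-01", "imaging system", "10.1.5.20", "dicom"),
    ("img-01", "imaging system", "10.1.5.21", "dicom"),      # same app, second peer
    ("img-01", "imaging system", "10.1.9.3", "smb"),
    ("img-01", "imaging system", "10.1.9.4", "ldap"),
    ("img-01", "imaging system", "10.1.9.5", "syslog"),
    ("img-01", "imaging system", "203.0.113.10", "https"),   # external peer
    ("img-01", "imaging system", "203.0.113.11", "http"),
    ("img-01", "imaging system", "198.51.100.7", "ntp"),
    ("img-01", "imaging system", "203.0.113.10", "https"),   # duplicate flow record
    ("pump-07", "infusion pump", "10.2.0.5", "hl7"),
    ("pump-07", "infusion pump", "10.2.0.6", "https"),
    ("pump-07", "infusion pump", "10.2.0.7", "dns"),
]


def is_internal(peer_ip: str) -> bool:
    """True when the peer address falls inside the organization's ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def application_profile(flows):
    """Build {device_id: {"type": str, "internal": set, "external": set}}.

    Applications are counted once per device and direction, so duplicate
    flows and multiple peers for one application do not inflate the count.
    """
    profile = {}
    for device_id, device_type, peer_ip, app in flows:
        entry = profile.setdefault(
            device_id, {"type": device_type, "internal": set(), "external": set()}
        )
        bucket = "internal" if is_internal(peer_ip) else "external"
        entry[bucket].add(app)
    return profile


def total_applications(entry) -> int:
    """Distinct applications for one device, regardless of direction."""
    return len(entry["internal"] | entry["external"])


def chattiness_ranking(profile):
    """Device ids ordered by distinct application count, most 'chatty' first."""
    return sorted(profile, key=lambda d: total_applications(profile[d]), reverse=True)


def average_per_type(profile):
    """Average distinct applications per device, grouped by device type."""
    totals = defaultdict(list)
    for entry in profile.values():
        totals[entry["type"]].append(total_applications(entry))
    return {dtype: sum(counts) / len(counts) for dtype, counts in totals.items()}


if __name__ == "__main__":
    prof = application_profile(FLOWS)
    for device_id in chattiness_ranking(prof):
        e = prof[device_id]
        print(f"{device_id:8} {e['type']:15} total={total_applications(e)} "
              f"internal={sorted(e['internal'])} external={sorted(e['external'])}")
    print("average per type:", average_per_type(prof))
```

The external set is the list a perimeter review should start from: each entry is a destination a firewall rule would have to keep open, and the report's warning about disabling external communications without understanding the implications applies to exactly those entries.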

Use of Micro-Segmentation

Micro-segmentation is considered a sound practice of limiting lateral infection or movement and, at the same time, enabling efficient device management. By placing devices in Virtual LANs (VLANs), organizations can isolate like devices from other device types as well as easily identify and locate devices in the network. A well-defined VLAN can also simplify the process of bringing new devices online. The benefit of micro-segmentation can only be realized, however, if organizations follow a sound practice of implementing and maintaining VLANs on a regular basis.

MEDICAL VLANS PER SITE

As shown in the graph at right, the majority of hospitals in Zingbox’s study (88%) have fewer than 20 VLANs containing medical devices — far too few VLANs to gain the insights required to successfully implement a micro-segmentation strategy at practically any sized healthcare organization. This data illustrates the security challenge that many healthcare providers face that was discussed at the beginning of this report: without insight into the types of devices in their networks, many organizations cannot gain the necessary visibility into their deployment of connected medical devices. Without the appropriate tools, the best strategy available for providers is to create a collection of IP addresses with no contextual data to tell them apart.

The graph also accurately depicts the state of current micro-segmentation strategies as two extreme ends of the spectrum. Today, organizations are either not implementing micro-segmentation, as is illustrated by the high percentage of providers with a low number of VLANs on the left side of the graph, or they have resorted to the other extreme — over-segmenting the network, as is indicated by the gap between providers with 40-50 VLANs and 100+ VLANs. We expect more and more organizations to fill the void between these extremes as they implement tools and processes to gain additional visibility into device context and use these insights for onboarding new devices.

USE OF MICRO-SEGMENTATION

The number of VLANs with medical devices provides a quantitative analysis of micro-segmentation. A successful micro-segmentation strategy, however, must also include regular analysis of devices in the medical VLANs. This ensures that the VLANs are being used efficiently to house only connected medical devices, as they were intended.

DEVICE TYPES IN VLANS WITH MEDICAL DEVICES

As illustrated in the graph at right, medical devices are not the predominant devices found in medical VLANs. In fact, this type makes up less than a quarter (23%) of all devices. PCs make up the largest device type in a typical medical VLAN at 43%. Aside from PCs, other non-medical devices, such as printers, IP phones, and surveillance cameras, can also be found in medical VLANs.

This graph unfortunately illustrates the ineffectiveness of today’s micro-segmentation strategy. Such a wide range of devices found in medical VLANs promotes cross contamination and lateral movement of infections.

The first course of action that organizations should take is to remove PCs from their medical VLANs, followed by tablets and then other non-medical IoT devices, such as surveillance cameras and IP phones. The non-medical IoT devices should be moved to other non-medical VLANs. Of course, in order to implement these changes, organizations must first gain visibility into their VLANs and be able to accurately identify device types.

DEVICES IN MEDICAL VLANS
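The VLAN audit and the remediation order the section describes, as an added Python example that is not part of the report or of Zingbox's tooling: it takes an inventory that already carries a device type per entry (the visibility the report says must come first), measures how much of each medical VLAN is actually medical, and lists misplaced devices in the order PCs, then tablets, then other non-medical IoT. The inventory rows, VLAN ids and type names are constructed assumptions.

```python
"""Medical-VLAN hygiene audit over a device inventory.

Added example, not code from Zingbox or the report. A "medical VLAN" is
any VLAN that holds at least one connected medical device; the audit
reports the device-type mix of each such VLAN and an ordered move list.
Inventory rows, VLAN ids and type names are constructed.
"""
from collections import Counter

MEDICAL_TYPES = {"infusion pump", "imaging system", "patient monitor"}

# Move order for non-medical devices found in a medical VLAN; any
# non-medical type not listed here is treated as "other IoT" (priority 3).
REMOVAL_PRIORITY = {"pc": 1, "tablet": 2}

# Constructed inventory: (ip, device_type, vlan_id)
INVENTORY = [
    ("10.10.1.11", "infusion pump", 110),
    ("10.10.1.12", "infusion pump", 110),
    ("10.10.1.50", "pc", 110),
    ("10.10.1.51", "pc", 110),
    ("10.10.1.60", "ip phone", 110),
    ("10.10.2.20", "imaging system", 120),
    ("10.10.2.21", "tablet", 120),
    ("10.10.2.22", "surveillance camera", 120),
    ("10.10.3.5", "printer", 130),  # VLAN 130 holds no medical device
    ("10.10.3.6", "pc", 130),
]


def medical_vlans(inventory):
    """VLANs that contain at least one connected medical device."""
    return {vlan for _, dtype, vlan in inventory if dtype in MEDICAL_TYPES}


def vlan_composition(inventory):
    """Per medical VLAN, a Counter of the device types found in it."""
    wanted = medical_vlans(inventory)
    composition = {vlan: Counter() for vlan in wanted}
    for _, dtype, vlan in inventory:
        if vlan in wanted:
            composition[vlan][dtype] += 1
    return composition


def medical_share(inventory) -> float:
    """Percentage of devices in medical VLANs that are actually medical devices."""
    wanted = medical_vlans(inventory)
    in_medical = [dtype for _, dtype, vlan in inventory if vlan in wanted]
    if not in_medical:
        return 0.0
    medical = sum(1 for dtype in in_medical if dtype in MEDICAL_TYPES)
    return 100.0 * medical / len(in_medical)


def remediation_plan(inventory):
    """Non-medical devices sitting in medical VLANs, in the order to move them out."""
    wanted = medical_vlans(inventory)
    misplaced = [
        (ip, dtype, vlan)
        for ip, dtype, vlan in inventory
        if vlan in wanted and dtype not in MEDICAL_TYPES
    ]
    # PCs first, then tablets, then everything else; stable within a class.
    misplaced.sort(key=lambda row: (REMOVAL_PRIORITY.get(row[1], 3), row[2], row[0]))
    return misplaced


if __name__ == "__main__":
    print(f"medical share of devices in medical VLANs: {medical_share(INVENTORY):.1f}%")
    for vlan, counts in sorted(vlan_composition(INVENTORY).items()):
        print(vlan, dict(counts))
    for ip, dtype, vlan in remediation_plan(INVENTORY):
        print(f"move {dtype:20} {ip:12} out of VLAN {vlan}")
```

Run periodically against the live inventory, the medical share is the number to trend: the report's 23% figure is what an unmanaged estate looks like, and the move list stays empty only while the VLANs are being maintained as the section recommends.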

Security Issues

The unique characteristics of connected medical devices lead to security issues that differ from those of traditional IT devices. Because of industry regulations and the risk that network downtime poses to care facility operations, providers often cannot install on-device security clients or updated security patches. This frequently leaves organizations blind to the security issues plaguing their medical devices and severely limits their ability to respond to threats. The most common course of action is to take offending devices offline and attempt to contain the infection from spreading to other devices or networks. But enforcing proactive security of connected devices has not been possible in the past due to the lack of security insight.

TYPES OF DEVICE SECURITY ISSUES

This graph illustrates the various security issues found on connected medical devices across all types of devices included in Zingbox’s study. Most notably, user practice issues make up 41% of all security issues. These include rogue applications and browser usage, including risky Internet site visits. This large percentage is a reflection of a failure in network restriction and policy enforcement. Context-aware policy enforcement should be put in place to restrict downloads of rogue applications and limit URL access to only the sites that are required for a device’s operation.

Unfortunately, the use of outdated operating systems and software (OS/SW) — which comprises 33% of security issues and includes running legacy OS, obsolete applications, and unpatched firmware — is frequently the norm wherever connected medical devices are utilized. Despite the limited options available to improve device security, organizations can perform several measures. Based on these findings, organizations should apply tighter device policies enforcing trusted behaviors. Applying a targeted micro-segmentation strategy to devices particularly vulnerable to outdated OS/SW can be an effective security approach.

TYPES OF SECURITY ISSUES
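Context-aware URL policy as described above, as an added Python example that is not the report's or Zingbox's code: a per-device-type allowlist of required hosts evaluated over web-proxy log lines, flagging both browsing outside the required set and executable downloads from non-required hosts (the report's "rogue applications"). The log format, the device-to-type map, the host names and the allowlists are all assumptions; the log lines are constructed, including one malformed line to show it is skipped rather than crashing the check.

```python
"""Context-aware URL policy check for connected medical devices.

Added example, not code from Zingbox or the report. Policy is keyed on
device type, as the report recommends: a device type gets a set of hosts
it requires, and anything else from a device of that type is a finding.
Log format, device map, hosts and allowlists are assumptions for this example.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts each device type legitimately needs to reach (assumed).
REQUIRED_HOSTS = {
    "infusion pump": {"drug-library.example-hospital.internal",
                      "ntp.example-hospital.internal"},
    "imaging system": {"pacs.example-hospital.internal",
                       "updates.imaging-vendor.example"},
}
# Device identity, as an inventory with device types would supply it (assumed).
DEVICE_TYPES = {
    "10.10.1.11": "infusion pump",
    "10.10.2.20": "imaging system",
    "10.10.5.40": "pc",  # no medical policy applies to this type
}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll")

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed log lines.
LOG_LINES = [
    "2017-03-02T10:01:00Z 10.10.1.11 GET http://drug-library.example-hospital.internal/library.xml 200",
    "2017-03-02T10:02:10Z 10.10.1.11 GET http://news.example.org/headlines 200",
    "2017-03-02T10:03:00Z 10.10.2.20 GET https://pacs.example-hospital.internal/studies/123 200",
    "2017-03-02T10:03:30Z 10.10.2.20 GET https://updates.imaging-vendor.example/patch-2017-02.msi 200",
    "2017-03-02T10:04:00Z 10.10.2.20 GET http://downloads.example.net/toolbar-setup.exe 200",
    "2017-03-02T10:05:00Z 10.10.5.40 GET http://news.example.org/ 200",
    "this line is not in the expected format",
]


def classify(device_type, url):
    """Return None when the request is allowed, else a short reason string."""
    policy = REQUIRED_HOSTS.get(device_type)
    if policy is None:
        return None  # no context-aware policy defined for this device type
    parsed = urlparse(url)
    if parsed.hostname in policy:
        return None  # required host: allowed even when it serves an installer
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return "executable download from non-required host"
    return "url outside the device type's required set"


def evaluate(lines):
    """Parse proxy log lines and return (src, device_type, host, reason) findings."""
    violations = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match is None:
            continue  # malformed line: skip rather than crash
        src = match["src"]
        device_type = DEVICE_TYPES.get(src, "unknown")
        reason = classify(device_type, match["url"])
        if reason:
            violations.append((src, device_type, urlparse(match["url"]).hostname, reason))
    return violations


def summarize(violations):
    """Finding counts per device type, the view the report's graphs take."""
    return Counter(dtype for _, dtype, _, _ in violations)


if __name__ == "__main__":
    found = evaluate(LOG_LINES)
    for finding in found:
        print(*finding)
    print(summarize(found))
```

The same allowlist doubles as the enforcement rule set: the hosts in REQUIRED_HOSTS are what a proxy or firewall policy for that device type would permit, and the findings are what the report counts as user practice issues once enforcement is missing.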

Security Issues by Device Type

Many connected medical devices exhibit similar characteristics, which uniquely set them apart from traditional IT devices. However, each medical device has unique characteristics of its own that influence its security posture. Hence, no two security strategies will be the same. An organization’s connected medical device security strategy will be highly dependent on its device deployment topology.

To compare device deployment and device security issues, the deployment graph from the Device Deployments section (page 4 of this report) has been expanded to include the breakdown of security issues specific to each device type.

DEVICE TYPE WITH THE MOST SECURITY ISSUES

As illustrated in the graph at right, imaging systems have the most security issues. They account for 51% of all security issues across the tens of thousands of devices included in this study. Several characteristics of imaging systems contribute to their being the most risky device type in an organization’s inventory. Imaging systems are often designed on commercial off-the-shelf (COTS) OS, are expected to have a long lifespan (15-20 years), are very expensive to replace, and often outlive the service agreement from vendors as well as the COTS provider. The distributed nature of imaging systems — which consist of interconnected devices, servers, and various nodes — also contributes to many security issues. As noted earlier, imaging systems also house the highest number of network applications per device (see Device Applications and Communications, page 5).

DEVICE DEPLOYMENT AND SECURITY ISSUES BY DEVICE TYPE

Further analysis of security issues reveals the most common issues found for each device type. Imaging systems exhibit all major categories of security issues, with user practice issues the most common at 28%.

While many device types suffer from outdated OS or software, patient monitors experience these issues 23% of the time, with their heavy dependence on Windows OS.

With insights into the primary security issues for each device type, many recommendations discussed in this report, from effective micro-segmentation to improved contextual policy enforcement, can be applied to improve overall device security.

COMMON SECURITY ISSUES BY DEVICE TYPE

Conclusions and Recommendations

The cyber threat landscape for the healthcare industry is undergoing a transformation. While stealthy theft of PHI remains a common tactic, many hackers are changing their aims to target disruption of services. Despite efforts from regulatory bodies and organizations to improve security solutions — such as the Food and Drug Administration (FDA)’s strategy to streamline processes and device manufacturers’ focus on improving device updates — healthcare providers find themselves at a severe disadvantage. Most connected medical devices cannot be protected via traditional IT means, and actionable steps based on accurate data remain elusive.

With advancements in AI and a focus on specific security solutions for Internet of Things (IoT) devices, healthcare providers can now gain the visibility necessary to better protect and manage their devices and networks. They have real-time insights into the medical devices deployed, network configuration and topology, and each device’s unique security risks and operational efficiency.

Below are some recommendations that healthcare organizations should consider as they formulate strategies to protect and efficiently manage their connected medical devices:

Real-Time Visibility into Device Deployment and Inventory – Most healthcare providers lack visibility into the devices deployed in their networks and the network topologies themselves. The first step to formulating an effective strategy is to base it on an accurate inventory of devices and network configurations.

Control Rogue Applications and Communications – Inappropriate or unauthorized use of applications accounts for a large portion of security issues identified across connected medical devices. Applying contextual enforcement policies based on individual device types can greatly reduce the exposure to rogue applications and lateral movement of infection due to inappropriate use.

Develop Strategies for Top Vulnerabilities and Risks – No two healthcare organizations are alike. Hence, every organization should assess its deployment and identify its biggest vulnerabilities and risks. It should then prioritize its action plans, beginning with its largest area of exposure.

About Zingbox

Enabling the Internet of Trusted Things, Zingbox is the industry’s first and only IoT security solution provider to leverage the individual personalities of IoT devices to provide accurate visibility and protection of an organization’s IoT assets. Zingbox IoT Guardian, a SaaS-based security solution, leverages machine learning to discover IoT devices, assess risk, baseline normal behavior, detect anomalous activities, and provide real-time remediation across an organization’s entire IoT footprint.

465 Fairchild Drive Suite 207
Mountain View CA 94043
Zingbox.com