Ventilators and respirators, on the front line against the respiratory symptoms often deadly for coronavirus patients, may seem like natural points of vulnerability for medical organizations, but the real threats come from the flood of high-tech IoT medical equipment that must be integrated into a network and properly secured from attack.
Under normal circumstances hospitals struggle to bring that equipment online, but with the added pressure of dealing with a pandemic medical IT staffs are being pushed to the brink, creating plenty of opportunities for mistakes as they support the efforts to save lives while risking being exposed to the virus themselves.
“A premium is now on speed,” said Greg Murphy, CEO of Order, a company that focuses on protecting connected medical devices. “New devices are coming in with technicians possibly not familiar with the make or the device’s security history so to have them just come in and get connected creates a great deal of risk.”
Murphy called the hospital IT teams heroic noting they too are on the front line working amid patients as they attempt to get equipment in place.
While Order has seen a spike of activity on the dark web, centered around respirators, fortunately the majority of the devices that are either in use or being shipped from national stockpiles are older models and by themselves not capable of being connected to a network and are designed to operate as stand-alone devices.
“For this reason, we have not seen instances of cybercriminals hacking these critical devices. However, each is connected to a monitor of some type that is online in some fashion so nurses and staff can remotely keep an eye on each patient,” said Terry Dunlap, chief strategy officer and co-founder of ReFirm Labs.
Murphy does not believe the large number of potentially unsecured ventilators coming online is a facility’s weak spot. For myriad reasons hospitals have historically had a tough time staying secure, so Murphy believes the quickest way to gain entry and do damage is through the thousands of other IoT devices found in a typical hospital that for one reason or another have been overlooked.
“If I were a bad guy I would go through the video surveillance cameras. There are many more of them representing a wider attack surface,” he said, adding even devices like connected vending machines would make an excellent entry point.
Jeff Horne, Ordr’s CSO, said his nightmare scenario is a ransomware attack as it potentially provides a massively disruptive force that a hospital cannot ignore. Many European hospitals are being hit with phishing attacks, essentially threat actors throwing out phishing emails in an attempt to gain access. Horne believes these are intended to target hospital admin staffs that are under work from home orders, may not be using a properly protected network and are out from under the watchful eyes of their company’s cybersecurity staff.
Source: SC Media