How providers can better protect IoT devices from ransomware
A slew of powerful cyberattacks this past year unveiled frightening vulnerabilities of some of the world’s most vital communications networks, and showed the potential risk that healthcare organizations will face from this point forward.
Chief among these was 2017’s WannaCry ransomware incident, which was the first cyberattack affecting medical device operability in the United States. The scope was even larger overseas, where government and business networks were downed entirely.
Scenarios like these are eye-opening for IT teams that are overwhelmed with preventing malware from entering their networks and stopping the theft of data. The threat landscape today is so massive, however, that these already lofty goals will eventually be altogether unattainable without a change in tactics and the adoption of new technologies.
It’s especially critical in the realm of healthcare, where the integration of new devices is arguably outpacing the adoption of cybersecurity best practices. The healthcare IoT device market is poised to top $400 billion globally by 2022, as these devices deliver the best hope for good health as the population ages and the prevalence of diseases associated with the elderly grows. But the connected devices that will collect data doctors need can just as easily be vulnerable to malware as laptops and tablets.
What did healthcare do wrong in 2017 that they can fix in 2018?
This past year’s ransomware attacks highlighted the industry’s strong need to deliver patching and remediation for medical device software in as close to real-time as possible. The best and easiest way to assure this is to make sure that all software is both up-to-date and supported by the software maker.
For instance, there was actually a security patch released by Microsoft for Windows 7 several months prior to the WannaCry 2.0 attack that would have delivered protections against such an attack. Many healthcare providers who were affected by the virus, however, were using medical devices that operated using outdated Windows versions that weren’t supported with regular updates. This is just one of the many details that, in hindsight, seemed like glaring omissions in leaving healthcare devices—and and, by extension, their networks—vulnerable to such an attack.
Add to that:
- Many medical devices rely on commercial software where it’s not clearly defined in vendor agreements who is responsible for post-market device cybersecurity—the manufacturer, vendor or the healthcare provider.
- Providers often depend too much on compensating control measures, such as layered network hardware and the use of virtual local area networks, to deliver security. As a result, many medical network environments become altogether too complex, making not just assuring cybersecurity but even implementing new devices extremely difficult without effective change management policies.
- Manufacturers aren’t always clued into when the operating systems their devices use are going to reach end of life, meaning even brand-new devices may feature unsupported software.
- Many healthcare providers simply don’t understand how extensive the threat landscape is and therefore are unaware of the need to seek out device security.
A lot of the pressure lies on healthcare IT to work more closely with their device vendors and manufacturers, along with other peers in the field, to stay on top of the latest threats and security best practices. An overall lack of awareness could leave providers noncompliant with basic industry standards, while non-secure devices could lose their validation from the Food and Drug Administration.
Making healthcare networks more manageable, however, is the best way to give IT a leg up in controlling not just how secure devices are, but how effective they are in helping patients lead a healthy life. Healthcare IT needs solutions that give them insight into the entirety of all network activity so that they can enforce even basic security policies, and across device types and platforms.
Important protective measures for IoT devices include:
- Restricting access in and out of the network—to the Internet—on devices and systems that handle sensitive information and operations.
- Only allowing required processes to run on these sensitive devices and systems, restricting nonessential applications or activities from being used.
- Monitoring unusual traffic, especially activity coming from non-standard or unfamiliar ports via exhaustive SSL decryption.
- Keeping an eye on all outgoing data and being ready to block unknown IP addresses automatically.
- Having a complete view of the provider’s network footprint and all the individuals using it, referencing active databases to ensure only approved devices and personnel are using network resources and only approved traffic crosses over to the Internet.
Rather than taking a compensating approach to device security that requires cumulative hardware, healthcare needs to seek solutions that simplify the network architecture to effectively monitor for anomalous traffic and potential threats. In doing so, IT will be better equipped to handle the inevitable deluge of new devices entering the realm of healthcare in the years to come.
The cyber threat landscape is only poised to grow more veracious over the course of 2018, and the healthcare industry needs to beef up their defenses in kind if digital transformation in this sector is going to deliver the healthy future for humanity that it promises.