Healthcare organisations are learning from previous mistakes when it comes to cyber security – but some connected medical devices are still plagued by “glaring vulnerabilities”, according to a report.
Research conducted by US software company Forescout Technologies – which analysed information from 3.3 million devices – found the industry is less susceptible to cyber-attacks than it was a year ago.
This is largely thanks to many healthcare providers upgrading their outdated systems to meet modern cyber security needs, with just 32% of devices in Forescout’s sample using soon-to-be unsupported operating systems, such as Windows 7, compared to 71% in 2019.
Despite this, some 0.4% of medical devices are being run on entirely unsupported operating systems like Windows XP and Windows Server 2003.
This figure also stood at 0.4% last year, indicating that some of the same issues surrounding medical device cyber security remain prevalent in 2020, and Forescout anticipates the problem of these ‘legacy’ operating systems will therefore continue in the future.
Rich Orange, regional director, UK&I at Forescout, says: “The WannaCry attack crippled the NHS back in 2017 and outdated systems played a huge role in that, so it’s great to see that healthcare organisations are making the necessary improvements to their IT in order to keep their networks safe.
“That said, many are still struggling to protect and secure every connected thing on the network.
“It only takes one connected device to fall victim to a bad actor and ultimately take down an entire system, and that scenario doesn’t bear thinking about with the current pressure on healthcare services.
“To avoid an attack that could have the same impact as that of WannaCry, organisations need to have full situational awareness of their network.
“This, coupled with effective segmentation to stop attackers moving laterally through the network, will help prevent something as important as medical data being exploited or critical public services being taken offline.”
Forescout’s connected medical devices security report
California-based software firm Forescout was founded in 2000, and specialises in visibility and control surrounding connected IT devices, and devices in the Internet of Things (IoT).
Its recent Connected Medical Device Security report analysed detailed information from the 3.3 million devices – across hundreds of healthcare networks – contained within its Forescout Device Cloud.
The company says the average facility it observed in its 2020 study was an inpatient hospital, typically featuring about 20,000 individual devices – many of which exchange highly sensitive patient data and records on a daily basis, and are often central to healthcare delivery.
The types of devices observed in Forescout’s study included patient monitoring systems, medical imaging equipment, surgical applications, infusion pumps and telemedicine technologies.
In April 2019, the software company released a similar report – and its overarching findings included “major risks” associated with the use of outdated operating systems, and insufficient network segmentation.
Improvements over the past year
As Forescout points out, one of the key positive findings from its 2020 report is the fact that many healthcare providers have updated operating systems that were set to become unsupported in the near future.
The percentage of devices running Windows operating systems that fell out of support earlier this year – Microsoft ended support for Windows 7, Windows 2008 and Windows Mobile on 14 January – has decreased from 71% to 32%.
Forescout says this reduction is “good news”, adding that it indicates Microsoft ending support for these outdated systems had a “positive effect” with many healthcare providers finally deciding to upgrade their platforms.
Also, the proportion of devices running Windows operating systems that will still be supported in more than one year’s time increased from 29% in 2019 to 68%, indicating that a greater number of healthcare networks are “taking steps in the right direction” when it comes to meeting current cyber security needs.
Persistent issues with unsupported systems
Forescout’s report also found, however, that the percentage of devices running entirely unsupported operating systems – including the now-obsolete Windows XP and Windows Server 2003 – has not changed, remaining constant at 0.4% compared to 2019.
This may not sound like a huge amount but, according to Forescout, still poses a significant risk due to these devices often being “the most critical” within a given healthcare organisation.
Many of the devices running these legacy systems were made and installed before manufacturers had a full understanding of the challenges surrounding cyber security and privacy.
As well as stating that it therefore expects issues with these obsolete operating systems to continue in the future, Forescout reiterated a point made in its 2019 report – which is that many networks continue to use these systems because updates are costly, and the downtime associated with upgrading them is “not acceptable” for medical devices deployed in critical care.
Because this problem “isn’t going away any time soon”, the company’s suggested solution for protecting medical devices in hospitals is network segmentation.
Network segmentation
Network segmentation involves dividing a network into multiple sections so that each can act as its own, smaller subnetwork – giving its administrators greater control over the flow of traffic between them.
Forescout’s 2020 report found that instances of this technique are on the rise when it comes to medical devices, with deployments of a single VLAN (virtual local area network) dropping “sharply” from 22% in 2019 to 9% this year, and deployments of more than 25 VLANs increasing too.
However, it also found that many of the healthcare networks doing this are not implementing network segmentation correctly, as computers, printers and even personal devices like smartphones are often present in the same VLAN as critical healthcare equipment, such as patient monitors and X-ray machines.
If these vulnerable, non-healthcare devices are subject to a cyber-attack, it could allow hackers to “move laterally” through the segmented network and take advantage of sensitive medical devices.
Alongside these examples of poorly-segmented networks featuring a mix of personal devices and sensitive healthcare applications, Forescout also observed several instances of default passwords being used – which is a “top IoT cyber security risk”.
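As an added illustration of the two checks the report's findings call for, and not code from the article or from Forescout: a short audit over a constructed device inventory that buckets operating systems by support status (the unsupported and end-of-support systems named above) and flags any VLAN where critical clinical devices share a segment with workstations, printers or phones. The OS groupings, the device classes, the inventory and all device names are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Operating-system groupings (hypothetical lists built from the systems named
# in the coverage above, not Forescout's own classifier).
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}
SUPPORT_ENDED_JAN_2020_OS = {"Windows 7", "Windows 2008", "Windows Mobile"}

# Device classes (assumed): clinical devices that should sit on their own
# segments, and general-purpose endpoints that should not share a VLAN with them.
CRITICAL_TYPES = {"patient monitor", "infusion pump", "x-ray machine", "imaging workstation"}
GENERAL_TYPES = {"workstation", "printer", "smartphone"}


@dataclass(frozen=True)
class Device:
    name: str
    device_type: str
    os: str
    vlan: int


# Constructed sample inventory in the shape of a network-scanner export.
INVENTORY = [
    Device("mon-01", "patient monitor", "Windows XP", 10),
    Device("mon-02", "patient monitor", "Windows 10", 10),
    Device("pump-01", "infusion pump", "Embedded Linux", 10),
    Device("xray-01", "x-ray machine", "Windows Server 2003", 20),
    Device("pc-nurse-01", "workstation", "Windows 7", 10),
    Device("prn-ward-01", "printer", "Printer firmware", 10),
    Device("phone-staff-01", "smartphone", "Android", 20),
    Device("pc-admin-01", "workstation", "Windows 10", 30),
    Device("prn-admin-01", "printer", "Printer firmware", 30),
    Device("pacs-01", "imaging workstation", "Windows 2008", 40),
]


def classify_os(os_name: str) -> str:
    """Bucket an OS as 'unsupported', 'support_ended_2020' or 'other'."""
    if os_name in UNSUPPORTED_OS:
        return "unsupported"
    if os_name in SUPPORT_ENDED_JAN_2020_OS:
        return "support_ended_2020"
    return "other"


def os_support_summary(devices):
    """Return {bucket: (count, percentage of inventory)}."""
    counts = defaultdict(int)
    for d in devices:
        counts[classify_os(d.os)] += 1
    total = len(devices)
    return {bucket: (n, round(100 * n / total, 1)) for bucket, n in counts.items()}


def mixed_vlans(devices):
    """VLANs where critical clinical devices share a segment with
    general-purpose endpoints: the mis-segmentation described in the report."""
    by_vlan = defaultdict(lambda: {"critical": [], "general": []})
    for d in devices:
        if d.device_type in CRITICAL_TYPES:
            by_vlan[d.vlan]["critical"].append(d.name)
        elif d.device_type in GENERAL_TYPES:
            by_vlan[d.vlan]["general"].append(d.name)
    return {vlan: groups for vlan, groups in by_vlan.items()
            if groups["critical"] and groups["general"]}


def legacy_critical_devices(devices):
    """Critical devices on an OS with no vendor support, the combination
    that correct segmentation is meant to compensate for."""
    return sorted(d.name for d in devices
                  if d.device_type in CRITICAL_TYPES and classify_os(d.os) == "unsupported")


def report(devices) -> str:
    """Plain-text findings, one line per issue."""
    lines = []
    for bucket, (n, pct) in sorted(os_support_summary(devices).items()):
        lines.append(f"OS {bucket}: {n} devices ({pct}%)")
    for vlan, groups in sorted(mixed_vlans(devices).items()):
        lines.append(f"VLAN {vlan} mixes {groups['critical']} with {groups['general']}")
    for name in legacy_critical_devices(devices):
        lines.append(f"critical device on unsupported OS: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

On the sample data the audit flags VLANs 10 and 20, where monitors, a pump and an X-ray machine sit beside a nurse workstation, a printer and a staff phone, while VLANs 30 and 40 pass because each holds only one class of device. Pointing the same functions at a real inventory export is a matter of replacing INVENTORY and refining the two device-class sets.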
Forescout concluded its 2020 report by stating that, along with “complete visibility” regarding all connected medical devices, implementing network segmentation correctly is one of the most fundamental ways healthcare networks can reduce the likelihood, and impact, of cyber security breaches.