The 10 riskiest Internet of Things devices in health care

As the healthcare industry becomes more digitally enabled, this digitalisation simultaneously exposes organisations to harmful cybersecurity risks. The healthcare industry is a relatively attractive industry for cybercriminals to target due to its critical nature as well as the high value of information held by healthcare organisations. Therefore, centralised control of all connected devices is key to successful data breach prevention.

Forescout has released The Enterprise of Things Security Report, which uncovered the 10 riskiest Internet of Things (IoT) devices in health care in 2020. This study by Forescout Research Labs is the most comprehensive study of its kind within the greater cybersecurity industry to date. It assessed the risk posture of more than eight million devices deployed across five vertical industries including health care.

Forescout measured the risk of a device to an organisation by aggregating vulnerabilities, exploitability, remediation effort, matching confidence, open ports, potential communications, business criticality and whether the device is managed.

Accordingly, the top 10 riskiest IoT device attack vectors in healthcare are:

1. Pneumatic tube system.
2. Uninterruptible power supply (UPS).
3. UL7 gateway.
4. Picture archiving and communications system (PACS) archive.
5. Radiotherapy system.
6. Sterilisation.
7. Physical access control.
8. Radiology workstation.
9. Heating, ventilation and air conditioning (HVAC) systems.
10. Programmable logic controller (PLC).

The adoption of IoT systems within the healthcare sector is growing and, with this transformation, so is the cybersecurity risk. The riskiest healthcare device is pneumatic tube systems. This IoT device, although often considered an ancient solution, is still widespread in hospitals. Pneumatic tube systems carry thousands of sensitive lab samples and prescription medicine daily.

Connected medical devices hold significant risk due to the potential impact if they’re compromised, both in terms of business continuity and patient harm. The ranking of the actual device type is less important than the fact that the risk presented is significant. Medical devices are connected to IT networks and can generate and exchange patient data with other systems such as My Health Record. This is evidenced by the rankings of HL7 gateways and PACS archive, ranked third and fourth respectively in the list of riskiest healthcare devices. Both devices use the two most important interoperability standards in health care, HL7 and DICOM, to interconnect medical devices and medical information systems.

Radiotherapy systems were the fifth-riskiest healthcare devices due to their configuration, rather than any known vulnerabilities. These devices are configured with many critical ports such as Telnet open, as well as their connectivity to other risky medical devices.

Alongside this reliance on new technologies and increased connectivity, there is an increase in the number and sophistication of vulnerabilities in medical devices and cyber attacks on hospitals. In many organisations, a significant number of out-of-date devices are connected to the corporate network, creating vulnerabilities that cybercriminals can take advantage of. The critical nature of life-supporting and life-saving devices creates a perfect target for cybercriminals to exploit and, if not prevented, can have devastating consequences for patients and organisations. Bad actors are using specialised tools such as Shodan to find exposed operational technology (OT) and IoT devices, and to help launch attacks.

Healthcare organisations should aim to reduce their risk and increase their network’s overall resilience by:

Increasing visibility: Healthcare organisations need visibility and control of all devices connected to the network. They must be able to continuously discover, classify and assess devices without agents or active techniques that could compromise business operations. This facilitates real-time risk management.

Segmenting networks: Dynamic network segmentation across the extended enterprise reduces the attack surface and regulatory risk.

Managing endpoints: Healthcare organisations need a single interface to manage every network-connected device and unified asset.

Implementing policy-based controls: Healthcare organisations need countermeasures to mitigate threats, incidents and compliance gaps.

Healthcare organisations are attractive and relatively easy targets for cybercriminals, creating an urgent need for these organisations to protect themselves, staff members and patients. They must implement tools that provide full visibility and control of the network, let them centrally manage the latest updates and patches to neutralise vulnerabilities, and segment the network to mitigate risk. Every healthcare organisation must be aware of the risks presented by the Enterprise of Things and take all possible steps to close the gaps and mitigate those risks.

Image credit: ©stock.adobe.com/au/NicoElNino