HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Study Uncovers Serious Holes in Healthcare Cybersecurity

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured.

75 global healthcare deployments were analyzed for the study, which included more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs).

The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft.

The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is also commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also highly prevalent.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

There has been a rapid deployment of a diverse range of connected medical devices such as infusion pumps, patient monitors, tracking and identification tools, and imaging systems. The number and variety of devices that connect to healthcare networks has greatly increased the attack surface. Those devices have introduced considerable security risks which, in many cases, have not been effectively mitigated.

The sheer number of devices and different operating systems is causing major headaches for IT security teams. The study revealed 40% of deployments used more than 20 different operating systems, 41% of VLAN platforms used a variety of mobile, network, and embedded infrastructure, and 34% of healthcare deployments had more than 100 vendors connecting to the network. Many vendors are responsible for patching their systems and healthcare IT teams are unaware if those patches have been correctly applied.

While it is important to ensure that all devices are secured, first IT teams must identify all devices that connect to the network, which is a major challenge especially following mergers and acquisitions. There have been many cases of devices being used without the knowledge or oversight of the IT department.

The complexity of healthcare networks makes security difficult to manage and the variety of devices and operating systems makes patching a gargantuan task. It is often not possible to keep on top of patching and software updates. Acute care providers cannot easily take critical care systems offline without jeopardizing patient care, which means vulnerabilities often cannot be addressed. In some cases, medical devices cannot be patched to correct known vulnerabilities and legacy apps may not work on newer operating systems. It is not uncommon for vendor approval to be required before patches can be applied.

One of the solutions to improve security and decrease the attack surface is to segment networks and ensure vulnerable devices and systems are kept separate from other parts of the network and are not Internet-facing. Restrictions also need to be implemented to ensure that devices and systems can only be accessed by individuals who need access to complete their day to day work duties. However, this best practice is not particularly evident in the data analyzed for the study. Only a small number of VLANs were being used for medical devices, which suggests many healthcare providers are not using network segmentation to a large extent.

Forescout researchers do concede that applying network segmentation best practices across the organization and managing and enforcing segmentation can be a challenge, but it is necessary to improve security. Forescount also recommends enabling agentless discovery of all devices, identifying and auto-classifying devices, and ensuring all devices are continuously monitored.

“It’s critical for healthcare organization security and risk management leaders to look at securing all devices across the extended enterprise. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture,” wrote the researchers. “A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.