Connected Medical Device Security: A Deep Dive into Healthcare Networks

October 29, 2020

Healthcare delivery organizations (HDOs), such as hospitals and clinics, are complex organizations where a broad range of Information Technology (IT), Internet of Medical Things (IoMT), Operational Technology (OT) and Internet of Things (IoT) devices are increasingly interconnected.

The growing number and diversity of devices in HDOs have introduced new cybersecurity risks. The ability to compromise devices and networks and the possibility of monetizing patient data have led to an increase in the number and sophistication of cyberattacks targeting healthcare delivery organizations in recent years. As a result, 82% of U.S. hospitals report having had a significant security incident in 2018 or 2019.

Changes in HDO networks in 12 months

In April 2019, Forescout Research Labs analyzed the security of healthcare delivery organizations using the Forescout Device Cloud and found major risks associated with the use of legacy systems and insufficient segmentation.

One year later, we applied a similar analysis to the most recent data in our Device Cloud. The resulting findings, presented in this report, show some overall improvements in patching and network segmentation. However, we still saw many examples of poorly segmented networks with a mix of personal and sensitive healthcare devices, including devices with default passwords, which is a top IoT cyber risk.

Given these results, we decided to closely analyze network traffic patterns in several large HDOs. The goal was to better understand how a lack of segmentation, coupled with observed issues such as the use of insecure protocols and inappropriate external communications, leads to increased cyber risk, an enlarged attack surface and difficult-to-secure networks.

The key findings of this report are the following:

  1. Most healthcare networks have upgraded to Windows 10 over the past year and embraced some segmentation, with the number of VLANs increasing compared to 2019.
  2. There are still many examples of network segmentation issues, including a mix of personal and medical devices in healthcare segments.
  3. The analyzed healthcare delivery networks heavily used insecure protocols for both medical and non-medical network communications. We also found examples of sensitive external communication.
  4. Based on the previous findings, we demonstrate some easy-to-accomplish attacks targeting point-of-care testing devices and patient monitors, some of the most commonly used IoMT devices in an HDO. Although similar issues have been demonstrated for a few well-known protocols, we extend this to lesser-known protocols that interconnect a multitude of devices.

We conclude by discussing effective strategies to reduce cybersecurity risk and defend healthcare networks from cyberattacks.

About the Provider

Forescout
Forescout Technologies is the leader in device visibility and control. Our unified security platform enables enterprises and government agencies to gain complete situational awareness of their extended enterprise environment and orchestrate actions to reduce cyber and operational risk.

TOPICS

Connected Device Security, Cyberattacks, Healthcare Networks, Internet of Medical Things