
Fixing IoT — How to stop poking giant holes in our defenses

By John Nye / Special to Healthcare Facilities Today
July 26, 2018

Anyone who has watched the news in the last couple of years has likely heard about the Internet of Things (IoT). IoT is a catch-all term for any connected computing device that doesn’t fit into the traditional definition of a desktop, laptop, or server. These devices are typically made inexpensively and are designed to run as easily as possible with minimal setup. IoT devices are quickly growing in numbers to eclipse more traditional endpoint devices, with over 20 billion IoT devices connected in 2017, and that number is growing fast this year.

In mid-July, the National Intelligence Director, Dan Coats, as well as the Department of Homeland Security (DHS) and the United Kingdom’s equivalent agency, all released alarming warnings of targeted foreign attacks. Rob Joyce, a special assistant to the President and the cybersecurity coordinator for the National Security Council, said Russians in particular were seeking to exploit the increasing popularity of internet-connected devices around homes and businesses — the so-called internet of things — “the kind of thing you and I have in our homes.”

As IoT becomes more widespread across industries and around the globe, more people rely on these devices in their professional and personal lives without understanding the associated risks. This problem is not limited to any particular industry or group, as devices in the IoT category range from consumer electronics to industrial control systems for nuclear power plants. The healthcare industry is perfectly positioned to be maximally affected by the plethora of issues these small computing devices open their host networks to.

There are three major types of devices in the realm of IoT which will be covered in depth below. The first, and probably most common, is consumer and enterprise endpoint devices. This covers the majority of devices that can be purchased by anyone, and includes printers, smart speakers, VoIP phones, cameras, security systems, and digital assistants. The other two major sectors of the IoT market are Industrial Control Systems (ICS) – which automate things like power plants – and biomedical devices – which refers to connected medical equipment.

Consumer & Enterprise IoT

These devices include a litany of items, from printers to coffee pots, that use network connectivity as a means of automating various tasks, such as collating copies or brewing a pot of coffee. Unfortunately, consumer and enterprise IoT devices are all too often connected to the network with little consideration for the security implications. In 2017, Symantec saw a small 13 percent increase in reported vulnerabilities along with a staggering 600 percent increase in attacks focused on IoT devices. Manufacturers have been scrambling to make as many connected devices as possible, and to find ways to make previously “dumb” devices (dumb describes non-connected devices) connect. This has led to a market saturated with inexpensive, often poorly made and poorly secured devices that then end up on employees’ home networks and even get plugged in at work. There have also been multiple occurrences of healthcare organizations intentionally putting digital assistants (like Alexa or Google’s assistant) in patient rooms.

These devices are designed to be “fool proof” and will work on almost any network by simply plugging them in and powering them on. Unfortunately, easy does not come anywhere near secure. These devices usually come with many needless services, ports, and protocols enabled by default that are both unnecessary and generally quite dangerous to leave running. All of this is on top of well-known default admin usernames and passwords, making these devices prime targets for malicious attacks.

The good news is that despite the fact that these devices vary in functionality, complexity, cost, and security as much as they do, the methods for securing them are relatively straightforward and will easily apply to any type of connected device. The first step is to change the default passwords for any accounts that came with the device. Beyond this, check which ports and protocols are enabled and which are actually needed. For example, most printers come with the AppleTalk protocol enabled; however, not even Apple-made devices need this protocol to work with a printer. There should be discussion forums online or official documentation available for almost any consumer device that will help to secure it. These steps can help keep home and enterprise networks safer as these prolific devices keep showing up on them.

Industrial Control Systems

Industrial Control Systems (ICS) are a major security issue for the U.S. and for any organization that needs industrial-grade control systems. This includes the obvious entities like utilities and power plants, but also the healthcare industry. Many healthcare organizations have large hospitals or even large campuses of buildings that require industrial-grade controls for water, electricity, HVAC, and other site-wide infrastructure. All of these large-scale systems use Programmable Logic Controllers (PLCs) that have network-connected switches, valves, sensors, and other simple controllers to help automate these large control systems.

The risks behind ICS affect many industries; for example, the large Target breach that affected millions began with its HVAC vendor’s access to internal systems. That attack happened partly because of the ICS system’s weak security, and it was so successful because there was no segmentation between the PLCs running the HVAC systems and Target’s internal systems that contained sensitive data. In healthcare, ICS is widely used to maintain and monitor rooms that need to be positively or negatively pressurized, as well as for refrigerating medicine, vaccines, and lab samples. The failure or compromise of those systems could have serious patient safety repercussions.

One of the biggest problems ICS faces is that these systems are generally designed to be in service for decades, rather than the typical four-year lifecycle that more traditional endpoint devices like desktops and servers have. However, these are still connected devices, which means there are hundreds of thousands of PLCs running critical infrastructure for hospitals and entire municipalities that were designed and installed in the mid-1990s. One need not be an expert in computer security to know that something considered secure in the 90s is not considered secure by today’s standards.

These devices are critical to keeping a facility running, as they are responsible for keeping the lights on, climate control, access control, and even emergency systems. Therefore, steps should be taken to protect these extremely fragile devices. Fortunately, the measures needed to secure ICS devices are pretty straightforward and relatively universal. The most important step is to ensure that the network containing the ICS is completely segmented from both internal sensitive networks and the internet. This effectively makes it a closed system that can only be manipulated with physical access to the ICS console or control system.

Medical Devices

While both consumer and industrial connected devices are growing fast in number, no industry has been in a more headlong rush to connect every device possible than the healthcare industry. Ever since the government decided to force all medical records to be digital, while complying with HIPAA regulations, back in the early part of this century, the industry has been working to connect all of its devices together. Unfortunately, this “gold rush” has not been very well regulated, just like the other IoT sectors, and has left healthcare facilities and enterprises with networks full of incredibly vulnerable, but critically important, devices.

One of the most shining examples of this issue resides in what healthcare insiders refer to as the “imaging suite.” This is the room, wing, or floor of a medical facility that specifically houses all of the medical imaging equipment. For example, the imaging suite is where a patient gets an MRI or X-ray. These devices are astronomically expensive, often tens of millions of dollars, and are rarely owned or managed by the facility hosting them. But they are still connected to the facility’s intranet with access to all the sensitive systems, including Electronic Patient Health Information (ePHI). This has led to a perfect storm because the machine owners will not allow the local security or IT teams to patch or otherwise secure these devices. As a result, these devices are almost always running incredibly arcane software, have unpatched critical vulnerabilities, and are exceedingly difficult to remediate (that is, if these issues are even known).

Similar to ICS and consumer devices, a wide range of devices falls into this category. It can include anything from an infusion pump or an air sensor to an fMRI machine, and the complexity varies just as much. Fortunately, these share another common trait with the other classes of devices: the methods for securing them are much simpler, and mirror what works for other IoT devices. The best and most critical step is ensuring that all medical devices are on their own segmented network that cannot access, or be accessed by, the internet or any internal sensitive systems. Beyond this, it is important to work closely with manufacturers to ensure updates and secure configurations are applied to the devices.

Conclusion

Accelerated and directed efforts need to be made to shore up security on all IoT devices, especially those that control critical systems that could lead to a catastrophic event if hacked, like power plants, water facilities, and hospital functions. While these IoT devices vary in almost every possible aspect, the basic methods for securing them are the same. Ensure defaults have been changed, unnecessary protocols and services are disabled, and the devices’ access is limited to the minimum needed to function. In most healthcare organizations, the vast majority of IoT devices are managed by the Clinical Engineering or Biomedical Engineering departments, and even though these are not security-focused functions, security must be addressed regardless.
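The three rules above (change defaults, disable needless services, segment ICS and medical devices away from the internet and sensitive systems) can be turned into a repeatable inventory audit. The script below is an added example, not part of the original article or any vendor tool; the device inventory, zone names, and the list of needless services (AppleTalk from the article, Telnet as an assumed addition) are constructed for illustration.

```python
"""Audit a device inventory against the article's three IoT hardening rules."""
from dataclasses import dataclass, field

# Services treated as needless on consumer/enterprise devices. AppleTalk
# comes from the article; telnet is an assumed addition for this example.
NEEDLESS_SERVICES = {"appletalk", "telnet"}
# Device classes that must sit on their own segment, unreachable from the
# internet and from zones holding sensitive data such as ePHI.
ISOLATED_CLASSES = {"ics", "medical"}
SENSITIVE_ZONES = {"internet", "ephi"}


@dataclass
class Device:
    name: str
    device_class: str            # "consumer", "ics", or "medical"
    default_creds_changed: bool  # rule 1: vendor defaults replaced?
    services: set = field(default_factory=set)          # enabled services
    zone: str = "iot"                                   # its own segment
    reachable_zones: set = field(default_factory=set)   # zones it can reach


def audit(dev: Device) -> list:
    """Return a list of findings; an empty list means the device passes."""
    findings = []
    if not dev.default_creds_changed:
        findings.append("default credentials still in use")
    for svc in sorted(dev.services & NEEDLESS_SERVICES):
        findings.append(f"needless service enabled: {svc}")
    if dev.device_class in ISOLATED_CLASSES:
        # A segmented ICS/medical device must neither live in nor reach
        # the internet or an ePHI-bearing zone.
        exposed = sorted((dev.reachable_zones | {dev.zone}) & SENSITIVE_ZONES)
        if exposed:
            findings.append("segment reaches sensitive zone(s): " + ", ".join(exposed))
    return findings


def audit_inventory(devices) -> dict:
    return {d.name: audit(d) for d in devices}


# Constructed sample inventory (hypothetical devices, not real assets).
SAMPLE = [
    Device("lobby-printer", "consumer", False, {"ipp", "appletalk"}, "office", {"internet"}),
    Device("hvac-plc-01", "ics", True, {"modbus"}, "ics", {"corp-lan", "ephi"}),
    Device("infusion-pump-7", "medical", True, {"https"}, "meddev", set()),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE).items():
        print(name, "->", issues or ["ok"])
```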

John Nye is Senior Director of Cybersecurity Research & Communication for CynergisTek.
