While there are stark security concerns with connected medical devices, that’s not stopping their adoption. The benefits of connected devices are just too great. Connected medical devices help hospitals run more effectively, patients to track their care, and healthcare providers can keep continuous tabs on their patients.
As we covered in As we wrote in Healthcare Security: How To Deploy IoT Securely, the healthcare internet of things IoT market is expected to reach $543 billion by 2025 — at an annual growth rate of roughly 20%. Research firm Gartner pegs healthcare IoT growth in 2020 at 29%.
Still, as we’ve covered over the years in our posts Connected medical devices at risk, a top target for future malware attacks hit dozens of NHS hospitals and medical devices in the U.K. and a number of facilities in the U.S. Later that year, the U.S. and FDA Faced Medical Device Security Woes and began pressuring medical device manufacturers to build security into their product design.
When it comes to securing these devices, healthcare providers know what steps they must take, but unfortunately, they are reluctant to take them. According to a new report from security vendor Forescout, healthcare providers don't do what they need to do. Forescout analyzed multiple large healthcare delivery organizations' traffic to see the maturity of their networks and analyzed more than 3 million devices.
According to the report, 90% of segments with a medical device have a non-medical I.T. device, and 60% have non-medical IoT devices on their networks. The report also found clear-text exposure of patient info, default passwords being used.
The good news was researchers identified a decline in the percentage of endpoints that were running unsupported operating systems, from 71% in 2019 down to 32% this year. While that was the good news, there was plenty of bad news.
Perhaps the most important and unfortunate news was the lack of segmentation. The researchers found that all segments that contained a connected healthcare device, 60% contained devices not directly related to delivering care. We also observed that 90% of healthcare segments have a mix of healthcare devices and I.T. devices. These devices might contain vulnerable software or targeted malware, which can make other devices on the same segment susceptible to infection as well,” according to their statement.
Not surprisingly, the bane of effective security, poor credential management also reared itself in the research. The researchers found patient monitors and CT scanners secured with default credentials on the same segments as other IT and IoT equipment.
Unencrypted communications and poor protocol configurations also weighed heavy on the report. In most healthcare providers evaluated, researchers identified communications between public and private IP addresses, using the medical protocol (HL7) to send sensitive medical data, including patient PII, in the open. The researchers found other poorly configured protocols, including older versions of Transport Layer Security protocols. “More worryingly, we found instances of Telnet in over half of the HDOs. The clear-text, unencrypted Telnet protocol was designed in 1969 and has long-since been replaced by SSH,” the said.
Here are the recommendations from the report:
The healthcare industry is making tremendous changes, including significant investments into connected medical devices and IoT because of the improved efficiency and care delivery that can be achieved through advances in small microchips, wireless connectivity such as 5g, and data benefits analytics make the investments worthwhile. But not at the expense of security. And security vulnerabilities are a wound the industry better start suturing [chk] up soon.
tags
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.
View all postsDon’t miss out on exclusive content and exciting announcements!