Connected medical devices are twice as likely to be vulnerable to the BlueKeep exploit than other devices on hospital networks, putting patients and staff at additional risk from cyber-attacks. According to figures in a new report from researchers at healthcare cybersecurity company CyberMDX, 22% of all Windows devices in a typical hospital are exposed to BlueKeep because they haven’t received the relevant patches. And when it comes to connected medical devices running on Windows, the figure rises to 45% – meaning almost half are vulnerable.
The first step for hospitals is to instrument their networks and identify connected medical devices. Without knowing what they have, defenders will not be able to protect their patients.
HIPAA and HI Trust and the prevalence of regulations aiming at curtailing the impact of such vulnerabilities, following the principles of early detection (monitoring and staying on top of latest security attacks). Hospitals have been hit harder due to the value of the Patient Healthcare Information contained in records. Due to the administrations enforcement of the regulatory agencies, it has caused hospitals to pay a very expensive catch up game. Electronic Medical Record (EMR) software required to be purchased, it has been cobbled together with antiquated systems and software. Every hospital in the last 14 years that I’ve worked with around the country all have legacy software or hardware. That leaves hospitals susceptible to vulnerabilities to bad actors which gain access into the patient records. It is widely known that Hospitals spend less than corporate America for the IT and or Cyber security. The mandates have complicated it and made it even more costly for healthcare industry.
Simple things such as prevention by patching regularly, using third parties to pen testing to detect your weaknesses before your enemy does (Second set of eyes). Keeping your policies and procedures for governance current and enforce them with in the organization.
It is safe to say that neither the government agencies, Healthcare, Financial and Corporate America at large is not prepared for the types of risks today, let alone aware of the constant evolving threat landscape. Simply, if you can see it, it doesn’t exist. Hospitals are more targeted due to the “dark web” paying the highest prices for this information. Healthcare is still woefully lacking in the area of risk management, establishing best practices as it relates to security and compliance with the regulations. Until the healthcare industry as a whole takes these risks seriously the terrain will remain fertile grounds for attacks. Evident by the article the weakness was identified a year ago, a patch was made available by Microsoft May 2019, yet the attack still happened.
Medical devices represent an especially hard challenge since these devices are now being connected to the network at all times, installed possibly in remote offices and clinics that lack resources to manage security and risk. FDA is the regulating body, but sufficiently does take into consideration the RF, Bluetooth and or wifi that communicate with these devices. It leaves them open to attack or penetration. Every device needs to be hardened with diligence and put protocols in place while being build or distributed. Even while put in use its essential for an ongoing basis, making these devices a difficult challenge to address, an easy target and serious risk vector.
Most seasoned C level executives are not technical and do no understand the risk. This needs to be communicated by layman terms and training needs to take place to create awareness. This will enhance and educate the C levels who will take risk management seriously. They will begine to understand that the organization needs to maintain an update list of all assets that have an IP address/can connect to the internet, have a plan for addressing risk holistically to include remotes sites, small clinics. They will start to educate all your staff on the risks and how to be vigilant.