A recent research paper from Trend Micro and HITRUST examined two neglected network risks in hospitals: exposed medical devices and supply chains. The report, Securing Connected Hospitals, published in April 2018, reviewed problems in both areas.
Healthcare systems were held hostage by WannaCry in May 2017. The ransomware attack painted a vivid picture of what a digital-borne threat can do to paralyze real-world processes, including actual hospital procedures such as life-saving surgeries. This IT security nightmare prompted discussions specific to the problem of securing connected hospitals. While patients get better and more efficient services when healthcare facilities adopt new technologies, add smart devices, and embrace new partnerships, the digital attack surface becomes broader as well.
They discovered exposed medical systems — including those that store medical-related images, healthcare software interfaces, and even misconfigured hospital networks — which should not be viewable publicly. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices and systems can potentially be used by cybercriminals and other threat actors to penetrate into organizations, steal data, run botnets, install ransomware, and so on.
Supply chain threats, likewise, are potential risks associated with suppliers of goods and services to healthcare organizations: A perpetrator can exfiltrate confidential/sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity. The healthcare industry is more dependent than ever on cloud-based systems, third-party service providers, and vendors in the supply chain. With that in mind, we examined the different entry points that can render a network susceptible to a supply chain attack, and the different kinds of attacks that can be deployed by cybercriminals.
After identifying exposure and supply chain risks, researchers performed a DREAD threat modeling exercise on healthcare networks in order to understand where, among various threats, the greatest risk lies.
Through this research, they sought to arm healthcare IT security teams with a broader perspective about the kinds of threats that they should defend their networks against. Most importantly, they have provided a set of actionable recommendations, technical and non-technical, to address exposure and supply chain risks. To gain more insight into threats to healthcare-related systems and security measures to address these threats, read the research paper, Securing Connected Hospitals. https://documents.trendmicro.com/assets/rpt/rpt-securing-connected-hospitals.pdf.