DoD and VA Health Networks Face Growing Threat From Medical-Device Vulnerabilities
When it comes to the financial impact of data breaches, the healthcare sector consistently tops the list of industries. Dollars and cents, however, represent only a fraction of the damage, especially when it comes to military healthcare networks and programs, which have an immediate and direct impact on national security.
The Military Health System (MHS) and the Department of Veterans Affairs (VA), which together provide service to upwards of 20 million veterans, members of the military and their families, are particularly attractive targets given attacks due to their massive scale, valuable data assets, and vital role in national security.
The risk is real and well documented. In July 2021, a U.S. Government Accountability Office report stated that the “lack of key cybersecurity management elements” at the VA is “concerning given that agencies’ systems are increasingly susceptible to the multitude of cyber-related threats that exist.”
Ransomware, in particular, has stolen the spotlight in recent years. It is only one of a growing number of insidious threat vectors. This summer, for example, Armis researchers identified a set of nine critical vulnerabilities in the leading solution for pneumatic tube systems (PTS) in North America – the Translogic PTS system that is used in over 80% of hospitals in North America. PTS devices play a crucial role in patient care and are utilized nearly 100 percent of the time.
The threat landscape in the medical sector – including the VA and DHA – is massive and expanding daily with exponential growth in connected medical devices – which can make up as much as three-quarters of the devices connected to a hospital’s network. They are also an attractive entry point into a healthcare organization’s network.
“We’re connecting devices we’ve never connected before,” said Lt. Col. Luigi Rao, MHS Genesis Liaison Officer at the U.S. Army, at a military health summit in July 2021. “With more and more episodes of ransomware – there’s growing understanding and appreciation of the need to protect not just the patient’s data, but also safeguard it from malicious attacks, whether ransomware or other nefarious purposes. Other state actors are highly interested in high ranking personnel and patients we’ve seen.”
Traditional healthcare networks lack security controls such as segmentation, resulting in virtually all devices being on a relatively flat network including vulnerable medical devices. Because vendors certify devices with very specific configuration and operational parameters, it’s very difficult for teams to secure these devices, whether by upgrading end-of-life operating systems, installing critical security patches, or installing agents such as asset management or endpoint security agents.
For example, let’s consider a patient monitoring system, a critical system that tracks and reports vitals and cannot experience performance issues. A typical patient monitoring system includes patient monitors, central workstations for keeping an eye on numerous patients from a single location, multiple tiers of servers, and network equipment provided by the vendor. A delay, disruption, or downtime of these devices can directly impact patient care if nurses have reduced or no visibility into monitoring of patient vitals or there is a lag in updating the vitals shown in the central workstations.
To account for this, vendors often place monitoring systems on their own dedicated networks behind vendor-provided gateways. This segments traffic into near real-time critical traffic from lesser critical traffic and completely segregates from the patient monitor traffic from the production traffic of the hospital in order to minimize any sort of disruption that may arise from things such as production network changes or latency issues. This segmentation, however, can completely isolate such devices from the hospital network and thus create an additional blind spot.
Traditional device vulnerability management programs use a scanner that actively and aggressively probes the network for assets and executes dated scanning methodology. While traditional scanners perform well against standard non-clinical endpoints, such as laptops and servers, these types of devices only account for a subset of the devices on a healthcare organization network.
As security teams try to expand the scope of existing vulnerability scanners to include medical devices, they face several challenges, including personnel resources. The resource implications go beyond the IT security and biomed teams to include clinical staff and can interrupt the clinical workflow and impeded patient care delivery. For medical devices that have a regular cadence for being scanned, information security personnel, biomed, and clinical staff must coordinate each time a scan is conducted to ensure the devices are online, not in clinical use for the duration of the scan, functional tested – a process that is not sustainable for a successful vulnerability management program.
New Threats Call for New Approach to Device Vulnerability Management
Healthcare organizations, including military healthcare programs and facilities, require a new approach to ensure the ability to assess risk continuously and unobtrusively and in a way that also encompasses contextual behavior of the devices, as well. In order to transition from the legacy approach to a continuous monitoring style methodology of vulnerability management, organizations need to leverage capabilities that exist in legacy platforms and add innovations with new approaches that enable:
Network behavior visibility
Healthcare organizations require visibility into everything in the enterprise airspace, including devices that communicate via Wi-Fi and many other peer-to-peer protocols that are invisible to traditional security tools. This capability enables visibility into potential network intrusion and data exfiltration points in the environment.
Real-time passive event-based vs. scheduled scanning
Healthcare organizations require real-time monitoring that does not impact device performance. An agentless passive architecture can create a foundation to automatically discover and support visibility into the behavior of every connected device in an environment – managed and unmanaged, medical and IT, wired and wireless, on or off the network, including IaaS environments and vendor managed network segments.
Baselined device behavioral telemetry
To effectively manage vulnerabilities, healthcare organization need to monitor a wide range of device characteristics. These metrics include manufacturer name, model, OS version, serial number, location, connections, FDA classification, and more. When organizations correlate valuable baseline data with real-time event-based scanning data, they can identify anomalous device behaviors that deviate from the normal profile of the device, such as MRI machines connecting to social media sites.
Utilizing these approaches allows for the creation of an architecture that takes into account not only the technology footprint but also the workflow impacts in an operational setting. It also provides security and operations teams with appropriate, contextualized data that is already prioritized. The end result is significant improvements in security and team efficiency for incident response and recovery operations.