Forescout has published its Connected Medical Device Security report, an analysis of the 3.3 million devices in the Forescout Device Cloud. Forescout says it shows that healthcare organisations are successfully upgrading outdated operating systems: the proportion of devices running versions of Windows that are about to lose support has fallen to 32%, down from 71% last year.
However, there is still a lot to be done to remove the other vulnerabilities in their systems. The report says these have: “The potential to cause catastrophic damage and additional strain on critical services.”
Rich Orange, Regional Director, UK&I at Forescout said: “WannaCry crippled the NHS back in 2017 and outdated systems played a huge role in that, so it’s great to see that healthcare organisations are making the necessary improvements to their IT in order to keep their networks safe.
“That said, many are still struggling to protect and secure every connected thing on the network. It only takes one connected device to fall victim to a bad actor and ultimately take down an entire system, and that scenario doesn’t bear thinking about with the current pressure on healthcare services.”
What did Forescout find?
After analysing 3.3 million devices, Forescout found:
- Most healthcare networks have upgraded to Windows 10.
- 0.4% of devices (13,200) were still running Windows XP and Windows Server 2003.
- The use of VLANs to create segmentation has improved over 2019.
- Many network segments contain a mix of healthcare and general-purpose devices: for example, computers and printers on the same VLAN as patient monitors and X-ray machines.
- Healthcare equipment with default passwords was on the same network as IT and IoT equipment, creating a security risk.
- The HL7 protocol, which has no built-in encryption and sends data in clear text, is being used to send data to both private and public IP addresses. This creates a serious risk of a data breach.
- Electronic health record (EHR) applications were exposed to the public internet.
- There are dozens of proprietary protocols sending data around the networks. Many offer no encryption, and those that support it do not enforce it.
- The lack of encryption across healthcare networks makes it easy to sniff traffic, change data and inject malware.
- The typical healthcare delivery organisation contains an average of 20,000 devices.
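The HL7 point above is the one most worth seeing concretely. HL7 v2 over TCP is usually carried with MLLP framing and, as the report notes, is clear text, so anyone who can capture the flow can read the patient record fields directly. The following is an added example, not code from the Forescout report: a small passive analyser that pulls MLLP-framed HL7 messages out of a captured TCP payload, reads the message type (MSH-9), sending application (MSH-3) and patient identity fields (PID-3, PID-5, PID-7), and flags whether the destination lies outside the usual internal address ranges. The payload, addresses, application names and patient details are all constructed for the example; nothing in it comes from the report.

```python
"""Spot clear-text HL7 v2 traffic and show what a passive sniffer gets from it.

Added example, not code from the Forescout report. The captured TCP payload and
the addresses below are constructed for illustration; the patient is fictitious.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# HL7 v2 over TCP is normally wrapped in MLLP framing: <VT> message <FS><CR>.
MLLP_START = b"\x0b"
MLLP_END = b"\x1c\x0d"

# Address ranges treated as internal. The check is explicit because Python's
# ipaddress.is_global also treats documentation ranges such as 203.0.113.0/24
# (used for the constructed sample below) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Hl7Finding:
    src: str
    dst: str
    dst_is_public: bool
    message_type: str      # MSH-9, e.g. ORU^R01 (lab result) or ADT^A01 (admission)
    sending_app: str       # MSH-3
    patient_id: str        # PID-3, first identifier only
    patient_name: str      # PID-5
    date_of_birth: str     # PID-7


def is_public(address: str) -> bool:
    """True if the address is outside the internal ranges listed above."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in INTERNAL_NETS)


def extract_mllp_messages(payload: bytes) -> list[bytes]:
    """Return each MLLP-framed HL7 message in a TCP payload, framing stripped."""
    messages = []
    pos = 0
    while (start := payload.find(MLLP_START, pos)) >= 0:
        end = payload.find(MLLP_END, start)
        if end < 0:
            break  # truncated frame; real captures need TCP reassembly first
        messages.append(payload[start + 1:end])
        pos = end + len(MLLP_END)
    return messages


def parse_segments(message: bytes) -> dict[str, list[str]]:
    """Split an HL7 v2 message into segments (keyed by id) and their |-separated fields."""
    segments: dict[str, list[str]] = {}
    for raw in message.decode("ascii", errors="replace").split("\r"):
        if raw:
            fields = raw.split("|")
            segments.setdefault(fields[0], fields)  # keep the first PID, OBR, ...
    return segments


def hl7_field(segment: list[str], number: int) -> str:
    """Return HL7 field `number` of a split segment, or '' if absent.

    MSH-1 is the field separator itself, so after splitting on '|' the MSH
    list is shifted by one relative to every other segment type.
    """
    idx = number - 1 if segment[0] == "MSH" else number
    return segment[idx] if idx < len(segment) else ""


def analyse_flow(src: str, dst: str, payload: bytes) -> list[Hl7Finding]:
    """Report every clear-text HL7 message in a flow and the PHI it exposes."""
    findings = []
    for message in extract_mllp_messages(payload):
        segs = parse_segments(message)
        if "MSH" not in segs:
            continue  # MLLP framing but no HL7 header: not a message we can read
        msh = segs["MSH"]
        pid = segs.get("PID", ["PID"])
        findings.append(Hl7Finding(
            src=src, dst=dst, dst_is_public=is_public(dst),
            message_type=hl7_field(msh, 9),
            sending_app=hl7_field(msh, 3),
            patient_id=hl7_field(pid, 3).split("^")[0],
            patient_name=hl7_field(pid, 5).replace("^", " ").strip(),
            date_of_birth=hl7_field(pid, 7),
        ))
    return findings


# Constructed sample: one lab-result message from a ward analyser, sent to an
# address outside the internal ranges. Every identifier here is fictitious.
SAMPLE_SRC = "10.20.30.40"
SAMPLE_DST = "203.0.113.10"
SAMPLE_PAYLOAD = (
    b"\x0b"
    b"MSH|^~\\&|LAB|WARD3|EHR|CENTRAL|202003011200||ORU^R01|MSG0001|P|2.3\r"
    b"PID|1||123456^^^HOSP^MR||DOE^JANE||19800101|F\r"
    b"OBR|1||LAB42|CBC^Complete Blood Count\r"
    b"\x1c\x0d"
)

if __name__ == "__main__":
    for f in analyse_flow(SAMPLE_SRC, SAMPLE_DST, SAMPLE_PAYLOAD):
        where = "PUBLIC" if f.dst_is_public else "internal"
        print(f"{f.src} -> {f.dst} ({where}) {f.message_type} from {f.sending_app}: "
              f"patient {f.patient_id} {f.patient_name} DOB {f.date_of_birth}")
```

Run against a real capture, the same logic (fed with reassembled TCP payloads per flow) turns the report's abstract "HL7 in clear text to public addresses" into a list of which interface engines are talking to whom and which patient fields leave the building unencrypted. The same MLLP stream carried inside TLS would yield nothing to this parser, which is exactly the point of enforcing encryption on those links.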
Looking deeper into the problems
The report looks into the numbers above in some detail. In particular, it analysed the devices, network architectures and traffic protocols in use. The findings are not unique to healthcare; they apply to any business with a large number of IoT and OT devices.
The mix of proprietary protocols and the lack of encryption is a major concern, all the more so because the data being transmitted in clear text includes sensitive personal data. It is an issue that has to be addressed across the whole industry. If it is not, regulators need to do more to investigate and take action where appropriate.
The increased use of network segmentation through VLANs is a positive move, but again, there are issues. In a properly segmented network, device types would not be mixed on a VLAN. That personal devices sit on the same VLANs as critical medical devices must be addressed. Additionally, devices with default passwords on the same VLAN as IT devices give attackers a route into the network.
Enterprise Times: What does this mean?
Drawing on the details of over 3.3 million devices gives this report credibility. The remediations it proposes also make it a useful starting point for IT departments. Even with the problems it identifies, the situation is far more positive than in 2019, when segmentation was low, use of supported operating systems was low, and breach risk was high.
Orange talked about the need for better segmentation and better cyber hygiene in a recent Enterprise Times security podcast.
It is key to remember that this is not an isolated report. Other reports into the sector show that the issues Forescout has uncovered are endemic across healthcare. It is all too easy to blame this on stretched budgets and under-resourced IT departments.
However, there are many issues that suppliers need to address. Proprietary protocols sending data unencrypted is a major problem that has to be addressed across the whole industry. The use of default passwords, and the fact that those passwords are published online, is another. It seems that the healthcare industry is still lagging a long way behind other IoT and OT sectors.