Every Internet-connected device carries some security risk. In the wake of the IoT botnets and the WannaCry ransomware outbreak, the heat is officially on medical device manufacturers and hospitals to better protect their systems from cyber attacks.
Earlier this year, the Health Care Industry Cybersecurity (HCIC) Taskforce released a report on the security risks to healthcare devices and the challenges of securing connected medical devices. One of its key imperatives is to increase the security and resilience of medical devices and health IT.
In a previous blog post, we discussed how APIs are central to integrating workflows and supporting evolving care models and IoT devices. Here are some of the questions CISOs are asking their teams in order to analyze their risk in this evolving space.
Are you using old versions of Windows in your connected devices?
Many mission-critical medical systems still run old or unpatched Windows versions. WannaCry spread by exploiting a flaw in the SMBv1 network protocol (the vulnerability Microsoft patched in MS17-010), so a single exposed Windows host could infect every unpatched machine it could reach on the network. It can take days or even weeks to patch and test fixes in large hospitals that cannot afford downtime, so where a device cannot be patched promptly, disable SMBv1 and segment the device off the flat network until it can. Reduce the risk window – start immediately.
Are you using an old version of anti-virus and spam filters?
An outdated engine or signature set may not detect the latest malware. Always upgrade to the latest releases of all security applications and confirm that their definitions are actually updating.
Do you have an inventory of Open Source components used in your software?
A vulnerability in an open source component can be used to reach your systems and data. The first step to mitigating this risk is to discover and track the open source components you depend on, including their exact versions, and to match that inventory against published advisories. Any high-risk vulnerabilities found in these components should be patched immediately. Flexera’s 2017 Open Source Risk report shines a light on the state of open source management in healthcare and other software verticals.
Do you require a Bill of materials from your software suppliers/device manufacturers?
Enterprises, including hospitals, need a fresh set of security requirements for medical device suppliers. This includes requiring suppliers to adopt management practices that inventory open source and third-party software and to publish a “bill of materials” that accounts for all hardware and software used in a device. Hospitals should also require suppliers to commit to patching when a vulnerability in a listed component is disclosed.
Are you testing devices before you buy?
Test devices before signing the purchase order to make sure they meet your standards. Again, request a bill of materials that accounts for all hardware and software components used in the device. Some suppliers prohibit hospitals from making changes to their devices – including applying security patches. In other cases, security patches are no longer available for the software the device runs. Always be aware of these restrictions and of the supplier’s policy on regular updates before you buy.
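As an added example (not code from the original post or from any supplier), here is one way to turn a supplier’s bill of materials into the inventory check described above: parse a CycloneDX-style SBOM, flag components whose version is missing (and therefore cannot be assessed), and match the rest against an advisory feed by version range. The SBOM, the component names and the advisory identifiers are all constructed sample data, not real software or real vulnerabilities.

```python
"""Added example: check a CycloneDX-style SBOM against an advisory list.
All data below is constructed for illustration; the advisory IDs are
placeholders, not real CVEs."""
import json
import re

# Constructed SBOM in the CycloneDX JSON shape (components[].name/version).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-web-framework", "version": "2.3.30"},
        {"type": "library", "name": "example-json", "version": "1.9.4"},
        {"type": "library", "name": "example-xml", "version": ""},     # supplier left version blank
        {"type": "library", "name": "example-tls", "version": "1.0.2k"},
    ],
})

# Constructed advisory feed (hypothetical IDs); 'affected' is a conjunction
# of version clauses, the same shape most vulnerability feeds use.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "component": "example-web-framework",
     "affected": ">=2.3.5,<2.3.32", "severity": "critical"},
    {"id": "EXAMPLE-ADV-002", "component": "example-json",
     "affected": "<1.9.5", "severity": "high"},
    {"id": "EXAMPLE-ADV-003", "component": "example-tls",
     "affected": "<1.0.2k", "severity": "high"},
]


def version_key(version):
    """Turn '2.3.30' or '1.0.2k' into a comparable tuple. Numeric parts
    compare numerically; a letter suffix sorts after the number it follows.
    (Deliberately simple: '1.0' sorts below '1.0.0'.)"""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token), "") if token.isdigit() else (1, 0, token.lower()))
    return tuple(parts)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def version_in_range(version, spec):
    """True if every clause in a spec such as '>=2.3.5,<2.3.32' holds."""
    v = version_key(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, version_key(bound)):
            return False
    return True


def check_sbom(sbom_json, advisories):
    """Return findings sorted by severity: one per component that cannot be
    assessed (no version) and one per advisory whose range covers the
    component's version."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            # A BOM entry without a version is itself a finding: the supplier
            # must be asked to complete it before the device is accepted.
            findings.append({"component": name, "issue": "missing version",
                             "severity": "unknown"})
            continue
        for adv in advisories:
            if adv["component"] == name and version_in_range(version, adv["affected"]):
                findings.append({"component": name, "version": version,
                                 "issue": adv["id"], "severity": adv["severity"]})
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}
    findings.sort(key=lambda f: order.get(f["severity"], 9))
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

Run against the sample data, the check reports the critical framework advisory first, then the high one, then the component with no version; the TLS library is not reported because its version equals the fixed version, which is exactly the boundary a naive string comparison gets wrong. For a real device, replace SAMPLE_SBOM with the supplier’s file and SAMPLE_ADVISORIES with your vulnerability feed export.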
Do you back up your data?
Always keep a secure copy of your data outside your facility, and keep at least one copy offline or otherwise isolated from the production network so that ransomware cannot encrypt the backups along with the originals. Test that you can actually restore from it; an untested backup is not a recovery plan.
Are you running programs to educate employees on company security policies?
Train and retrain. Make sure your teams are aware of the policies in place and comply with best practices.
Do your devices show up on Shodan as vulnerable to hackers?
Shodan.io indexes banners from Internet-facing hosts, so searching it for your own address ranges shows which of your devices are reachable from the Internet, what services and operating systems they advertise, where they are located and which organization they are registered to. Attackers run the same searches, so anything you find there they can find too.
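As an added example (not from the original post), the following script triages Shodan results for a hospital’s own address block the way a security team would after asking this question: it keeps only hosts inside the organization’s prefixes, flags services that should never face the Internet from a clinical network (SMB, NetBIOS, RDP, Telnet) and flags hosts whose banner reports an operating system past vendor end-of-support. SAMPLE_MATCHES is constructed data in the shape the official `shodan` Python package returns from `Shodan.search()`; the 203.0.113.0/24 prefix is the RFC 5737 documentation range standing in for your own, and `fetch_matches` is an assumed helper for pulling live results.

```python
"""Added example: triage Shodan search results for our own address space.
SAMPLE_MATCHES is constructed and not a real scan result."""
import ipaddress

# Assumption: replace with the organisation's own registered prefixes.
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Services that should never be reachable from the Internet on a clinical network.
RISKY_PORTS = {
    445: "SMB (the WannaCry/EternalBlue propagation path)",
    139: "NetBIOS session service",
    3389: "RDP",
    23: "Telnet",
}

# OS strings Shodan reports for platforms that are past vendor end-of-support.
END_OF_LIFE_OS = ("Windows XP", "Windows Server 2003")

# Constructed records shaped like entries of Shodan's 'matches' list:
# one record per (host, port) banner.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 445, "transport": "tcp",
     "os": "Windows 7", "org": "Example Hospital"},
    {"ip_str": "203.0.113.10", "port": 3389, "transport": "tcp",
     "os": "Windows 7", "org": "Example Hospital"},
    {"ip_str": "203.0.113.22", "port": 80, "transport": "tcp",
     "os": "Windows XP", "product": "Microsoft IIS httpd", "org": "Example Hospital"},
    {"ip_str": "203.0.113.40", "port": 443, "transport": "tcp",
     "os": None, "product": "nginx", "org": "Example Hospital"},
    {"ip_str": "198.51.100.5", "port": 445, "transport": "tcp",
     "os": "Windows 7", "org": "Someone Else"},   # not ours: must be ignored
]


def triage(matches, own_ranges=OWN_RANGES):
    """Return {ip: [finding, ...]} for hosts in our ranges that expose a
    risky service or run an end-of-life OS. Hosts with no findings are
    omitted; hosts outside our ranges are skipped because a 'net:' query
    can still return neighbours when the filter is loose."""
    findings = {}
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in net for net in own_ranges):
            continue
        port = m.get("port")
        os_name = m.get("os") or ""
        host = findings.setdefault(m["ip_str"], [])
        if port in RISKY_PORTS:
            host.append(f"port {port} exposed: {RISKY_PORTS[port]}")
        if any(os_name.startswith(eol) for eol in END_OF_LIFE_OS):
            host.append(f"port {port} served from end-of-life OS: {os_name}")
    return {ip: issues for ip, issues in findings.items() if issues}


def fetch_matches(api_key, cidr):
    """Assumed helper: pull live banners for one of our prefixes using the
    official `shodan` package (pip install shodan). Imported lazily so the
    offline sample above runs without it; not exercised here."""
    import shodan
    return shodan.Shodan(api_key).search(f"net:{cidr}")["matches"]


if __name__ == "__main__":
    for ip, issues in triage(SAMPLE_MATCHES).items():
        print(ip)
        for issue in issues:
            print("  -", issue)
```

On the sample data the host at 203.0.113.10 is reported for SMB and RDP, 203.0.113.22 for serving HTTP from Windows XP, the nginx host is clean, and the 198.51.100.5 record is dropped as not ours. Two findings deserve a caveat when you run this for real: Shodan’s OS field comes from banner fingerprinting and can be wrong, so confirm end-of-life hits against your own asset inventory, and a host that is absent from Shodan is not proven unreachable, only not yet indexed.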
WannaCry and the Apache Struts vulnerability won’t be the last attacks of this kind, as attackers keep expanding their knowledge and exploiting our weaknesses. Ultimately, for a risk management program to be effective, it needs appropriate investment in time, money, and education. A robust security plan needs to cover all aspects of security for you and your suppliers.
And if an attack does occur, don’t be caught unawares. An effective action plan needs to be in place. Here are some great resources to get started on the path to security.