Today, medical conditions are not the only ailments that healthcare facilities face on a daily basis. In the early days of the pandemic, the healthcare industry lacked the cyber maturity to deal with this period of tumult. The influx of patients and organizational response to the virus forced healthcare organizations to undergo a rapid digital transformation that significantly increased their attack surface and highlighted their lack of security infrastructure, weak incident response plans, and the shortage of cybersecurity professionals within the hospital IT department. This lag in security maturity, in addition to the high market value of healthcare data, has made healthcare facilities a major target for hackers.
In the United States alone, from 2020 to 2021 the number of ransomware attacks on healthcare organizations increased from 34% to 61%, according to The State of Ransomware in Healthcare 2022. However, the same study states that this year this type of cyber-attack has increased by 94% compared to 2021, a trend that, as we can see, is steadily rising.
Most attacks against the healthcare sector target third-party service providers, who have extensive access rights to perform maintenance and upgrades to hospital equipment.
These service providers regularly connect to healthcare facilities’ OT environment, whether on the medical side (scanners, MRI, monitoring tools, ventilators, syringe pumps) or on the building side (energy management, elevators, air conditioning, medical fluids…). It is this heterogeneity, together with the low security level of the means of connection, that strongly accentuates the associated cyber risks.
In the words of Gartner, Operational Technology (OT) is “hardware and software that detects or causes a change, through the direct monitoring and/or control of physical devices, processes, and events.”
In recent years, automation and digitization have accelerated in healthcare devices for the purposes of monitoring, tracking, and efficiency of care. While there is no doubt that all these devices using OT technology are helping the healthcare industry improve care, reduce costs, and increase efficiency, they are also significantly increasing the attack surface for organizations, according to Fortinet.
Hospitals today use cardiac pacemakers, insulin pumps, and other medical devices that run on software. These devices, which are not always kept up to date by the manufacturers, are based on obsolete operating systems, which opens multiple security gaps.
To begin with, many of these devices already carry potential vulnerabilities because security is not built into their design. Data encryption, password management, and authentication are all missing features on this type of equipment.
Today, medical equipment is mainly deployed and maintained by manufacturers with biomedical engineers as local contacts. Competence is therefore primarily entrusted to manufacturers who need to be connected very frequently to maintain the associated services. This results in closed hardware and software infrastructures that are vulnerable in terms of cybersecurity.
Many manufacturers still rely on remote connection tools that are not very secure and are spread throughout the hospital. They thus bypass the security components implemented and expose the IT system. The introduction of targeted malware or ransomware can quickly lead to the complete paralysis of healthcare equipment. This means that protecting medical equipment is no longer just a matter of data loss or theft of sensitive information but can also pose a threat to patients’ lives.
A hacker who penetrates a healthcare network will necessarily seek to move inside the network to collect information and compromise other components such as databases or servers. Therefore, securing access for privileged users, and controlling both their rights and their ability to bounce from a target machine to other systems, is critical.
For this reason, any healthcare facility looking to implement an OT solution must consider not only how to secure all devices, but also thoroughly examine the defenses it provides for all privileged resources beyond network devices.
To help healthcare organizations in their security approach, there are international standards, such as the MITRE ATT&CK for ICS framework or ISA/IEC 62443, that allow them to comply with existing regulations. Various regulations, such as the European NIS Directive of 2016, agree that there is a growing need to secure Operational Technology (OT).
Given the expected requirements, implementing a Privileged Access Management (PAM) solution will be critical to ensuring the security of the connected medical devices and OT components that enable the building to function.
But the challenges of service continuity, manufacturer warranty, and OT equipment obsolescence require a more specific approach than traditional PAM systems offer. Both the need for compatibility with proprietary protocols and the inability to install agents on the machines handling medical devices can be barriers to the effective implementation of a Privileged Access Management solution.
A PAM solution must provide robust tools and implement strict policies to secure credentials for privileged accounts. Real-time recording of account activity and automated monitoring (as well as termination) of sessions help prevent breaches and identify when a risk arises. This is not only vital to maintaining the security of devices (and the networks to which they connect), but also crucial to meeting compliance requirements.
Security must be integrated into the deployment of medical devices and be accompanied by change management and user awareness, as attacks are becoming more frequent and their consequences more severe.
PAM4ALL, WALLIX’s unified privilege management solution, uses the principle of least privilege to ensure that all users, whether human or machine, can access only the minimum number of sensitive resources needed to perform a given task, at the right time and with the appropriate privilege level. This is called the Zero Trust approach.
The concept that the “users” of a system will not always necessarily be “people” is critical to ensuring the complete security of OT devices in the healthcare sector. This is because these devices may themselves have access to privileged resources and will need to be monitored and controlled in the same way as humans. By ensuring that system components are subject to the same PAM principles as humans (access only to necessary resources, under the right circumstances), IT administrators responsible for OT security will be able to eliminate potential threats posed by all connected devices in healthcare facilities.
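The least-privilege rule described above can be expressed as a default-deny check on identity, resource, privilege level and time, applied identically to a human vendor account and a machine account. This is an added example, not WALLIX code or the PAM4ALL API; the account names, device names, privilege levels and time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Privilege levels, lowest to highest (hypothetical names for this example).
LEVELS = {"view": 0, "operate": 1, "admin": 2}

@dataclass(frozen=True)
class Grant:
    identity: str     # human or machine account, treated the same way
    resource: str     # the single target the task requires
    max_level: str    # highest privilege the task needs
    start: datetime   # approved window opens (inclusive)
    end: datetime     # approved window closes (exclusive)

def authorize(grants, identity, resource, level, when):
    """Default deny: allow only if one explicit grant covers all four factors."""
    if level not in LEVELS:
        return False, "unknown privilege level"
    reason = "no grant for this identity on this resource"
    for g in grants:
        if (g.identity, g.resource) != (identity, resource):
            continue
        if not g.start <= when < g.end:
            reason = "outside the approved window"
        elif LEVELS[level] > LEVELS[g.max_level]:
            reason = "privilege level exceeds the grant"
        else:
            return True, "granted"
    return False, reason

# Constructed sample policy: one vendor technician, one machine account.
GRANTS = [
    Grant("vendor-tech-01", "mri-console-2", "admin",
          datetime(2024, 3, 12, 22, 0), datetime(2024, 3, 13, 2, 0)),
    Grant("svc-pump-gateway", "pump-telemetry-db", "view",
          datetime(2024, 1, 1), datetime(2025, 1, 1)),
]

if __name__ == "__main__":
    night = datetime(2024, 3, 12, 23, 30)
    requests = [
        ("vendor-tech-01", "mri-console-2", "admin", night),
        ("vendor-tech-01", "mri-console-2", "admin", datetime(2024, 3, 13, 9, 0)),
        ("vendor-tech-01", "pacs-server", "view", night),  # attempt to reach another system
        ("svc-pump-gateway", "pump-telemetry-db", "operate", night),
    ]
    for req in requests:
        print(req[0], req[1], req[2], "->", authorize(GRANTS, *req))
```

The third request shows why per-resource grants matter for the bounce scenario: a valid maintenance session on one device gives no path to a second system unless a separate grant exists.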
In addition, the WALLIX PAM4ALL solution integrates security by design, controlling privileged users’ connections to systems and equipment.
Want to learn more about how to keep your healthcare organization safe from the challenges presented by industrial medical devices? Contact WALLIX’s teams of experts today!