Content provided by CitiusTech. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by CitiusTech or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://staging.podcastplayer.com/legal.
(0:07 - 0:55)
Welcome to today's episode, where we dive into one of the most pressing and often overlooked
challenges in healthcare: cybersecurity risks stemming from unmonitored and unprotected
network-connected medical and other devices. Hospitals today rely on thousands of connected
devices, but 87% of them go unmonitored.
And with over 53% found to contain critical risks, the cybersecurity threat is more than just
digital, it's clinical. These vulnerabilities don't just threaten data, they can directly impact patient
safety and hospital operations. To help us understand what's really happening behind the
scenes and what healthcare organizations can do about it, we are joined by two experts deeply
embedded in healthcare cybersecurity.
(0:56 - 1:56)
Vipin Varma, SVP and head of cybersecurity practice at CitiusTech, with decades of experience
in protecting healthcare systems. And Leon Lerman, SVP and GM of Axonius Healthcare, a
company focused on securing healthcare, IoT and medical devices. Welcome to the podcast,
Leon and Vipin.
Thank you. Great to be here. It's great to have you.
This is quite a big topic that we have today that we're going to dive into deeper and really
looking forward to our conversation today. I think it's important to start with the big picture.
Why are healthcare organizations increasingly becoming prime targets for cyber attacks
compared to any other industry? So let me start and maybe Leon will have a lot more specialist
input.
So see, the attackers go after where they can get maximum benefit, right? So that's the
standard thing. No one will go after places where they cannot get much from. And today's
currency is data.
(1:57 - 3:25)
And some of the most critical data is held by the healthcare organizations. It is not just data
that can be duplicated. This is data that is very personal and unduplicatable, if I can call it that.
That's not really a term, but you know, so personal health records, your parameters, any and
everything concerned with a human is something that is very personal to them. And it is
something that is, you know, something that you cannot duplicate again, etc. So availability of
such data allows attackers to actually sell such data on the internet.
And therefore, you know, everyone, all of them, are after profits or after impact. So that profit
aspect is one thing, the data is one part of it. The second major thing here is that healthcare
organizations are often small.
And the way that in the US healthcare system, the hospitals, and even the ecosystem that
surrounds them, their medtech players and peers, etc. Very often they are, you know, smaller
or medium sized enterprises and therefore, they have certain budget constraints and focus
constraints about how they can protect themselves. So it is not always like a large bank, which
is able to better protect itself.
(3:26 - 4:07)
Therefore, you will have, you know, them trying to protect themselves using a limited budget,
but more so also, most of their focus is very correctly on patient care. So you will find that they
are more vulnerable, they have more openings. The third major aspect is that unlike a lot of
other industries, the healthcare industry very specifically has a large volume of, of course,
people, you know, whether it is people who are servicing the patients, or the patients
themselves, or the third parties which are providing services.
(4:07 - 10:04)
So there is a huge ecosystem. But more than that, if you look at just the systems that are
deployed to run healthcare, there is a tremendous variety of the systems and that is something
we are going to talk about today also. So all of this kind of leads healthcare to be one of the
prime targets for a lot of the bad actors out there.
And I am sure Leon will come up with a lot more, you know, specificity about how many attacks
have taken place about how many organizations have kind of, you know, been impacted. But
there is a large number of organizations that have been impacted. And this is only increasing,
the type of attacks, the impact of the attacks has only increased.
And the last point I wanted to cover is that healthcare is a very interconnected ecosystem,
unlike a lot of other ecosystems. So it is not as if an attack on a small player is going to remain
isolated. So very often, and this came up when the Change Healthcare thing happened, people
said, oh, payment system is not going to impact patient care, but it directly impacted patient
care.
And that is where people, a lot of people got a wake up call that attack, I mean, and that is a
very visible attack, that is why I took the name. There are lots of small attacks, which are equally
impactful. But here is where people realize that, you know, an indirect third party attack could
also greatly impact critical care for patients.
So I will just leave it at that. And maybe Leon can add more to it. Yeah, I agree.
I agree with Vipin very much. Just to add a couple of examples on the first point of the value.
One of the assets that I think makes healthcare the number one target is the EPHI, the
electronic patient health records.
And one of the issues with them is that they're not cancelable, right? So if a hacker steals a
credit card and you find out about it, you just call your bank and you cancel it. But if they steal
your social security number or any information about your medical record, that there's very
little you can do about it, right? And then when they go on the black market and they sell it,
then the value of the medical record is actually 10 times greater than the value of a credit card
because of those facts, which make it a lot more beneficial financially for attackers to continue
doing so. And also, as Vipin said, attackers tend to go where it's easy, as we say here, the lowest
hanging fruit, right? And unfortunately in healthcare, because the network is usually flat and
interconnected, it's quite easy for them to get in and laterally move throughout the network.
And also with the proliferation of ransomware attacks, we're seeing that over 50% of the
healthcare organizations actually pay the ransom because of the clinical implications, because a
lot of those devices, like an MRI machine, we had a customer that had a ransomware attack on
an MRI machine and they could not use the MRI machine. And every minute that the MRI
machine is not working, the hospital is losing thousands of dollars. So they will pay the ransom
to unlock, and we're seeing rates much higher than in other organizations.
So attackers, seeing they're being successful, so they continue doubling down on their efforts,
unfortunately. That's incredibly eye-opening. And just explaining it as you both have, it really
makes it clear as to why healthcare would be such a prime target.
Absolutely. I want to dig in a little bit more into something you were just talking about, Leon.
When we're talking about cybersecurity within hospitals and the devices, what kind of devices
are we referring to beyond MRI machines? What is connected and why does that matter? So I
think today almost everything is connected, especially when COVID happened, there was even a
further acceleration as hospitals need to give access to doctors that connect remotely and
nurses that connect remotely.
And this is the IoT advancement. So it's devices like IV pumps, patient monitors, hospital beds.
On the OT side, there's devices like elevators, smart robots that operate hospitals, even a Tesla.
We typically in our deployments, we see a Tesla that is connected to the hospital's network
because it's parked in the garage, connects to the network of the hospital, door locks,
thermostats. Everything today is smart and connected. And of course, this significantly expands
the attack surface because today, typically those devices are more weakened.
You typically cannot have endpoint security installed on them. For example, in a lot of the
clinical devices, the manufacturer very explicitly says that if you install any sort of antivirus or
EDR solution on those devices, they will revoke or void the warranty because it could interfere
with the clinical function potentially and they don't want to take any responsibility over it. So by
definition, you cannot protect them the same way you can protect more of a standard IT device,
like a desktop or a laptop.
(10:05 - 11:28)
Add to that, that a lot of those devices are running legacy and obsolete operating systems. For
example, if you buy an MRI machine, you pay maybe several millions of dollars. As a hospital,
you want to see the ROI, return on investment on this.
So you want to keep this device for multiple years and the update pace of those devices is very
limited in comparison to other devices because of the clinical setting and all the different
interactions and vendors are being very careful and very slow usually on updating those
devices. So you end up seeing devices still running Windows XP, Windows 95, Windows 3.11
that hospitals keep because they paid a lot of money and the devices work and security is not
always top of mind in comparison to the clinical value they can get out of the device. Yeah.
Can you share, dig a little bit deeper and maybe share some more real world examples of how
the vulnerability in one of these devices could really lead to some serious consequences? Yes.
So there are some examples of attacks that happened. I will not mention any specific hospital
names just out of respect to those organizations, but I will talk about things that were
published.
(11:29 - 12:58)
So there was an attack in Germany where a patient died, unfortunately. And it was a
ransomware attack on the operation rooms. And essentially all the devices, a big portion
of the devices in the operation rooms were impacted.
Those were the monitors, the patient monitors. It was the different imaging systems that they
had there. And essentially the operations room could not operate.
And there was a woman that she had to take an operation, right? Those things have a very
urgent, obviously, way of like, people need to take operations urgently sometimes. And once,
because the operation room was not working at that point, they had to divert her to a different
hospital, which was like 45 minutes away. And unfortunately she died on her way to the
hospital.
So some people think that a cyber attack, it needs to be like a Netflix scenario where somebody
hacks into a device and uses this device to cause harm. But in many cases, because in a
hospital, every minute counts. So even if you create service disruption and a delay in the
operation, it could cause fatalities.
(13:00 - 18:01)
So this is one example. And maybe another quick example I will mention, it's a research that
actually we did as a company based on tag robots. Those are medical robots that are being
used in the hospital.
Essentially they clean the linen, they deliver medications, and are becoming very, very common
recently, especially in the U.S., but also in Europe and in APAC. And we found that through
vulnerabilities on those robots, you can remotely connect to them, essentially take pictures of,
they have a camera, you can take pictures of the hospital remotely without being in the
hospital. You can jam those robots to use specific elevators, so you can block elevators, and you
can basically control them.
So you can move the robot to any patient in any room. So yeah, pretty, pretty scary stuff. But
unfortunately, that's the reality today with the connected ecosystem.
Correct. And just to put some numbers, Laurel, sorry, if I can just add to what Leon just said,
because people think that, you know, there will be a few devices here and there. And, you
know, from an impact standpoint, you know, what is our ability to get to these devices and kind
of compromise them so that you can launch further attack? If you take a, of course, he talked of
imaging systems, and these are the big systems.
And yes, there will be a lesser number of systems. There are lab and diagnostic equipment.
There is the whole HVAC thing.
If you remember this whole discussion about the, when we, if you take our minds back 10, 12
years back, it started with Target being attacked through a third party, through HVAC systems,
security systems. All of that is there. But just to give you an idea of the number of devices that
are there in a hospital bed today, a normal bed would have at least 15 to 20 devices and an ICU
bed is upwards of 30 devices and about at least 80 to 90% of these devices are network
connected.
So what it means is if you have a thousand bed hospital, please look at that multiplier. The
second thing is like Leon spoke about, most of these devices are, you know, if I can say custom
or old operating systems, and they are, you know, I will not say they are easily compromisable,
but they are more, you know, if I can say easy to compromise because they are very often
legacy. So the point what I am trying to make here is, it is not just, of course, we talked about
the impact and the human cost and the cost not just a disruption, you know, the unavailability,
you know, what Leon was talking about, but it is also the, from a point of view of, you know, the
attack surface.
What is the ease of reaching these devices? That also is actually exponentially increased.
Because like I said, you know, 30 odd devices per bed, thousand beds, that is the number of
devices you have. And they come from a plethora of different sources.
And therefore, there is the need to actually inventorize and the need to be able to see what is
the status that we have of vulnerabilities and risk today, and to be able to take appropriate
action to monitor and actually fix them. That is the thing I just wanted to make sure that we
really, you know, also touch upon while some one or two things become sensational. It is also
this whole opening up of the innards of the network through these.
See, in a typical enterprise today, you go to a financial enterprise, you go to even a healthcare
enterprise, most of the critical systems and data is all on the cloud, locked away, there are lots
of multiple layers of protection put in. But what is most easily reachable are the networks at the
floor. You have like Leon mentioned, you know, a Tesla driving up into the garage of a hospital
connects onto the network there.
So, they are the most easily reachable, they are very often totally flat. You have a lot of in and
out, I talked about so many different actors, you know, doctors coming in from outside, nurses,
patients coming in, visitors coming in. So, there is a lot of inflow and outflow, those networks
are very porous, and all these devices are without protection on a porous network.
And that is why we feel that the risk is very high from this one particular vector. I just wanted to
add a couple of these things. And it is very important that you did, I am glad you did, because
between those examples that Leon was giving and that additional information is really driving
home the importance of how, as you said, porous and how vulnerable healthcare organizations
are and how critical that is.
(18:02 - 20:27)
And Vipin, I'd like to follow up with you. Are there any cultural or organizational barriers that
make the managing of medical device risks much more difficult? Right, see, I will begin, I'll put
that in two parts. The first part is taking over from what I just talked about, which is to say that,
you know, when you ask Leon the question, how many attacks or what kind of attacks have
taken place and all that, invariably, the attacks that come out, you know, and become
sensational in the news are some of the larger ones that have involved a lot of money and all
that.
However, there are lots of attacks happening on a regular basis, which we are not really aware
about, which do not come into public consciousness. So, I am just saying there is a lot of
basis for attack there. And the reason I am talking about this from an organizational, if I can
say, culture and mindset perspective also, is that we often gravitate our attention to something
which is top of mind, which is sensational, which has kind of hit the headlines, if I can call it in
that way.
But very often, at an organizational level, attention is not paid to make sure that every nut and
bolt is actually locked down. So, one part of the, you know, I am not saying the problem, but
one part of the reason why we find that this is only now coming into prominence is because,
you know, there have not been that very large scale attacks because, you know, the attacks
have been quiet or small. And therefore, they very often go under the radar and therefore,
people feel that this is something that I can control.
And very often, like I talk from a risk perspective, very often, here is where the risk is the
highest. So, that is one thing. The second thing is, very correctly, most organizations, most
healthcare organizations, most providers, hospitals, labs, various people, they are focused on
their primary mission.
Primary mission being saving patients lives, providing care. And therefore, a lot of focus goes
towards a lot of specifically from a technology perspective, a transformation perspective,
infusion of new systems, AI, etc. The aim is to see how can I impact and improve patient care.
(20:28 - 22:48)
What we need to bring a culture more and more is to make sure that the, you know, we can do
it sustainably and in a manner which is secure. That is the second thing. The third thing from a
culture standpoint also is like I talked about most of these organizations are small.
And what that will mean is most people in the IT department, if I can call it that or the technical
support are typically multitasked. They may in a lot of cases not be specialists. They may
not have the deep background in cybersecurity that a lot of people, you know, a lot of the teams in
the larger organizations have.
So, very often, they may not fully appreciate and understand what is the state of art and what
are the requirements very specifically from a cybersecurity perspective. So, that creates an
environment where the right things, where the intentions are good, but very often the right
things do not end up getting done. That is kind of what I want to say.
And I will add from an organizational perspective. When we talk about medical devices, those
are not typically devices that IT teams are aware of. In hospitals, we typically see a
collaboration.
There is a team called Biomed or HTM, Healthcare Technology Management. They are usually
tasked with maintaining the devices, make sure they're up to date, break, fix. And in many
cases, they're also being told, okay, you're now responsible for the security of those devices
because IT is only doing the IT devices, right? Desktops, laptops.
But they've never done security. So, there needs to be a collaboration between those two teams
to effectively secure them, especially if you need to take any device-level actions like changing a
configuration, changing a password. Those are not managed devices by IT.
So, that creates a complexity, especially with a lot of those organizations typically report to
different departments. We're now seeing a trend that in some cases Biomed or HTM also
reports under IT, and that creates a stronger collaboration. But where it's not, those are very
disjointed teams.
(22:48 - 26:23)
And that, of course, creates a challenge to effectively protect the environment. And that is a
very important point that Leon just made about who in the organization looks after that. And
I'd just like to expand it one step further.
Since these devices are from a lot of different manufacturers, OEMs, in many cases, when I
discuss with the actual stakeholders on ground, they feel that the OEMs, and a lot of cases
there is, you know, these devices are being maintained by some of those OEMs directly also. So,
they feel that the security of these devices also would have been looked after or will be looked
after by them. And we talked about legacy earlier, we talked about, you know, various things.
So, very often these devices are not fully protected. Secondly, what Leon just brought about,
which is that they are also unprotected because the way they are positioned on a network. And
it is not just enough to protect at a device level, you need to make sure that they are being able
to be protected the way they are deployed.
And very often the actual solution lies in being able to segment networks, to make them less
flat, to isolate devices, things like that, which is to be done at the hospital level. And like he was
saying, right, there is an ownership gap between the OEM, of course, that is a separate part,
but even within the hospital, the IT and the non-IT, you know, the technical support, because
who owns the network is normally the IT, and the devices are owned by the others. And
therefore, this whole ecosystem doesn't work as effectively.
Both excellent points, really. And we've spent this time talking about the risks and the
implications from said risks. So, let's talk about some solutions.
Leon, what are some practical steps that healthcare leaders and staff can take to better protect
their systems and patients from these risks, especially, as you mentioned earlier, when we're
dealing with these legacy systems that can't be patched or easily updated because of those
manufacturer constraints? Yes. So, a couple of things. The first one is still a lot of organizations,
provider organizations, have this mindset that this is not necessarily my problem.
And they say, hey, those are devices by the manufacturers, and the manufacturers will need to
solve this, and they need to do a better job, which they do. But it's definitely a joint
responsibility. And if there is a cyber attack in the hospital, at the end of the day, the hospital is
responsible.
Responsible for the patients, responsible for their data, and for their safety. So, it is their
responsibility. The second thing is that there are solutions, dedicated solutions for medical and
IoT solutions.
We offer, we're one of the companies that is offering this type of a solution that is
network-based, that doesn't touch the devices. As you correctly mentioned, a lot of them, you cannot
touch them, you cannot patch them. And for clinical reasons and for legacy reasons, some
devices, even if you try and scan them, like there's a lot of vulnerability scanners, they can crash
completely just from doing a basic scan of the network.
(26:25 - 26:57)
So, providing a passive solution that can monitor all of those unique device protocols. For
example, we cover over 200 unique legacy device protocols, like HL7 and DICOM. The reason
this is important, because understanding those protocols really allows you to understand the
devices and understand their communications, their behavior, what they look like on the
network, and what is good versus anomalous in their communication.
(26:58 - 29:40)
And then, be able to do three things. The first one, and the biggest challenge I'm hearing from
CIOs and CISOs in hospitals, is they say we don't have visibility. I ask them the question, how
many devices do you have? And usually they say something like many, which is, of course, not
sufficient to protect this environment.
So, providing full visibility and discovering all the devices and making sure you have this
inventory or asset management of what you have is the first step. The second step is
understanding the vulnerabilities. As I think was mentioned by you Laurel in the beginning,
over 53% of the devices have at least one critical vulnerability.
So, it's very important to understand those vulnerabilities and correctly prioritize them to the
most critical ones, to patient safety, service availability, and data confidentiality. And more
importantly, once you have those vulnerabilities, take action, right? Just knowing about it
doesn't solve the problem. In terms of taking action, we found that the most popular action to
take is network segmentation, because again, you cannot touch the devices, the patch may not
be available.
And by doing network segmentation, essentially you're limiting the communication of the
device only to the must-have communication. So, all the rest not needed communication will be
blocked. And to do that, you need to understand the environment well, you need to understand
the ecosystem, who every single device needs to communicate with, in what way, at what time.
And there are solutions that are able to do that very effectively today. And this is why this focus
on healthcare and on medical and IoT devices is very important. The last piece of the solution is
around attack detection.
We mentioned that ransomware attacks are very, very common because they're so successful.
And because there's such a big number of vulnerabilities in a hospital, it's not practical in a
short period of time to just cover everything. So, there always will be a vulnerability.
So, you don't just need the proactive approach of taking care of the risk, you also need the
reactive approach of assuming you will be attacked and make sure you have the tools to see
the attack, detect it, respond to it and stop it before any damage is done. So, all those three
pillars are available today. And I think every single hospital, every single provider, organization
needs to have something like that to make sure that they are covered when such an attack will
happen.
(29:42 - 29:59)
And just to summarize what he just said, so therefore know what you're looking to protect. So,
have a method or a means of being able to identify, detect, classify and create a threat profile
for all the devices that you have, step one.
Welcome to today's episode, where we dive into one of the most pressing and often overlooked
challenges in healthcare. Cybersecurity risks stemming from unmonitored and unprotected
network-connected medical and other devices. Hospitals today rely on thousands of connected
devices, but 87% of them go unmonitored.
And with over 53% found to contain critical risks, the cybersecurity threat is more than just
digital, it's clinical. These vulnerabilities don't just threaten data, they can directly impact patient
safety and hospital operations. To help us understand what's really happening behind the
scenes and what healthcare organizations can do about it, we are joined by two experts deeply
embedded in the healthcare cybersecurity.
(0:56 - 1:56)
Vipin Varma, SVP and head of cybersecurity practice at Sidious Tech, with decades of experience
in protecting healthcare systems. And Leon Lerman, SVP and GM of Axonius Healthcare, a
company focused on securing healthcare, IoT and medical devices. Welcome to the podcast,
Leon and Vipin.
Thank you. Great to be here. It's great to have you.
This is quite a big topic that we have today that we're going to dive into deeper and really
looking forward to our conversation today. I think it's important to start with the big picture.
Why are healthcare organizations increasingly becoming prime targets for cyber attacks
compared to any other industry? So let me start and maybe Leon will have a lot more specialist
input.
So see, the attackers go after where they can get maximum benefit, right? So that's the
standard thing. No one will go after places where they cannot get much from. And today's
currency is data.
(1:57 - 3:25)
And some of the most critical data is held by the healthcare organizations. It is not just data
that can be duplicated. This is data that is very personal and unduplicatable, if I can call it that.
That's not really a term, but you know, so personal health records, your parameters, any and
everything concerned with a human is something that is very personal to them. And it is
something that is, you know, something that you cannot duplicate again, etc. So availability of
such data allows attackers to actually sell such data on the internet.
And therefore, you know, everyone is all of them are after profits or after impact. So that profit
aspect is one thing, the data is one part of it. The second major thing here is that healthcare
organizations are often small.
And the way that in the US healthcare system, the hospitals, and even the CECO system that
surrounds them, their medtech players and peers, etc. Very often they are, you know, smaller
or medium sized enterprises and therefore, they have a certain budget constraints and focus
constraints about how they can protect themselves. So it is not always like a large bank, which
is able to better protect itself.
(3:26 - 4:07)
Therefore, you will have, you know, them trying to protect themselves using a limited budget,
but more so also, most of their focus is very correctly on patient care. So you will find that they
are more vulnerable, they have more openings. The third major aspect is that unlike a lot of
other industries, the healthcare industry very specifically has a large volume of, of course,
people, you know, whether it is people who are servicing the patients, or the patients
themselves, or the third parties which are providing services.
(4:07 - 10:04)
So there is a huge ecosystem. But more than that, if you look at just the systems that are
deployed to run healthcare, there is a tremendous variety of the systems and that is something
we are going to talk about today also. So all of this kind of leads healthcare to be one of the
prime targets for a lot of the bad actors out there.
And I am sure Leon will come up with a lot more, you know, specificity about how many attacks
have taken place about how many organizations have kind of, you know, been impacted. But
there is a large number of organizations that have been impacted. And this is only increasing,
the type of attacks, the impact of the attacks has only increased.
And the last point I wanted to cover is that healthcare is a very interconnected ecosystem,
unlike a lot of other ecosystems. So it is not as if an attack on a small player is going to remain
isolated. So very often, and this came up when the change healthcare thing happened, people
said, oh, payment system is not going to impact patient care, but it directly impacted patient
care.
And that is where people, a lot of people got a wake up call that attack, I mean, and that is a
very visible attack, that is why I took the name. There are lots of small attacks, which are equally
impactful. But here is where people realize that, you know, an indirect third party attack could
also greatly impact critical care for patients.
So I will just leave it at that. And maybe Leon can add more to it. Yeah, I agree.
I agree with Vipin very much. Just to add a couple of examples on the first point of the value.
One of the assets that I think makes healthcare the number one target is the EPHI, the
electronic patient health records.
And one of the issues with them is that they're not cancelable, right? So if a hacker steals a
credit card and you find out about it, you just call your bank and you cancel it. But if they steal
your social security number or any information about your medical record, that there's very
little you can do about it, right? And then when they go on the black market and they sell it,
then the value of the medical record is actually 10 times greater than the value of a credit card
because of those facts, which make it a lot more beneficial financially for attackers to continue
doing so. And also, as Vipin said, attackers tend to go where it's easy, as we say here, the lowest
hanging fruit, right? And unfortunately in healthcare, because the network is usually flat and
interconnected, it's quite easy for them to get in and laterally move throughout the network.
And also with the proliferation of ransomware attacks, we're seeing that over 50% of the
healthcare organizations actually pay the ransom because of the clinical implications, because a
lot of those devices, like an MRI machine, we had a customer that had a ransomware attack on
an MRI machine and they could not use the MRI machine. And every minute that the MRI
machine is not working, the hospital is losing thousands of dollars. So they will pay the ransom
to unlock, and we're seeing rates much higher than in other organizations.
So attackers, seeing they're being successful, so they continue doubling down on their efforts,
unfortunately. That's incredibly eye-opening. And just explaining it as you both have, it really
makes it clear as to why healthcare would be such a prime target.
Absolutely. I want to dig in a little bit more into something you were just talking about, Leon.
When we're talking about cybersecurity within hospitals and the devices, what kind of devices
are we referring to beyond MRI machines? What is connected and why does that matter? So I
think today almost everything is connected, especially when COVID happened, there was even a
further acceleration as hospitals need to give access to doctors that connect remotely and
nurses that connect remotely.
And this is the IoT advancement. So it's devices like IV pumps, patient monitors, hospital beds.
On the OT side, there's devices like elevators, smart robots that operate hospitals, even a Tesla.
We typically in our deployments, we see a Tesla that is connected to the hospital's network
because it's parked in the garage, connects to the network of the hospital, door locks,
thermostats. Everything today is smart and connected. And of course, this significantly expands
the attack surface because today, typically those devices are more weakened.
You typically cannot have endpoint security installed on them. For example, in a lot of the
clinical devices, the manufacturer very explicitly says that if you install any sort of antivirus or
EDR solution on those devices, they will revoke or void the warranty because it could interfere
with the clinical function potentially and they don't want to take any responsibility over it. So by
definition, you cannot protect them the same way you can protect more of a standard IT device,
like a desktop or a laptop.
(10:05 - 11:28)
Add to that, that a lot of those devices are running legacy and obsolete operating systems. For
example, if you buy an MRI machine, you pay maybe several millions of dollars. As a hospital,
you want to see the ROI, return of investment on this.
So you want to keep this device for multiple years and the update pace of those devices is very
limited in comparison to other devices because of the clinical setting and all the different
interactions and vendors are being very careful and very slow usually on updating those
devices. So you end up seeing devices still running Windows XP, Windows 95, Windows 3.11
that hospitals keep because they paid a lot of money and the devices work and security is not
always top of mind in comparison to the clinical value they can get out of the device. Yeah.
Can you share, dig a little bit deeper and maybe share some more real world examples of how
the vulnerability in one of these devices could really lead to some serious consequences? Yes.
So there are some examples of attacks that happened. I will not mention any specific hospital
names just out of respect to those organizations, but I will talk about things that were
published.
(11:29 - 12:58)
So there was an attack in Germany where a patient died, unfortunately. And it was an attack on
the, a ransomware attack on the operation rooms. And essentially all the devices, a big portion
of the devices in the operation rooms were impacted.
Those were the monitors, the patient monitors. It was the different imaging systems that they
had there. And essentially the operations room could not operate.
And there was a woman that she had to take an operation, right? Those things have a very
urgent, obviously, way of like, people need to take operations urgently sometimes. And once,
because the operation room was not working at that point, they had to divert her to a different
hospital, which was like 45 minutes away. And unfortunately she died on her way to the
hospital.
So some people think that a cyber attack, it needs to be like a Netflix scenario where somebody
hacks into a device and uses this device to cause harm. But in many cases, because in a
hospital, every minute counts. So even if you create service disruption and a delay in the
operation, it could cause fatalities.
(13:00 - 18:01)
So this is one example. And maybe another quick example I will mention, it's a research that
actually we did as a company based on TUG robots. Those are medical robots that are being
used in the hospital.
Essentially they clean the linen, they deliver medications, and are becoming very, very common
recently, especially in the U.S., but also in Europe and in APAC. And we found that through
vulnerabilities on those robots, you can remotely connect to them, essentially take pictures of,
they have a camera, you can take pictures of the hospital remotely without being in the
hospital. You can jam those robots to use specific elevators, so you can block elevators, and you
can basically control them.
So you can move the robot to any patient in any room. So yeah, pretty, pretty scary stuff. But
unfortunately, that's the reality today with the connected ecosystem.
Correct. And just to put some numbers, Laurel, sorry, if I can just add to what Leon just said,
because people think that, you know, there will be a few devices here and there. And, you
know, from an impact standpoint, you know, what is our ability to get to these devices and kind
of compromise them so that you can launch further attack? If you take a, of course, he talked of
imaging systems, and these are the big systems.
And yes, there will be a lesser number of systems. There are lab and diagnostic equipment.
There is the whole HVAC thing.
If you remember this whole discussion about the, when we, if you take our minds back 10, 12
years back, it started with Target being attacked through a third party, through HVAC systems,
security systems. All of that is there. But just to give you an idea of the number of devices that
are there in a hospital bed today, a normal bed would have at least 15 to 20 devices and an ICU
bed is upwards of 30 devices and at least 80 to 90% of these devices are network
connected.
So what it means is if you have a thousand bed hospital, please look at that multiplier. The
second thing is like Leon spoke about, most of these devices are, you know, if I can say custom
or old operating systems, and they are, you know, I will not say they are easily compromisable,
but they are more, you know, if I can say easy to compromise because they are very often
legacy. So the point what I am trying to make here is, it is not just, of course, we talked about
the impact and the human cost and the cost not just of a disruption, you know, the unavailability,
you know, what Leon was talking about, but it is also the, from a point of view of, you know, the
attack surface.
What is the ease of reaching these devices? That also is actually exponentially increased.
Because like I said, you know, 30 odd devices per bed, thousand beds, that is the number of
devices you have. And they come from a plethora of different sources.
And therefore, there is the need to actually inventorize and the need to be able to see what is
the status that we have of vulnerabilities and risk today, and to be able to take appropriate
action to monitor and actually fix them. That is the thing I just wanted to make sure that we
really, you know, also touch upon while some one or two things become sensational. It is also
this whole opening up of the innards of the network through these.
See, in a typical enterprise today, you go to a financial enterprise, you go to even a healthcare
enterprise, most of the critical systems and data is all on the cloud, locked away, there are lots
of multiple layers of protection put in. But what is most easily reachable are the networks at the
floor. You have like Leon mentioned, you know, a Tesla driving up into the garage of a hospital
connects onto the network there.
So, they are the most easily reachable, they are very often totally flat. You have a lot of in and
out, I talked about so many different actors, you know, doctors coming in from outside, nurses,
patients coming in, visitors coming in. So, there is a lot of inflow and outflow, those networks
are very porous, and all these devices are without protection on a porous network.
And that is why we feel that the risk is very high from this one particular vector. I just wanted to
add a couple of these things. And it is very important that you did, I am glad you did, because
between those examples that Leon was giving and that additional information is really driving
home the importance of how, as you said, porous and how vulnerable healthcare organizations
are and how critical that is.
(18:02 - 20:27)
And Vipin, I'd like to follow up with you. Are there any cultural or organizational barriers that
make the managing of medical device risks much more difficult? Right, see, I will begin, I'll put
that in two parts. The first part is taking over from what I just talked about, which is to say that,
you know, when you ask Leon the question, how many attacks or what kind of attacks have
taken place and all that, invariably, the attacks that come out, you know, and become
sensational in the news are some of the larger ones that have involved a lot of money and all
that.
However, there are lots of attacks happening on a regular basis, which we are not really aware
about, which do not come into public consciousness. So, I am just saying there is a lot of
basis for attack there. And the reason I am talking about this from an organizational, if I can
say, culture and mindset perspective also, is that we often gravitate our attention to something
which is top of mind, which is sensational, which has kind of hit the headlines, if I can call it in
that way.
But very often, at an organizational level, attention is not paid to make sure that every nut and
bolt is actually locked down. So, one part of the, you know, I am not saying the problem, but
one part of the reason why we find that this is only now coming into prominence is because,
you know, there have not been that very large scale attacks because, you know, the attacks
have been quiet or small. And therefore, they very often go under the radar and therefore,
people feel that this is something that I can control.
And very often, like I talk from a risk perspective, very often, that is where the risk is the
highest. So, that is one thing. The second thing is, very correctly, most organizations, most
healthcare organizations, most providers, hospitals, labs, various people, they are focused on
their primary mission.
Primary mission being saving patients lives, providing care. And therefore, a lot of focus goes
towards a lot of specifically from a technology perspective, a transformation perspective,
infusion of new systems, AI, etc. The aim is to see how can I impact and improve patient care.
(20:28 - 22:48)
What we need to bring a culture more and more is to make sure that the, you know, we can do
it sustainably and in a manner which is secure. That is the second thing. The third thing from a
culture standpoint also is like I talked about most of these organizations are small.
And what that will mean is most people in the IT department, if I can call it that or the technical
support are typically multitasked. They may in a lot of cases not be specialists. They may
not have the deep background in cybersecurity that a lot of people, you know, a lot of the teams in
the larger organizations have.
So, very often, they may not fully appreciate and understand what is the state of art and what
are the requirements very specifically from a cybersecurity perspective. So, that creates an
environment where the right things, where the intentions are good, but very often the right
things do not end up getting done. That is kind of what I want to say.
And I will add from an organizational perspective. When we talk about medical devices, those
are not typically devices that IT teams are aware of. In hospitals, we typically see a
collaboration.
There is a team called Biomed or HTM, Healthcare Technology Management. They are usually
tasked with maintaining the devices, make sure they're up to date, break, fix. And in many
cases, they're also being told, okay, you're now responsible for the security of those devices
because IT is only doing the IT devices, right? Desktops, laptops.
But they've never done security. So, there needs to be a collaboration between those two teams
to effectively secure them, especially if you need to take any device-level actions like changing a
configuration, changing a password. Those are not managed devices by IT.
So, that creates a complexity, especially with a lot of those organizations typically report to
different departments. We're now seeing a trend that in some cases Biomed or HTM also
reports under IT, and that creates a stronger collaboration. But where it's not, those are very
disjointed teams.
(22:48 - 26:23)
And that, of course, creates a challenge to effectively protect the environment. And that is a
very important point that Leon just made about who in the organization looks after that. And
I'd just like to expand it one step further.
Since these devices are from a lot of different manufacturers, OEMs, in many cases, when I
discuss with the actual stakeholders on ground, they feel that the OEMs, and a lot of cases
there is, you know, these devices are being maintained by some of those OEMs directly also. So,
they feel that the security of these devices also would have been looked after or will be looked
after by them. And we talked about legacy earlier, we talked about, you know, various things.
So, very often these devices are not fully protected. Secondly, what Leon just brought about,
which is that they are also unprotected because the way they are positioned on a network. And
it is not just enough to protect at a device level, you need to make sure that they are being able
to be protected the way they are deployed.
And very often the actual solution lies in being able to segment networks, to make them less
flat, to isolate devices, things like that, which is to be done at the hospital level. And like he was
saying, right, there is an ownership gap between the OEM, of course, that is a separate part,
but even within the hospital, the IT and the non-IT, you know, the technical support, because
who owns the network is normally the IT, and the devices are owned by the others. And
therefore, this whole ecosystem doesn't work as effectively.
Both excellent points, really. And we've spent this time talking about the risks and the
implications from said risks. So, let's talk about some solutions.
Leon, what are some practical steps that healthcare leaders and staff can take to better protect
their systems and patients from these risks, especially, as you mentioned earlier, when we're
dealing with these legacy systems that can't be patched or easily updated because of those
manufacturer constraints? Yes. So, a couple of things. The first one is still a lot of organizations,
provider organizations, have this mindset that this is not necessarily my problem.
And they say, hey, those are devices by the manufacturers, and the manufacturers will need to
solve this, and they need to do a better job, which they do. But it's definitely a joint
responsibility. And if there is a cyber attack in the hospital, at the end of the day, the hospital is
responsible.
Responsible for the patients, responsible for their data, and for their safety. So, it is their
responsibility. The second thing is that there are solutions, dedicated solutions for medical and
IoT solutions.
We offer, we're one of the companies that is offering this type of a solution that is
network-based, that doesn't touch the devices. As you correctly mentioned, a lot of them, you cannot
touch them, you cannot patch them. And for clinical reasons and for legacy reasons, some
devices, even if you try and scan them, like there's a lot of vulnerability scanners, they can crash
completely just from doing a basic scan of the network.
(26:25 - 26:57)
So, providing a passive solution that can monitor all of those unique device protocols. For
example, we cover over 200 unique legacy device protocols, like HL7 and DICOM. The reason
this is important, because understanding those protocols really allows you to understand the
devices and understand their communications, their behavior, what they look like on the
network, and what is good versus anomalous in their communication.
(26:58 - 29:40)
And then, be able to do three things. The first one, and the biggest challenge I'm hearing from
CIOs and CISOs in hospitals, is they say we don't have visibility. I ask them the question, how
many devices do you have? And usually they say something like many, which is, of course, not
sufficient to protect this environment.
So, providing full visibility and discovering all the devices and making sure you have this
inventory or asset management of what you have is the first step. The second step is
understanding the vulnerabilities. As I think was mentioned by you, Laurel, in the beginning,
over 53% of the devices have at least one critical vulnerability.
So, it's very important to understand those vulnerabilities and correctly prioritize them to the
most critical ones, to patient safety, service availability, and data confidentiality. And more
importantly, once you have those vulnerabilities, take action, right? Just knowing about it
doesn't solve the problem. In terms of taking action, we found that the most popular action to
take is network segmentation, because again, you cannot touch the devices, the patch may not
be available.
And by doing network segmentation, essentially you're limiting the communication of the
device only to the must-have communication. So, all the rest of the communication that is not needed will be
blocked. And to do that, you need to understand the environment well, you need to understand
the ecosystem, who every single device needs to communicate with, in what way, at what time.
And there are solutions that are able to do that very effectively today. And this is why this focus
on healthcare and on medical and IoT devices is very important. The last piece of the solution is
around attack detection.
We mentioned that ransomware attacks are very, very common because they're so successful.
And because there's such a big number of vulnerabilities in a hospital, it's not practical in a
short period of time to just cover everything. So, there always will be a vulnerability.
So, you don't just need the proactive approach of taking care of the risk, you also need the
reactive approach of assuming you will be attacked and make sure you have the tools to see
the attack, detect it, respond to it and stop it before any damage is done. So, all those three
pillars are available today. And I think every single hospital, every single provider organization
needs to have something like that to make sure that they are covered when such an attack will
happen.
(29:42 - 29:59)
And just to summarize what he just said, so therefore know what you're looking to protect. So,
have a method or a means of being able to identify, detect, classify and create a threat profile
for all the devices that you have, step one.
The Shaping Healthcare Podcast is handcrafted by our friends over at: fame.so