An Apple A Day Won’t Keep Malware Away


When researchers at Independent Security Evaluators published their 2016 report, “Hacking Hospitals,” the idea that vulnerabilities in medical devices could result in patient harm seemed like a serving of FUD (fear, uncertainty and doubt). Four years later, as we debate how and whether to return to life as we knew it before quarantine, there is irrefutable evidence that the health care sector is highly vulnerable to attack.

From daily news stories to scholarly articles, security experts continue to warn of the cyber threats the health care sector is facing, yet health care organizations continue to rely on technology and connected devices without fully understanding the cybersecurity risks or having the right intelligence to mitigate them.

Time for your checkup

In the recommendations section of the 2016 “Hacking Hospitals” report, the authors recognized, “Decision makers at health care facilities have little insight or control over the security practices of their vendors.” This remains true today. Without insight into whether any of the vendors in a health care organization’s complex supply chain have been compromised, it’s nearly impossible to understand all of the security risks in the IT infrastructure, third-party technology systems and connected medical devices the organization relies on.

Yet, in response to the shelter-in-place orders instituted around the world after the World Health Organization declared the global pandemic, medical service providers have expanded their attack surface even further by offering telehealth visits, a move encouraged by the Department of Health and Human Services in March. 

What’s the diagnosis?

This week, the HHS’s Office of the Inspector General released a strategic plan to assess the security of this IT infrastructure. The plan calls for an audit of “whether known cybersecurity vulnerabilities related to networked medical devices, telehealth platforms and other technologies being used in COVID-19 response have been mitigated.” What about the unknown vulnerabilities?

As the ISE authors wrote, a third-party security assessment “by experienced professionals can lend to empowering the CIO and other executives if vendors are required to produce such evidence,” but an assessment alone is not enough. Not in 2020.

Benefit vs. Risk

Guidance from the FDA advises that practitioners need to decide whether the benefits of medical IoT devices outweigh the security risks. All the while, experts continue to debate the best course of action for managing that risk. “But these discussions often miss the problems replete in the expansive supply chains on which many of these products and services we depend on are built,” wrote Scott J. Shackelford, Michael Mattioli, Steve Myers and Austin Brady in a 2018 issue of the Minnesota Journal of Law, Science & Technology.

Their words rang true again in February 2020, when the FBI warned of the Kwampirs malware that was being used against health care companies as well as those in the energy and financial sectors. Evidence continues to reveal that medical devices are vulnerable. We also know that health care organizations are targets. Prevailion’s Q1 2020 Apex Report found that over 40 hospitals, many located in the US, showed evidence of compromise, and that the health care sector overall showed high concentrations of company compromise. Many of the health care industry’s security issues tie back to risks in the supply chain.

Give it to me straight, Doc!

Current supply chain vetting is flawed because companies have an incomplete picture of the partners they are trusting. They may be able to verify what security measures a partner has in place, but they won’t be able to see how well that partner has performed under real-world attacks. Without real evidence of compromise, they have no way of knowing a partner’s cybersecurity track record, any current infections the partner hasn’t disclosed, or infections it hasn’t yet detected.

