Medical Sector and Cyber – Risks to Medical Sector
Legacy Medical Devices
The FBI has recently warned the healthcare sector of the risk of cyberattacks where legacy medical devices remain in use. A legacy medical device is any medical device that is missing numerous patches or is an outdated product. These devices should either be updated with all missing patches or replaced with more up-to-date equipment to maintain a secure environment. Such devices pose serious threats not only to the hospitals or medical institutes that operate them, but also to the safety of patients. Malicious actors can exploit devices such as:
- Insulin Pumps
- Cardiac Defibrillators
- Mobile Cardiac Telemetry
It has been reported that cybercriminals have been using the ransomware known as Ryuk to attack hospitals and have so far hit around 235 in the U.S. In its announcement the FBI did not identify any new attacks affecting these types of devices; rather, it pointed out that the medical industry has been plagued for years by the exploitation of legacy devices. Such attacks include the “Maui” ransomware attacks. Medjacking has also been an issue in the medical industry. Medjacking is usually used to collect personally identifiable information (PII) or to turn the compromised device into a pivot point for reaching other devices, which can put even better-secured medical devices at risk.
Why Are Medical Devices Vulnerable?
Vulnerable medical devices are not a new trend; they have been a common occurrence. This is primarily because the technology on which these devices are built tends to be older, and security is not usually considered during their development. This mindset needs to change, as it presents unnecessary risk to the medical industry. The FBI stated that approximately fifty-three percent of connected medical devices and other internet-connected devices in hospitals contain known critical vulnerabilities. To help address this, medical devices should be evaluated periodically, and cybersecurity requirements should be established for the purchase of any new medical device.
Industries Most at Risk – Third Party Security
What Industries are most at Risk
No matter how much effort is put into defending businesses and industries from cyber threats, the hard truth is that it is unrealistic to expect any industry to be free of exploitable weaknesses. The pressure for functionality over security has been a dominant feature of product and service development. When asked what types of threats their industries face, an overwhelming number of respondents agreed that third-party vulnerabilities were the leading cause of data breaches. A recent survey aimed to understand how different industries are affected by third-party vulnerabilities. One statement that produced quite worrisome statistics was “My Organisation doesn’t have anyone assigned to manage third-party risk”. The responses revealed that:
- Forty-two percent of the education industry do not
- Fifty-two percent of the industrial and manufacturing industry do not
- Fifty-one percent of the financial industry do not
- Forty-nine percent of the public sector do not
- Forty-six percent of the healthcare industry do not
These statistics show that approximately fifty percent of organisations across all industries do not have appropriate measures in place to manage their third-party risks. This can cause problems later if an incident involving a third party occurs, because the organisation will find it harder to trace the root cause.
Another worrisome set of statistics came from the question “Does your organisation have a comprehensive inventory of third parties’ access to its network?” – again, nearly 50% of organisations across all industries do not hold an inventory of who has access to their systems. This level of unmanaged risk can seriously undermine a business’s ability to mount an effective defence against cyber-attack. It also suggests that organisations are most likely not taking care when handling permissions for third parties and may be granting them more privilege than necessary without knowing it. If a third party were compromised in this situation, malicious actors would inherit the same, unnecessarily broad level of access that the third party holds.
Advice and guidance on how to implement better controls in these areas has been available for a long time. It is worrisome that such advice is still not gaining traction within many companies, and even less so with their key third-party suppliers.