Following a successful breach of Hillel Yaffe Medical Center in Hadera, Israel last October, Israel’s health sector experienced a 72% increase in targeted attacks in just one weekend. The growth of these attacks and their associated costs is staggering: there was a 123% rise in attacks in the past year alone, with an estimated $20.8 billion impact on the healthcare industry,

The Risks and Rewards of Healthcare IoT

The rapid adoption of IoT devices in healthcare environments has notably improved care. Patients have seen enormous improvements thanks to the data, insight, and timeliness that these devices bring to hospital care. Not surprisingly, this will likely lead to two-thirds of medical devices being internet-connected by 2050. As with many modern technologies, security was not a primary concern for these devices, which has led to over 20% of healthcare ransomware attacks being rooted in connected devices.

Beyond the individual device security challenges, hospitals and their vendors have been equally challenged in securing their networks from the barrage of devices that seemingly showed up overnight. A reliance on simply finding and identifying these devices has all but ignored the growing security issues that traditional IT protections cannot handle. The number and types of operating systems have grown dramatically. The long life cycles of medical devices, coupled with the ever-forward focus of device manufacturers, have made patching difficult and slow. Long gone are the days of Patch Tuesday, when a monthly push from a major software vendor could address many issues at once. IoT revolutionized the care of patients while drastically complicating the protection of those same patients.

What the JekyllBot:5 Vulnerabilities Tell Us About Healthcare IoT Security

The Cynerio Research team discovered the collection of vulnerabilities that make up JekyllBot:5 on Aethon TUG smart autonomous robots late last year while deploying in a customer environment, and they provide a good real-life snapshot of the issues surrounding healthcare IoT security.

Aethon TUG autonomous robots are used to carry out simple healthcare errands at hundreds of hospitals. They transport medicine, clean floors, collect meal trays and linens and perform many other routine activities. Their self-directed efficiency has helped the robots to grow in popularity as a way of streamlining time-consuming manual tasks and freeing up staff for more productive duties.

Cynerio researchers were also able to fully hijack the TUG robots. Among the attacks that could have occurred had the robots not been patched were:

  • Disrupting the timely delivery of patient medications and lab samples
  • Interfering with critical care and operations by obstructing and disabling facilities including elevators and door lock systems
  • Monitoring and photographing patients, staff, hospital facilities and medical records
  • Accessing restricted areas
  • Physically crashing into staff, visitors, and equipment
  • Hijacking user sessions and injecting malware to advance cyberattacks on facilities

JekyllBot:5 may be unique to the Aethon TUG robots, but the threats are not. Recent disclosures and research have shown that millions of medical devices created by hundreds of manufacturers have a wide range of critical issues that may impact patient care. Furthermore, JekyllBot:5 is the first set of vulnerabilities that bridge the gap from theoretical cyberattacks to proven cyber-physical attacks, a jump that makes the threat of impacted patient care that much more real.

To put it bluntly, cybersecurity has failed healthcare. The industry promised security in exchange for services, but the growing number of attacks, despite all the solutions already deployed to stop those attacks, is an indictment of our industry and a record of broken promises that is too noticeable to ignore. We need to do better, and the first step is admitting that what has been done up until now hasn’t worked. Now, we must initiate something that will work. When it comes to healthcare IoT security, it is time to start looking beyond commoditized inventory and start addressing risk.

At a bare minimum, healthcare IoT security needs to provide the following protection measures to armour devices against the threats targeting them:

  • The location and flagging of every device with known JekyllBot:5 risks and vulnerabilities.
  • Step-by-step instructional mitigation plans for every device affected by a vulnerability, including access to advisories and patches from device manufacturers and “virtual patching” options for end-of-life or otherwise unpatchable devices.
  • Clear and actionable guidance on how any hospital, regardless of size, staff, or resources, can implement a Zero Trust security framework that limits attack surfaces and silos healthcare IoT devices from the rest of the network.

The societal context of these attacks is even worse than the financial impact. Amidst an ongoing pandemic, cybercriminals have further stretched both medical and healthcare IT workers’ resources and energy to their limits. The problems previously confronting the industry have only been exacerbated by the pandemic: a shortage of available workers with the necessary knowledge to carry out their important work, widespread burnout, and a continuous barrage of sick patients and cyberattacks, none of which shows any sign of slowing down anytime soon.

The unfortunate truth is that healthcare is a target-rich environment with access to highly sought-after patient data. Lucrative Personal Health Information (PHI) records often fetch $250 or more per record on the black market, nearly 50 times the amount that stolen credit cards get, because the data cannot be changed, which eases the process of committing identity fraud. The result? Hospitals are targeted for cyberattacks more than any other industry, with recovery from a breach typically taking 287 days and $8 million.

It’s entirely likely that the cyberattacks on healthcare systems will get better before they get worse. JekyllBot:5 was not the first disclosure impacting a wide range of medical devices, nor will it be the last. With the right focus, commitment, and resources we can protect our patients and hospitals from the attackers who callously target them for profit.

Written by Daniel Brodie, CTO & Co-Founder of Cynerio