
IoT devices are hard to patch: Here's why—and how to deal with security

Xu Zou, Co-founder and CEO, ZingBox

The biggest and most obvious security challenge with Internet of Things (IoT) devices such as connected medical devices is the inability to easily upgrade or patch them. The typical advice for avoiding cyber attacks continues to be, “Install the latest patch.” 

This was heard often in the wake of the WannaCry ransomware and the NotPetya wiperware. But how would a clinical engineer go about figuring out the underlying firmware and the patch version of an infusion pump, the operating system of a thermostat to determine whether a patch is needed, where to get the patch, or whether patching is even permitted by the manufacturers or regulators?


Why are IoT devices a mismatch for patching?

Just as the underlying operating systems and firmware of these devices are difficult to update, they’re also not designed to run any third-party endpoint security solutions. There are two main reasons the antivirus software and other clients that we typically find in PCs are almost impossible to install on medical devices.

First, because of the regulatory constraints imposed by the Food and Drug Administration, medical devices that have received FDA approval must follow very stringent and time-consuming processes for any change, especially to the underlying software. Fortunately, the FDA has issued some recommendations on this issue.

Second, medical device manufacturers lack the expertise to support dynamic patching of their devices, so they cannot benefit from a cadence like Microsoft’s Patch Tuesday. Because of these constraints, some rely on the security of the communications to and from connected medical devices as a safeguard against the latest wave of malware, ransomware, and wiperware.

Many people may expect the transmission of data to or from medical devices to be encrypted. Unfortunately, our findings show that the majority of the data transmissions are, in fact, not encrypted. This may seem alarming, but it's not surprising given that the typical lifespan of these devices exceeds 10 years before being redesigned. 

Some people consider restricting communications of connected medical devices to external destinations as a solution to minimize the device risk. After all, connected medical devices should have no need to visit websites or download content. But many medical devices are configured to be managed remotely. Without additional context, healthcare organizations cannot simply block all ports or data transmissions of their connected medical devices without risking unexpected behavior or malfunction.

How to secure IoT devices

Given these unique requirements and characteristics, several steps can be taken to strengthen the security of connected medical devices.

The first and most critical step is to discover and inventory all IoT devices. Many organizations are surprised by the number of medical devices actually in their environment compared to the number reflected in their asset management solution. Once the devices are found, additional details, such as the type of device and the underlying operating system, must be identified.

These insights provide organizations with much-needed visibility into their IoT environment. Some organizations rely on manual room-by-room inspections to catalog all devices. Instead, organizations should look into using an automated method for discovering and cataloging IoT devices.

Second, since installing agents or clients on medical devices is not possible, the network traffic to and from each device must be analyzed. By understanding the context of the various medical device functions, you can formulate a baseline of what is considered normal behavior and continuously monitor for anomalous behavior.

While some analysis can be conducted manually, the machine learning behind such behavior analytics must be automated. Only then can you monitor device behaviors 24/7 and detect malicious activity without installing anything on the endpoints.

Any solution put in place must be able to function even when most IoT data transmissions are encrypted. You cannot afford to be left in the dark when and if IoT devices are configured to encrypt their traffic. Rather than relying solely on the ability to inspect network packets, your solution should focus on enforcing trusted behaviors in a specific context.

For example, the transmission pattern for an X-ray machine under normal circumstances would be quite different from that of an IV pump. Even without access to the encrypted payload, modern IoT security solutions can characterize deviations from normal behaviors by analyzing other key data points. These include the size of the payload, frequency of transmission, destinations, and application data.
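The following is an added illustration, not ZingBox's code or any product's algorithm: it learns a per-device profile from flow metadata only (destination, payload size, transmission interval) and flags deviations, so it works whether or not the payload is encrypted. The flow records and device names are constructed sample data.

```python
# Added example: metadata-only behavioral baseline for connected medical
# devices. Only sizes, timing and destinations are used, never payloads.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (device_id, destination, bytes, time_seconds).
# An IV pump sends small, regular check-ins; an X-ray sends large images.
BASELINE_FLOWS = [
    ("pump-01", "10.0.5.20:443", 512, 0),
    ("pump-01", "10.0.5.20:443", 530, 60),
    ("pump-01", "10.0.5.20:443", 498, 120),
    ("pump-01", "10.0.5.20:443", 520, 180),
    ("xray-01", "10.0.9.40:104", 40_000_000, 0),
    ("xray-01", "10.0.9.40:104", 52_000_000, 3600),
    ("xray-01", "10.0.9.40:104", 45_000_000, 7200),
]

def build_baseline(flows):
    """Per device: seen destinations plus mean/stdev of size and interval."""
    by_dev = defaultdict(list)
    for dev, dst, size, t in flows:
        by_dev[dev].append((dst, size, t))
    baseline = {}
    for dev, recs in by_dev.items():
        recs.sort(key=lambda r: r[2])  # order by time to derive intervals
        sizes = [r[1] for r in recs]
        gaps = [b[2] - a[2] for a, b in zip(recs, recs[1:])] or [0]
        baseline[dev] = {
            "dsts": {r[0] for r in recs},
            "size": (mean(sizes), pstdev(sizes)),
            "gap": (mean(gaps), pstdev(gaps)),
        }
    return baseline

def check_flow(baseline, dev, dst, size, gap, k=3.0):
    """Return the reasons a new flow deviates from the device's profile."""
    prof = baseline.get(dev)
    if prof is None:
        return ["unknown device: not in inventory"]
    reasons = []
    if dst not in prof["dsts"]:
        reasons.append(f"new destination {dst}")
    m, s = prof["size"]
    if abs(size - m) > k * max(s, 1.0):  # floor stdev to avoid zero-width bands
        reasons.append(f"payload size {size} outside baseline")
    m, s = prof["gap"]
    if abs(gap - m) > k * max(s, 1.0):
        reasons.append(f"transmission interval {gap}s outside baseline")
    return reasons
```

An unknown device id is itself an alert, which ties this check back to the inventory step: a device that was never discovered has no baseline to be judged against.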


There's time to get out front

The onslaught of recent malware is a sign of the floodgates opening for more attacks on IoT devices, including connected medical devices. The sooner we recognize the limitations of traditional IT security approaches for IoT devices, the faster we can employ the right security solution designed from the ground up specifically to secure IoT devices.

The interoperability of traditional IT security with modern IoT security should be the goal of all organizations. For now, however, recognizing the unique security challenges posed by IoT devices appears to be the biggest hurdle many organizations face. Consider what other impactful security measures you can take to secure your environment the next time you hear advice from vendors to patch your IoT devices.

Image source: Flickr
