The impact of TCP/IP vulnerabilities in healthcare devices

Forescout Research Labs has published a new healthcare cybersecurity report, which discloses a number of serious TCP/IP vulnerabilities found in healthcare devices around the world. 

The company found and disclosed several critical vulnerabilities on TCP/IP stacks that affect hundreds of millions of IT, OT, IoT and IoMT devices: AMNESIA:33, NUMBER:JACK and NAME:WRECK. This research — collectively called Project Memoria — has the mission to uncover threats arising from this new class of vulnerabilities and to support the community in addressing them.

During this process, we discovered that healthcare organisations are at greater risk than other organisations due to the complexity of the networks, the range of devices used in Healthcare Delivery organisations (HDO’s) and breadth of manufacturer and type. The always-on use of many devices within a hospital or healthcare environment has led to an increased security exposure for many.

By analysing data from the Forescout Device Cloud, anonymised information from approximately 13 million devices from more than 1,800 global customers, and combining this with Project Memoria vulnerabilities found, we are releasing a new healthcare research report to draw attention to the underlying risks with the HDO’s network and urging them to act.

Key findings:

• 75% of healthcare organisations are affected by the TCP/IP vulnerabilities we have uncovered. These have on average per organisation, the highest number of vulnerable devices (almost 500), the highest diversity of vulnerable devices (8 device types) and the highest diversity of vulnerable vendors (12) on their networks.

• Healthcare organisations are roughly five times more affected by TCP/IP vulnerabilities than any other vertical. There are in total 79 vulnerable types of devices and 259 vulnerable vendors.

• The most common vulnerable device types in healthcare organisations are printers, VoIP, infusion pumps, networking equipment and building automation devices. The most common vulnerable medical device types are infusion pumps, patient monitors and point-of-care diagnostic systems.

• These and other vulnerable devices often share the same segments of an organisation’s network, which increases the potential likelihood and impact of cyberattacks.

• The combination of new vulnerable devices, difficult-to-patch vulnerabilities and lack of segmentation exposes healthcare networks to new threat scenarios that can have a big business impact.

These findings shed light on the difficulties of managing cybersecurity in the IoT world. In networks with high device diversity, security operators need to spend a considerable amount of time identifying and patching vulnerable devices. 

This is because (1) the tools able to identify IT devices might differ from those able to identify medical or IoT devices, and (2) different device types come different vendors and hence patches available on different timelines and applicable with different procedures. Since patches for TCP/IP stack vulnerabilities must trickle down the supply chain, several of those vendors either do not issue patches or take months to do so, which means the affected devices remain vulnerable for a long period of time.

The combination of new vulnerable devices, difficult to patch vulnerabilities and lack of network segmentation increases cyber risk, the potential likelihood and impact of cyberattacks. This exposes healthcare networks to new threat scenarios that can have large business impact:

• Increased exposure to attacks — since more devices and less monitored device types are now vulnerable, organisations are more susceptible than ever to cyberattacks that affect the confidentiality and availability of sensitive data. This comes at a time of rising costs associated to healthcare data breaches. These breaches cost an average of $7.13 million in 2020, which includes lost business because of customer turnover, damaged reputation or system downtime.

• Increased downtime of affected devices — ransomware can take big parts of an organisation offline, but it is now something that the industry has learned to deal with by following standard guidelines. Downtime caused by exploiting vulnerabilities in embedded devices can be much higher because it may affect different device types in a completely different way (e.g., network disconnection, intermittent downtime, persistent denial-of-service), is mostly unknown to cybersecurity personnel, and may demand specialised maintenance from the vendor or, in the worst case, equipment replacement. At a cost of thousands of dollars per scan, plus idle staff, plus delayed patient care, each hour that an MRI scanner is down can easily cost tens of thousands in lost revenue.

• Denial of healthcare delivery — previous attacks lead to reputational damage (due to data breaches) or a decrease in healthcare delivery capacity (due to ransomware), which translate into lost revenue. However, attacks targeting medical devices such as patient monitors and infusion pumps can completely stop an HDO’s ability to provide patient care and, in the worst case, harm patients.

These IoT security challenges and emerging threat scenarios mean that every organisation, especially in the healthcare sector, needs a proactive and holistic approach to cyber security that prioritises the following steps:

• Discover and inventory devices running the vulnerable stacks and assess their business risk. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks. The script is updated constantly with new signatures to follow the latest development of our research.

• Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.

• Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements.

• Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible 0-days affecting TCP/IP stacks. Anomalous and malformed traffic should be blocked, or at least alert its presence to network operators.