A guest blog by ITHealth partner Lansweeper.
In a hospital environment, seconds can mean the difference between life and death. Increasingly, medical professionals in hospital environments rely on — and benefit from — networked medical devices that help them access and share patient information rapidly to reduce the time it takes to make life-saving decisions and deliver essential care.
But when those devices are running outdated software, they can become vulnerable to cybersecurity risks. Ransomware attacks, malware, and hackers can exploit medical device vulnerabilities to access and steal patient information for nefarious purposes, compromising the devices themselves and putting patients in danger. On top of all that, hospitals become liable for breaches and any impact those breaches may have on patients.
An example of the level of risk hospitals face when medical devices run outdated software is the WannaCry ransomware attack, which hit more than 300,000 machines in 150 countries in 2017. The cryptoworm targeted computers running Microsoft Windows, encrypting data and demanding ransom payments via Bitcoin. Although Microsoft released patches before the cryptoworm spread, many organisations had not applied these updates or were running older, outdated Windows systems that were no longer supported by Microsoft. As a result, several U.K. hospitals had to suspend normal services and accept only emergency patients until the problem was corrected.
Outdated operating systems pose a serious threat
Unfortunately, in the healthcare industry, medical devices are complicated to update or aren’t even built to accept software updates. And with Microsoft ending support for Windows 7 in January this year, many devices may now contain critical vulnerabilities for which patches are no longer available.
“Healthcare organisations typically have complex and sprawling IT estates, often including legacy software and systems, which can make keeping track of the security and compliance of all assets a challenge.”
Andy Sheret, Head of Business Development at ITHealth
ITHealth specialises in providing healthcare organisations with proven and trusted IT security and access management solutions. “Although IT teams have processes in place to report on the state of their infrastructure and manage vulnerabilities, those processes are often overly complex, resource-reliant, and extremely time-consuming. To get an overall picture of the IT environment typically involves asking differing IT functions to pull multiple reports from disparate systems and then collating the information; it’s a piecemeal approach, which, due to its manual intervention, only leaves room for error and often results in contradictory information.”
New research from Palo Alto Networks confirms that today, 83% of medical imaging devices are running outdated operating systems, up 56% since 2018. Additional findings from the report are equally disconcerting:
- 51% of threats in the healthcare industry involve imaging devices. By infiltrating such devices, hackers can access any and all patient data stored on these devices or the server.
- A whopping 72% of healthcare VLANs implement a Bring Your Own Device (BYOD) culture but leave their networked medical devices outdated. This means they are vulnerable to malware, which can be spread from an employee’s computer or mobile device to the IT network, putting critical medical devices at risk.
- Almost 41% of malware attacks exploit medical device vulnerabilities. The IT-borne attacks scan network-connected devices and latch onto those with weaknesses.
While patient safety issues related to weak medical device security pose a tremendous threat, an additional threat is the possibility of hackers using those devices to launch a larger-scale attack on other portions of the organisation’s network.
The cost of such threats is potentially enormous. Since 2016, there have been 172 ransomware attacks on healthcare organisations in the U.S. alone, amounting to more than $157 million in losses and impacting 1,446 hospitals, clinics, and organisations — and over 6.6 million patient records.
Know Your IT: An Asset Inventory Offers Critical Visibility
The first step toward ensuring all networked medical devices are protected is knowing what devices exist on the network and what software they’re running. In the UK, for example, this step is outlined in the guidance provided by NHS Digital, a national information and technology partner to the health and care system that offers guidance to health trusts for applying security measures.
The guidance reads: “A complete picture should be made that details the types of devices that need protecting, along with information such as what operating system they run and the ports/service they need to utilise.” NHS Digital goes on to say that having this information in an accessible format will simplify following the remaining steps to ensure there are no security gaps in the network.
One way to complete this step is by implementing an agentless network discovery solution, such as Lansweeper. This is a cost-effective way to rapidly create a complete inventory of all devices on the network, including Windows, Linux and Mac devices, printers, routers, and switches — and in the case of a hospital or other medical environment, any networked medical devices.
Lansweeper’s IT Inventory platform is used by IT services partners in various industries, enabling over 25,000 organizations worldwide to know their IT at all times. Lansweeper helps its customers minimise security risks, become compliant, and optimise their IT-spending by providing actionable insights into the state of their IT infrastructure.
For ITHealth, Lansweeper’s partner in the UK Healthcare Industry, the platform is a cornerstone of their service offering, empowering the ITHealth Assurance Dashboard to support 81% of all cyber-related compliance requirements within NHS Digital’s Data Security and Protection (DSP) Toolkit. “We recommend that our clients buy the ITHealth Assurance Dashboard, which is underpinned by Lansweeper because it makes risks easier to visualise, prioritise, remediate and report on,” said Sheret.
How Does it Work?
The Lansweeper technology rapidly gathers hardware and software information on all devices across the IT environment, enabling comprehensive management and providing the data needed for compliance and audit purposes. With access to a complete, up-to-date asset inventory, organisations can easily assess security threats and vulnerabilities and respond to security incidents. They can create custom vulnerability reports to identify where patches and updates are needed, then either update the software that is creating the vulnerabilities or remove the affected devices from the network.
For NHS Trusts in the UK, ITHealth has already configured and tailored the Lansweeper Dashboard specifically for NHS use, ensuring it shows all reports pertinent to NHS cybersecurity and compliance. ITHealth has also integrated key data feeds, such as the NHS Digital threat bulletin alerts (CareCERTs), which help to streamline a Trust’s response to national compliance.
According to Chris Booth, ITHealth’s Healthcare Account Manager, the ITHealth Assurance Dashboard powered by Lansweeper provides a single place to go for information and insights about the state of the network. “The Dashboard allows NHS customers to see at-a-glance which parts of their infrastructure are leaving them open to cyber-attacks and helps to better focus IT resources,” he said. “In short, it bridges the gaps between silos by providing a single, trusted, common view for the IT team, so that individual IT departments can monitor, manage and control the parts of the network for which they are responsible.”
With a single source of truth about the state of the network available, organisations save time and resources and benefit from streamlined compliance and reporting. “Our clients have been able to identify and remediate vulnerabilities, identify unauthorised software, resolve patching issues, and create and manage disabled devices,” said Booth. “They can provide timely and accurate compliance reporting, as well, to meet our national response requirements.”
Are you interested in learning more about how the ITHealth Assurance Dashboard and Lansweeper can help you gain visibility and control over all medical devices in your IT environment? Schedule a 1:1 demonstration of the ITHealth Dashboard Solution today, to identify at-risk devices and drive compliance.