Content area
Full Text
Freeman Health System has around 8,000 connected medical devices in its 30 facilities in Missouri, Oklahoma, and Kansas. Many of these devices have the potential to turn deadly at any moment. "That’s the doomsday scenario that everyone is afraid of," says Skip Rollins, the hospital chain's CIO and CISO.
Rollins would love to be able to scan the devices for vulnerabilities and install security software on them to ensure that they aren't being hacked. But he can't.
"The vendors in this space are very uncooperative," he says. "They all have proprietary operating systems and proprietary tools. We can't scan these devices. We can't put security software on these devices. We can't see anything they're doing. And the vendors intentionally deliver them that way."
The vendors claim that their systems are unhackable, he says. "And we say, ‘Let's put that in the contract.’ And they won't."
That's probably because the devices could be rife with vulnerabilities. According to a report released earlier this year by healthcare cybersecurity firm Cynerio, 53% of medical devices have at least one critical vulnerability. For example, devices often come with default passwords and settings that attackers can easily find online, or are running old, unsupported versions of Windows.
And attackers aren't sleeping. According to Ponemon research released last fall, attacks on IoT or medical devices accounted for 21% of all healthcare breaches – the same percentage as phishing attacks.
Like other health care providers, Freeman Health Systems is trying to get device vendors to take security more seriously, but, so far, it hasn't been successful. "Our vendors won't work with us to solve the problem," Rollins says. "It's their proprietary business model."
As a result, there are devices sitting in areas accessible to the public, some with accessible USB ports, connected to networks, and with no way to directly address the security issues.
With budgets tight, hospitals can't threaten vendors that they'll get rid of their old devices and replace them with new ones, even if there are newer, more secure alternatives available. So, instead, Freeman Health uses network-based mitigation strategies and other workarounds to help reduce the risks.
"We monitor the traffic going in and out," says Rollins, using a traffic-monitoring tool from Ordr. Communications with suspicious locations can be...