Water isn’t picky about how it gets into a basement, and malware is no choosier about how it finds its way into computer networks.

In the case of hospital networks, the easiest path can often start with Internet-connected devices, collectively known as the Internet of Things, that exhibit some of the same security vulnerabilities as consumer-grade IoT gear: wide-open default authentication settings, insufficient patches, and internal networks that assume all participants are trusted.

“It’s kind of an inevitability that going down this path of connectivity will lead to more security issues,” says Beau Woods, a cyber innovation fellow with the Atlantic Council who has consulted with the U.S. Food and Drug Administration and other government agencies. “As I say sometimes, malice is not a prerequisite for harm.”

On the more alarming side of the health care security spectrum, vulnerable medical devices could ostensibly allow a hacker to fake patient data, which could lead to an inaccurate diagnosis or a dangerous prescription or procedure—a risk McAfee Labs’ Advanced Threat Research group demonstrated in an August study of 2004-vintage monitoring hardware still in use.

Vulnerable devices are much more likely, however, to serve as conduits in hospital network breaches, leading to infestations of ransomware or to data theft. And hamstrung hospital systems can have a huge impact on how doctors treat patients.

Exposed devices

Hospitals are like homes in one respect: If you look long enough, you can find IoT devices open to the public Internet and indexed on Shodan, a searchable database of Internet-connected devices well known among hackers and security researchers.

Although medical hardware is less prevalent than consumer devices on Shodan, it represents a more tempting target, said M. Carlton, head of research at the Portland, Ore.-based security firm Senrio, who has studied this issue.

“In a hospital setting, devices and servers are often clearly identified with their model number or department, which makes them easier to spot on Shodan and more of a target,” she wrote in an email her employer’s publicist forwarded to The Parallax.

Steve Povolny, head of advanced threat research at McAfee, says a leading security issue for connected devices, in the consumer and medical worlds, is manufacturers’ use of default log-in credentials that go unchanged, or in some cases can’t be changed. Insecure default device authorization settings, combined with unauthenticated or unencrypted connections to other devices, could lead to massive network security headaches.

“A lot of the times, it’s the devices we don’t think about,” Povolny says, adding that it’s helpful to think of (and treat) each network-connected device “as a computer.”

Gaining control of a device that the rest of the network will talk to as a trusted peer vastly expands the damage possible, Povolny says: “All of these things just become a pivot point into the network, and once you’re in, you’re in.”

Network explorers

Once attackers gain “a toehold in the network, their next tasks are to explore the network and monetize their attack,” Senrio’s Carlton says. “Learning more about the hospital network will help them to find valuable data or information they can sell, and establish a persistent presence on the network.”

A hacked IoT device may also spread across its local network ransomware that has been coded to attack any computer, regardless of whether it contains medical data. That was the case with the WannaCry ransomware worm, which significantly hampered hospital operations across Europe.

Woods says vulnerable building-control or HVAC systems could open doors to more dangerous attacks on hospital facilities. “Hospitals have special rooms where they put really contagious patients that have negative pressure,” he said, nodding to the use of differential air pressure to stop the spread of pathogens.

Is such a scenario likely to unfold anytime soon? Probably not—Woods notes that nation-state actors with the largest hacking competencies would be more reluctant to deploy such attacks, while more aggressive actors have fewer competencies. But the risk can’t be ignored.

“The impact of one attack against the president, or against a high-level political or sports figure, of course, would be potentially much more devastating,” Povolny says. “A human life can’t really be mitigated.”

Defenses and mitigations

It isn’t always obvious how to reduce the odds of such nightmare scenarios. Hospital administrators should, as Woods puts it, “get [their] stuff off Shodan” by closing external access to IoT devices.

But the network segmentation approach, which helps an office or home network keep the most important systems inaccessible to lower-priority traffic, may not be viable for hospitals. Even if they don’t have legacy technology using hard-coded Internet Protocol addresses—which Woods says made one health care segmentation project an 18-month endeavor—there’s still a fundamental need for the swift transmission of information.

“Network segmentation in hospitals is difficult because data needs to flow between subnetworks and departments without obstruction,” Carlton says.

Or as Woods puts it, “Interoperability problems probably kill more people than security problems.”
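The three concrete checks raised in this article (external exposure, unchanged default credentials, and segmentation that still lets the agreed flows through) can be run as a routine audit of a device inventory. The script below is an added example, not code from The Parallax or any of the firms quoted; every segment, device name, address and flow record in it is constructed, and the DICOM and HL7/MLLP ports on the allowlist are just the flows a hospital might decide must not be obstructed. The segmentation check deliberately skips traffic that stays inside one segment: a segmentation policy only decides what may cross between segments, and that boundary is where deny-by-default applies.

```python
"""Inventory audit for the three points raised above: devices reachable from
the public Internet, devices still on factory default credentials, and traffic
that crosses department segments without being on the agreed allowlist.
Every device, address and flow below is constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed segment table: one subnet per department or device class.
SEGMENTS = {
    "radiology": ip_network("10.10.1.0/24"),
    "pacs":      ip_network("10.10.2.0/24"),
    "biomed":    ip_network("10.10.3.0/24"),
    "ehr":       ip_network("10.10.4.0/24"),
    "corp":      ip_network("10.20.0.0/16"),
}

# Constructed allowlist of the flows that must work unobstructed, as
# (source segment, destination segment, destination TCP port).
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("radiology", "pacs", 104),   # DICOM: modalities send images to the archive
    ("biomed", "ehr", 2575),      # HL7 over MLLP: bedside devices report to the EHR
    ("corp", "ehr", 443),         # clinician workstations reach the EHR web front end
}


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    default_creds_changed: bool   # False: still on the factory credentials
    internet_reachable: bool      # result of an external reachability check


# Constructed inventory; names and addresses are hypothetical.
INVENTORY: List[Device] = [
    Device("ct-scanner-1",      "10.10.1.10",  True,  False),
    Device("pacs-server",       "10.10.2.5",   True,  True),
    Device("infusion-pump-7",   "10.10.3.42",  False, False),
    Device("patient-monitor-3", "10.10.3.51",  False, True),
    Device("ehr-app",           "10.10.4.20",  True,  False),
    Device("nurse-ws-12",       "10.20.4.101", True,  False),
]

# Constructed flow records (source IP, destination IP, destination port),
# the kind of summary a flow collector or a switch span port would produce.
OBSERVED_FLOWS: List[Tuple[str, str, int]] = [
    ("10.10.1.10",  "10.10.2.5",  104),   # allowed: DICOM to the archive
    ("10.10.3.51",  "10.10.4.20", 2575),  # allowed: HL7 to the EHR
    ("10.20.4.101", "10.10.4.20", 443),   # allowed: workstation to EHR
    ("10.10.3.42",  "10.10.1.10", 445),   # pump to scanner over SMB: not on the list
    ("10.10.3.42",  "10.10.3.51", 445),   # same segment: segmentation does not decide this
    ("10.20.4.101", "10.10.3.51", 22),    # workstation to monitor over SSH: not on the list
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside the table."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def exposed_devices(inventory: List[Device]) -> List[str]:
    """Devices that answered an external reachability check ("get off Shodan")."""
    return sorted(d.name for d in inventory if d.internet_reachable)


def default_credential_devices(inventory: List[Device]) -> List[str]:
    """Devices whose factory credentials were never changed."""
    return sorted(d.name for d in inventory if not d.default_creds_changed)


def unexpected_cross_segment_flows(
    flows: List[Tuple[str, str, int]],
    allowed: Set[Tuple[str, str, int]] = ALLOWED_FLOWS,
) -> List[Tuple[str, str, int]]:
    """Flows that cross a segment boundary but are not on the allowlist.
    Traffic inside one segment is skipped: the policy only decides what may
    cross between segments, and that is where deny-by-default applies."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None or s == d:
            continue
        if (s, d, port) not in allowed:
            findings.append((src, dst, port))
    return findings


def audit(inventory: List[Device] = INVENTORY,
          flows: List[Tuple[str, str, int]] = OBSERVED_FLOWS) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "exposed": exposed_devices(inventory),
        "default_credentials": default_credential_devices(inventory),
        "unexpected_flows": unexpected_cross_segment_flows(flows),
    }


if __name__ == "__main__":
    for check, items in audit().items():
        print(f"{check}: {items}")
```

Run as-is it reports the two devices answering from the Internet, the two still on factory credentials, and the two cross-segment flows (SMB from the pump to the scanner, SSH from a workstation to a monitor) that nobody agreed to. The allowlist is the part worth arguing over with the departments, since, as Carlton and Woods note, a rule that blocks a flow clinicians depend on does its own kind of harm.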

Providing more transparency about the components and care of a networked medical device offers one way forward. In July, the Commerce Department’s National Telecommunications and Information Administration launched a software component transparency initiative to develop ways to define and share data about the code, open-source and proprietary, that goes into a commercial product.
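What that component transparency buys a hospital is the ability to answer, from its own records, "which of our devices contain this library at a version older than the fix?" The script below is an added example and not part of the NTIA initiative or anyone's product; it assumes a CycloneDX-style JSON layout (a `components` list of `name`/`version` entries) and uses two constructed SBOMs for hypothetical devices. The fix version passed to `affected_devices` is a placeholder: with a real advisory it would come from the vendor or the coordinating agency.

```python
"""Answer the question component transparency is meant to make answerable:
which devices contain component X at a version older than the fixed one?
The SBOM documents and the fix version below are constructed for this example."""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOMs for two hypothetical devices, reduced to
# the fields this example reads (real SBOMs carry far more metadata).
SBOMS: Dict[str, str] = {
    "patient-monitor-3": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libssl", "version": "1.0.2k"},
            {"type": "operating-system", "name": "busybox", "version": "1.27.2"},
        ],
    }),
    "infusion-pump-7": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "libssl", "version": "1.1.1t"},
            {"type": "library", "name": "libxml2", "version": "2.9.4"},
        ],
    }),
}


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Split '1.0.2k' into comparable pieces: numbers compare numerically and
    letter suffixes lexically, so '1.0.2k' < '1.1.1' < '1.1.1t'. Numeric pieces
    are tagged 0 and letters 1 so an int is never compared with a str."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def components_of(sbom_json: str) -> List[Tuple[str, str]]:
    """(name, version) pairs listed in one SBOM document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def affected_devices(sboms: Dict[str, str], component: str,
                     fixed_in: str) -> List[Tuple[str, str]]:
    """Devices whose SBOM lists `component` at a version older than `fixed_in`.
    `fixed_in` is the first version carrying the fix; here it is a placeholder
    supplied by the caller, not a real advisory value."""
    hits = []
    for device, doc in sboms.items():
        for name, version in components_of(doc):
            if name == component and version_key(version) < version_key(fixed_in):
                hits.append((device, version))
    return sorted(hits)


if __name__ == "__main__":
    # Placeholder query: which devices still carry libssl older than 1.1.1?
    print(affected_devices(SBOMS, "libssl", "1.1.1"))
```

The point of the example is the shape of the question, not the particular library: without a component list per device, the same question can only be answered by asking each vendor in turn, which is exactly the slow patch cycle Povolny describes next.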

Povolny points to his employer’s work to speed patch cycles. At McAfee, he says, “We’d really like to see faster patch cycles, faster adoption. We’d like to see vendors working more directly with security partners to engage them. We’d love to see more of an investment.”

For now, the health care system remains stuck with some particularly large and expensive legacy equipment, some worth millions of dollars. There will have to be a certain amount of muddling through—patching what can be patched, quarantining what can’t.

“This isn’t a problem that’s just going to disappear,” Carlton says, “because legacy devices will remain in the field for a long time to come. Hospitals can’t replace an MRI machine just because it has a bug in it.”