New research from Cynerio finds that healthcare organizations must adopt zero-trust architecture to better defend their networks, systems, and devices from an ongoing barrage of attack techniques. The architecture does away with the traditional security perimeter, assuming that every user and device on the network could potentially be malicious.
Zero-trust architecture enables healthcare organizations to significantly reduce the risks of ransomware, outdated vendor firmware, and unsecured services by configuring policies that block unnecessary communications with healthcare IoT devices, according to a Cynerio blog post. It also helps to segment the network so that attackers are contained within a specific segment, to harden services running on connected medical and IoT devices to reduce their security impact, and to quarantine infected devices to prevent a breach from spreading, the post added.
The three most common threats affecting healthcare organizations are ransomware, outdated vendor firmware, and unsecured services, Cynerio said. Over the last year, researchers have studied hundreds of cybersecurity threats driving healthcare organizations to consider adopting a zero-trust approach.
“A ‘zero-trust’ model of security provides new tools to digitize operations while maintaining security,” Carmen Garibi, a director at 1898 & Co., wrote in a company blog post. “A unique, preventive approach to filling the gap in the security market is needed to allow industrial operators to effectively defend themselves against threats: by implementing zero-trust security to authenticate the user and device/system, even though someone may have already gained access to either of the (formerly) trusted networks,” she added.
Zero-trust authentication (ZTA) focuses less on the structure of a network, which may always be permeable, and more on individual resources or assets, access to each of which must be authenticated, a whitepaper released by the not-for-profit organization MITRE said. ZTA-based asset authentication allows asset access to be controlled ‘vertically’ (between varying levels of an enterprise) and ‘horizontally’ (between varying assets and asset groups), thereby significantly reducing an enterprise’s attack surface, simplifying compliance, and enabling more flexible business models.
ZTA provides for scalable, software-defined ‘precision access’ by authorized users to specific internal resources and to platform and partner/customer environments, using a cloud-based security infrastructure that mediates zero trust-based, specific access, MITRE added.
“Zero Trust is a security model that requires strict identity verification and moves the decision to authenticate and authorize closer to the resource,” wrote cybersecurity expert Anastasios Arampatzis in a post for Adacom. “The definition of Zero Trust indicates that its focus is on authentication, authorization, and minimizing implicit trust zones while maintaining availability and providing seamless authentication mechanisms,” he added.
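The per-resource authorization that the MITRE whitepaper and Arampatzis describe, together with the quarantine step mentioned earlier, as an added example that is not code from Cynerio, MITRE or Adacom: a small policy decision point in Python in which network location by itself never grants access. Every request carries a user, a device with verified identity and posture, and the specific resource and action; anything not explicitly allowed is denied, and a device flagged as infected loses all access until it is cleared. The device names, segments, resources and policy rules are constructed for illustration.

```python
"""Added example: a minimal zero-trust policy decision point for a clinical
network. Not Cynerio's, MITRE's or Adacom's code; the device names, segments,
resources and rules below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    segment: str           # network segment the device was enrolled into
    authenticated: bool    # device certificate validated at connection time
    quarantined: bool = False


@dataclass(frozen=True)
class Request:
    user: str
    user_mfa: bool         # did the user complete MFA for this session?
    device: Device
    resource: str          # the specific asset being accessed
    action: str            # e.g. "read" or "write"


# Policy is keyed by resource, not by network: each resource lists the device
# segments allowed to reach it, the permitted actions, and whether the user
# must have MFA. Any resource absent from this table is denied by default.
POLICY: Dict[str, dict] = {
    "pump-config-api": {"segments": {"biomed-workstations"},
                        "actions": {"read", "write"}, "mfa": True},
    "ehr-db": {"segments": {"clinical-workstations"},
               "actions": {"read"}, "mfa": True},
    "pump-telemetry": {"segments": {"infusion-pumps"},
                       "actions": {"write"}, "mfa": False},
}


def decide(req: Request) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Each check is a reason to deny;
    only a complete match allows, so the default outcome is deny."""
    if req.device.quarantined:
        return "deny", "device is quarantined"
    if not req.device.authenticated:
        return "deny", "device identity not verified"
    rule = POLICY.get(req.resource)
    if rule is None:
        return "deny", "no policy for resource (default deny)"
    if req.device.segment not in rule["segments"]:
        return "deny", f"segment '{req.device.segment}' may not reach '{req.resource}'"
    if req.action not in rule["actions"]:
        return "deny", f"action '{req.action}' not permitted on '{req.resource}'"
    if rule["mfa"] and not req.user_mfa:
        return "deny", "MFA required for this resource"
    return "allow", "all policy conditions met"


def quarantine(device: Device) -> Device:
    """Containment step: a device flagged as infected keeps its segment but
    loses all access until it is cleared."""
    return replace(device, quarantined=True)


def demo() -> List[Tuple[str, str, str]]:
    """Run a handful of constructed requests through the decision point."""
    pump = Device("pump-07", "infusion-pumps", authenticated=True)
    workstation = Device("ws-12", "clinical-workstations", authenticated=True)
    unknown = Device("laptop-x", "guest-wifi", authenticated=False)
    cases = [
        ("pump writes telemetry", Request("svc-pump", False, pump, "pump-telemetry", "write")),
        ("pump reads EHR", Request("svc-pump", False, pump, "ehr-db", "read")),
        ("nurse reads EHR with MFA", Request("nurse1", True, workstation, "ehr-db", "read")),
        ("nurse reads EHR without MFA", Request("nurse1", False, workstation, "ehr-db", "read")),
        ("unenrolled laptop", Request("visitor", True, unknown, "pump-config-api", "read")),
        ("quarantined pump", Request("svc-pump", False, quarantine(pump), "pump-telemetry", "write")),
    ]
    return [(label, *decide(req)) for label, req in cases]


if __name__ == "__main__":
    for label, verdict, reason in demo():
        print(f"{verdict:5}  {label}: {reason}")
```

Note that the pump and the nurse's workstation sit on the same hospital network, yet the pump cannot read the EHR database and the workstation cannot push pump telemetry: the decision is made per resource, which is what keeps an intruder who has landed on one device from roaming to others.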
Headquartered in New York, Cynerio empowers healthcare chief information security officers (CISOs) by providing them with complete control over the security of their connected clinical engineering and IoT ecosystem, ensuring data protection, service continuity and patient safety.
Cynerio revealed that 96 percent of infusion pumps in healthcare facilities were affected by URGENT/11 or Ripple20 TCP/IP stack vulnerabilities. URGENT/11 vulnerabilities are found in IPnet, a network communications component that is no longer supported by its original developer. But it is still incorporated into software applications, equipment, and systems used by a variety of healthcare IoT and industrial devices.
Ripple20 is a series of 19 critical vulnerabilities, with four more security weaknesses recently discovered in the Treck TCP/IP stack. In many devices, Treck is a low-level component and administrators may not be aware it is used on the device.
Sixty-three percent of infusion pumps, including the Baxter Sigma model, are vulnerable to Ripple20, and 33 percent of infusion pumps across Cynerio’s deployments, including the Alaris model, are vulnerable to URGENT/11 vulnerabilities, Cynerio revealed.
If unpatched, URGENT/11 or Ripple20 vulnerabilities can lead to the exposure and theft of electronically protected health information (ePHI), denial of service (DoS) attacks powerful enough to shut down clinical networks, and logic flaws that can interrupt normal device functionality. In other circumstances, adversaries can take remote control of medical and other IoT devices, disrupting clinical workflow and exfiltrating sensitive data from the device or connected systems.
With thousands of devices in an average hospital, it is infeasible for IT and security teams to manually test every device to discover open services, and traditional network scanning tools often cannot recognize these devices as medical devices. In some cases, scanning can interrupt their clinical operation.
However, unmanaged service vulnerabilities provide hackers with easy access to live video streams of hospital activity, jeopardize the safety of the hospital, and compromise patient privacy. They can also unintentionally expose large quantities of ePHI to unauthorized users and hackers, impact the operational and business continuity of affected departments, and expose ePHI in the form of photo and video images.
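One way to discover which services a medical device exposes without scanning it, as an added example that is not code from Cynerio: the script below builds a service inventory purely from flow records of the kind a network tap or switch exports, then flags services a device type is not expected to serve and connections from outside the segments allowed to reach it, including a video stream served to an unmanaged host. The device inventory, segment ranges, addresses and flow lines are all constructed.

```python
"""Added example: passive service discovery for medical devices from flow
records. Not Cynerio's code; the inventory, segment ranges, addresses and
flow lines are constructed for illustration."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed device inventory: what each device is and which ports it is
# expected to serve. In practice this comes from the asset inventory.
INVENTORY: Dict[str, dict] = {
    "10.20.1.10": {"name": "infusion-pump-07", "type": "infusion-pump", "expected_ports": {443}},
    "10.20.1.11": {"name": "infusion-pump-08", "type": "infusion-pump", "expected_ports": {443}},
    "10.20.2.5":  {"name": "ward-camera-03",   "type": "ip-camera",     "expected_ports": {554}},
}

# Segments permitted to initiate connections to each device type (constructed).
ALLOWED_SOURCES: Dict[str, List[ipaddress.IPv4Network]] = {
    "infusion-pump": [ipaddress.ip_network("10.20.1.0/24"),   # other pumps / pump gateway
                      ipaddress.ip_network("10.30.0.0/24")],  # biomed workstations
    "ip-camera":     [ipaddress.ip_network("10.40.0.0/24")],  # video management server
}

# Constructed flow records: timestamp src sport dst dport proto bytes
FLOWS = """\
2024-01-01T10:00:01 10.30.0.15 50112 10.20.1.10 443 tcp 8120
2024-01-01T10:00:05 10.99.7.4 51000 10.20.1.11 23 tcp 310
2024-01-01T10:00:09 10.40.0.9 40000 10.20.2.5 554 tcp 2200000
2024-01-01T10:00:12 192.168.77.3 40001 10.20.2.5 554 tcp 1900000
2024-01-01T10:00:15 10.20.1.10 45000 10.30.0.15 443 tcp 900
"""


def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def passive_inventory(flow_text: str = FLOWS) -> Dict[str, Set[int]]:
    """Ports each inventoried device has been observed serving, learned only
    from traffic addressed to it; nothing is ever sent to the device."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in flow_text.strip().splitlines():
        f = parse_flow(line)
        if f["dst"] in INVENTORY:
            seen[f["dst"]].add(f["dport"])
    return dict(seen)


def findings(flow_text: str = FLOWS) -> List[Tuple[str, str, str]]:
    """Flag (device, finding, detail) for services a device type should not
    expose and for sources outside the segments allowed to reach it."""
    out: List[Tuple[str, str, str]] = []
    for line in flow_text.strip().splitlines():
        f = parse_flow(line)
        dev = INVENTORY.get(f["dst"])
        if dev is None:          # flows to non-inventoried hosts are out of scope here
            continue
        src = ipaddress.ip_address(f["src"])
        svc = f"{f['dport']}/{f['proto']}"
        if f["dport"] not in dev["expected_ports"]:
            out.append((dev["name"], "unexpected-service", f"{svc} served to {src}"))
        if not any(src in net for net in ALLOWED_SOURCES[dev["type"]]):
            out.append((dev["name"], "unmanaged-source",
                        f"{src} reached {svc}, {f['bytes']} bytes"))
    return out


if __name__ == "__main__":
    for ip, ports in passive_inventory().items():
        print(INVENTORY[ip]["name"], sorted(ports))
    for item in findings():
        print(*item)
```

On the constructed records this yields two findings for the pump that answered on telnet from an unknown subnet and one for the ward camera whose RTSP stream was pulled by a host outside the video management segment; the flow from the first pump to a biomed workstation produces nothing, since the pump is the client there, not the server.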
The National Institute of Standards and Technology (NIST) has also published the NIST SP 800-207, Zero Trust Architecture, which serves as a blueprint for zero-trust and “gives general deployment models and use cases where zero-trust could improve an enterprise’s overall information technology security posture.”
Rising digital transformation in the connected healthcare sector is unavoidable, despite the cybersecurity concerns. Pushed forward by the COVID-19 pandemic, the landscape has changed to include greater adoption of regulations, standards and guidelines in various countries and at a regional level, along with the protection of information systems and medical information. It now also includes cybersecurity requirements for network-connected medical devices, critical infrastructure protection, and privacy protection.