
Healthcare is consistently one of the most attacked critical industries – it is a prime ransomware target. The reasons are clear: it offers a huge attack surface that is poorly secured in a sector that must prioritize continuous operation. It is, in short, easily compromised and most likely to pay.
The problem stems from healthcare’s need to ensure medical systems are operational at all times – patients’ lives may depend upon it. This requirement makes patching difficult, and that is exacerbated by the need for FDA validation of any cybersecurity-related changes made to medical devices. It can frequently take more than a year to implement a patch on legacy technology running operating systems that are no longer supported by their vendors.
Claroty’s Team82 researchers have analyzed and quantified the threat, using data from the firm’s own clients who use its xDome platform. “It includes hundreds of health systems, and thousands of hospitals,” says Claroty’s healthcare industry principal Ty Greenhalgh. “So, we have a data lake of all the devices and their attributes.”
More specifically, the firm was able to analyze the security state of more than 2.25 million IoMT devices and more than 647,000 OT devices across 351 healthcare organizations – and found that 99% of the organizations are vulnerable to publicly available exploits (that is, vulnerabilities included in CISA’s KEV list); and 20% of hospital information systems contain KEVs linked to ransomware and are insecurely connected to the internet.
Triaging this volume of threats is a daunting if not impossible task; but the Team82 researchers propose a specific route. This process combines three main threat indicators: the presence of a KEV vulnerability, a known use of that vulnerability by ransomware actors, and insecure connectivity for the device concerned. (For these purposes, the report describes ‘insecure connectivity’ as “devices that are directly connected to the internet or are accessible using a non-enterprise-grade remote access solution”.)
Taking a Venn approach to these indicators, the most important vulnerabilities can be located where all three intersect. So, for example, applying this approach to healthcare’s 647,679 OT devices, 11,693 contain KEV vulnerabilities, 3,004 contain KEVs linked to ransomware, and 4,731 have insecure connectivity – but only 1,763 contain all three. That narrows the field to 1,763 of 647,679 OT devices, or just 0.3%.
These numbers are still daunting, but they apply to 351 organizations. Taking an unscientific approach, we could suggest that each organization is likely to have something like 1,845 OT devices (total divided by the number of organizations). Again unscientifically, if we apply the reduction to 0.3% of the total, this approach would highlight the 5 or 6 OT devices in a single organization that are most in need of special attention – and that is a much less daunting task.
If this same methodology is applied to the IoMT devices, the Venn approach reduces the total number of devices deserving extra attention to 22,500, or 1% of the total – which is then further reduced to around 65 per organization.
These guesstimates are far from accurate, especially the per-organization figures. The KEV catalog is not guaranteed to include all known exploitable vulnerabilities, but it is the best source available. Nor are KEVs the only vulnerabilities within these devices; but selecting KEVs linked to ransomware use isolates the most serious threats, and adding insecure connectivity as a third filter identifies the devices most vulnerable to ransomware attack. It’s an interesting approach to first-level triage in the healthcare sector.
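The three-way intersection described above, worked through in code as an added example (not from the report or from Claroty): a constructed device inventory with placeholder CVE ids is filtered by the three indicators, and the same arithmetic as in the text converts fleet-wide counts into a per-organization estimate. The KEV catalogue, the enterprise-grade remote-access labels and the device records are all assumed for illustration.

```python
from dataclasses import dataclass, field
# Constructed KEV-style catalogue (placeholder CVE ids, not CISA data): CVE id ->
# whether the entry is flagged as used by ransomware actors.
KEV_CATALOG = {
    "CVE-0000-0001": True,   # KEV, ransomware-linked
    "CVE-0000-0002": False,  # KEV, no known ransomware use
    "CVE-0000-0003": True,   # KEV, ransomware-linked
}
ENTERPRISE_REMOTE_ACCESS = {"none", "enterprise-vpn", "zero-trust-gateway"}  # assumed labels

@dataclass
class Device:
    device_id: str
    org: str
    cves: set = field(default_factory=set)
    internet_exposed: bool = False  # directly reachable from the internet
    remote_access: str = "none"     # how the device is reached remotely

def has_kev(d: Device) -> bool:
    return any(c in KEV_CATALOG for c in d.cves)

def has_ransomware_kev(d: Device) -> bool:
    return any(KEV_CATALOG.get(c, False) for c in d.cves)

def insecurely_connected(d: Device) -> bool:
    # Report's definition: direct internet exposure or non-enterprise remote access.
    return d.internet_exposed or d.remote_access not in ENTERPRISE_REMOTE_ACCESS

def triage(devices: list) -> dict:
    """Count each indicator and list the devices sitting in all three."""
    kev = {d.device_id for d in devices if has_kev(d)}
    ransomware = {d.device_id for d in devices if has_ransomware_kev(d)}
    insecure = {d.device_id for d in devices if insecurely_connected(d)}
    top = kev & ransomware & insecure
    return {"total": len(devices), "kev": len(kev), "ransomware_kev": len(ransomware),
            "insecure": len(insecure), "all_three": sorted(top)}

def per_org_estimate(total_devices: int, flagged: int, org_count: int) -> tuple:
    """Average fleet size and average flagged devices per organization."""
    return total_devices / org_count, flagged / org_count

# Constructed inventory: two organizations, six devices.
SAMPLE_DEVICES = [
    Device("ot-a-01", "org-a", {"CVE-0000-0001"}, internet_exposed=True),
    Device("ot-a-02", "org-a", {"CVE-0000-0002"}, internet_exposed=True),
    Device("ot-a-03", "org-a", {"CVE-0000-0001"}, remote_access="enterprise-vpn"),
    Device("ot-b-01", "org-b", {"CVE-0000-0003"}, remote_access="consumer-remote-desktop"),
    Device("ot-b-02", "org-b", set(), internet_exposed=True),
    Device("ot-b-03", "org-b", {"CVE-0000-0099"}),  # not in the KEV catalogue
]
```

Running `triage(SAMPLE_DEVICES)` leaves only the two devices that are KEV-affected, ransomware-linked and insecurely connected, and `per_org_estimate(647679, 1763, 351)` reproduces the roughly 1,845 devices and 5 flagged devices per organization quoted above.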
It is, however, only one step in a five-step process that Claroty recommends: scoping (critical processes), discovery (identify devices), prioritization (business impact and exploitability), validation (which exposures are real and reachable), and mobilization (actionable mitigations and remediations). The Venn triaging is step 3. Steps 1 and 2 are where you find the data for the triaging process, while steps 4 and 5 are what you should do with the results.
“Our goal in this report (PDF),” says Claroty, “was to shed light on the riskiest healthcare exposures and provide some context to help identify those assets most in jeopardy, and demonstrate the number of devices burdened not only by known and exploited vulnerabilities, but those that are most at risk to ransomware and extortion attacks, and insecurely connected to the internet.”