Threats against the clinical cyber environment come in many flavors. These threats range from automated malware and non-technical insiders to highly resourced cybercriminals and nation-state / Advanced Persistent Threat (APT) attackers. But even though the attackers and their motivations vary widely, all clinical threats take advantage of the same attack surface. Here’s what you need to know about the different threats facing the clinical vulnerability landscape:
Medical Device Design Flaws:
The FDA only began issuing strict security guidance for the design of medical devices in 2014. As a result, a significant proportion of the devices in the modern clinical ecosystem were designed with little or no security discipline: administrative and system-level credentials hard-coded into the product, no firewall rules for common protocols, and no system hardening.
Bad Authentication Practices:
Beyond the widespread use of default and/or hard-coded credentials, most medical devices have limited resilience in their authentication workflow. Devices often have a “break glass” function that grants access without full authentication; if that path is not built securely it becomes an additional attack surface. Additionally, most devices can easily be brute-forced because common controls like account lockouts are not typically designed into the products.
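As an added illustration (not code from the original article or from any device vendor), the Python snippet below shows the two controls this section says are usually absent: an account lockout after repeated failures, and a break-glass path that still records who used it and why and expires on its own instead of being an unauthenticated back door. The account name, thresholds and secret are constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5        # failed attempts before the account locks (constructed value)
LOCKOUT_SECONDS = 900   # lockout window, 15 minutes (constructed value)
BREAK_GLASS_TTL = 600   # emergency session lifetime in seconds (constructed value)


@dataclass
class AuthGate:
    """Per-account lockout plus an audited, time-boxed break-glass path."""
    credentials: dict                                   # account -> expected secret
    failures: dict = field(default_factory=dict)        # account -> (count, last_fail_ts)
    audit_log: list = field(default_factory=list)       # append-only event record

    def is_locked(self, account, now):
        count, last = self.failures.get(account, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS

    def login(self, account, secret, now=None):
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            self.audit_log.append(("locked", account, now))
            return False
        expected = self.credentials.get(account, "")
        # Constant-time comparison so timing does not leak the secret.
        if expected and hmac.compare_digest(expected, secret):
            self.failures.pop(account, None)          # reset counter on success
            self.audit_log.append(("login", account, now))
            return True
        count, _ = self.failures.get(account, (0, 0.0))
        self.failures[account] = (count + 1, now)     # count towards lockout
        self.audit_log.append(("failure", account, now))
        return False

    def break_glass(self, clinician_id, reason, now=None):
        """Emergency access without a password: identity and reason are
        mandatory and logged, and the session expires after BREAK_GLASS_TTL."""
        now = time.time() if now is None else now
        if not clinician_id or not reason:
            return None                               # no anonymous emergency access
        session = {"who": clinician_id, "why": reason, "expires": now + BREAK_GLASS_TTL}
        self.audit_log.append(("break_glass", clinician_id, now, reason))
        return session

    def session_valid(self, session, now=None):
        now = time.time() if now is None else now
        return session is not None and now < session["expires"]
```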
Exploitation of Known Vulnerabilities:
Because most medical devices are built on COTS operating systems, like Linux and Windows, and use common open-source components like the Apache web server, vulnerabilities in those widely used products trickle down to medical devices. Vulnerabilities like Heartbleed, Shellshock, BlueKeep, and Zerologon have all affected numerous clinical devices. Because of the difficulty of patching those devices, vulnerabilities that have long been fixed in other products often linger for significant periods of time in clinical technology.
Specific Medical Device Vulnerabilities:
Over the past decade, a community of researchers has dedicated itself to discovering new vulnerabilities in medical devices. Vulnerabilities in widely used products have been published, presented at security conferences, and written about in security trade journals. These vulnerabilities include:
- “Dark” Clinical Technology Vulnerabilities: Clinical technology vendors often issue patches and advisories only for the specific product a vulnerability was reported against. A vulnerability that affects one part of a vendor’s product line can often be found, unpatched, in other parts of the same product line. Attackers who focus on clinical technologies know to look more widely for exploitable conditions.
- True Zero-Day Vulnerabilities: Because of the wide prevalence of known vulnerabilities, true zero-day vulnerabilities are not usually required to compromise modern clinical technologies.
Knowing which vulnerabilities are at play in your clinical environment helps reduce the risk, and mitigate the cost, of the next attack against it.