Advice on patch management for resolving IoT vulnerabilities

Healthcare organizations rely on network-connected devices for patient care and to improve outcomes, but cybercriminals have made those devices a major entry point for attacks, and many organizations remain unprepared for the scale of the threat.

We asked Tyler Reguly, senior manager of security research and development at Fortra, how healthcare IT can improve device management and get a handle on Internet of Things device vulnerabilities, mobile device management practices and security frameworks, and for his advice on using artificial intelligence tools for security.

Monitoring healthcare entrances

Endpoint detection evasion, automated vulnerability intelligence gathering and advanced social engineering are just some of the newer weapons accelerating the growth of cyber threats to healthcare organizations and their extended networks.

Beyond the limits of their cyber resources, the challenge for healthcare IT teams is to keep pace with the growth of vulnerabilities, especially in IoT devices, that cybercriminals probe as potential attack vectors to reach the systems they want to disrupt or the protected health data they want to steal.

To stay ahead of patching needs, organizations must implement a strong vulnerability management program to deny larger threat actors – such as nation states – the advantage, says Tyler Reguly, senior manager of security research and development at Fortra.

As medical device software quickly becomes outdated, security experts at the HIMSS24 Healthcare Cybersecurity Forum last month recommended patching this category of IoT devices during scheduled maintenance.

However, patching delays, whatever the reason, leave healthcare organizations exposed to cybercriminals probing those unpatched devices for vectors of compromise, which makes network segmentation critical, Reguly said.

He also said that when it comes to healthcare, he is concerned about the interconnectivity of a complex array of devices – including mobile devices – and broad access to electronic health records.

“There are too many people walking around with tablets and phones that have access to a lot of health data,” said Reguly, who is also an IoT Hack Lab creator, in the following Q&A with Healthcare IT News.

Q. There are several frameworks that healthcare organizations can use to prepare for and prevent security misconfigurations and cybersecurity risks. What are the most important actions hospitals can take to address misconfigured security settings?

A. I find that the number of frameworks, benchmarks and policies for each sector can be overwhelming. Although these documents contain much valuable advice, there may be conflicting or confusing information. Hospitals need to focus on the basics.

There may be industry-specific standards to adhere to, but standards like the CIS Benchmarks are a good starting point. The CIS Benchmarks are simple and easy to follow. They’re also public and consensus-based, so you can see the process and even get involved.

At the end of the process, you may not be adhering to industry-specific standards, but you will know that you have a solid foundation and that the most risky misconfigurations have already been addressed. You can then stop and catch your breath before dealing with the more complex standards your organization needs to implement.

Q. Every year the number of network-connected devices for healthcare systems increases, and threat actors are constantly creating new weapons to attack them. What are your biggest concerns right now when it comes to IoT device security vulnerabilities?

A. I have two concerns when I think about the healthcare system and the interconnectedness of the systems involved. The first is related to the variety and complexity of the devices involved.

As more and more medical devices become networked, there is a lot of additional risk for lateral movement and additional methods to achieve network persistence. Much of this equipment is expensive, specialized and sometimes even restricted for purchase. This means that there are not many laboratories where this equipment can be tested, and there are not many researchers examining this equipment.

It also means that larger threat actors, such as nation states, have an advantage here.

They can let their researchers find new vulnerabilities in this equipment and take advantage of the fact that, for example, there aren’t as many people looking at network-attached MRIs as there are people researching Windows vulnerabilities. This is where network segmentation is critical and large, flat networks can significantly increase risk.

My second concern is with electronic medical records.

There are too many people walking around with tablets and phones that have access to a lot of health data. If you do not ensure adequate security and protection of these devices, there is a chance of a huge amount of data leakage.

While this software may be easier to obtain than medical hardware, it is still not the easiest or cheapest software to put in the hands of researchers, which also gives well-funded threat actors the upper hand with these devices.

Tracking and locking down these devices is critical in healthcare environments. The thought of someone reading my blood work, then opening the app store and downloading a game to play really worries me.
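The point about flat networks versus segmentation can be made concrete by modelling lateral movement as reachability under a zone policy. The following is an added example written for this page, not code from the article, from Fortra or from any product; the hosts, zones and policy rules are constructed for illustration and do not describe a real hospital network.

```python
"""Compare lateral-movement reach on a flat network versus a segmented one.

Added example; the topology and policy below are constructed, not real.
"""
from collections import deque

# Constructed hosts, each assigned to a network zone (assumed zone names).
HOSTS = {
    "byod-tablet-17": "byod",
    "nurse-ws-01": "clinical-ws",
    "ehr-app-01": "ehr",
    "ehr-db-01": "ehr-db",
    "mri-01": "modality",
    "infusion-pump-03": "modality",
}

# Segmented policy: allowed (source zone, destination zone) flows.
# Anything not listed is denied. Modality devices accept traffic only from
# the clinical workstation zone; BYOD devices reach only the EHR app tier.
SEGMENTED_POLICY = {
    ("byod", "ehr"),
    ("clinical-ws", "ehr"),
    ("clinical-ws", "modality"),
    ("ehr", "ehr-db"),
}


def allowed(policy, src_zone, dst_zone):
    """Return True if traffic from src_zone to dst_zone is permitted.

    A policy of None models a flat network where every host can reach every
    other host. Under a real policy, intra-zone traffic is always allowed.
    """
    if policy is None:
        return True
    return src_zone == dst_zone or (src_zone, dst_zone) in policy


def reachable(hosts, policy, start):
    """Hosts an attacker who controls `start` can pivot to, hop by hop.

    Worst-case model: every host the attacker can reach is assumed to be
    compromisable and becomes a new pivot point (lateral movement).
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for other in hosts:
            if other not in seen and allowed(policy, hosts[cur], hosts[other]):
                seen.add(other)
                queue.append(other)
    return seen - {start}


def blast_radius(hosts, policy, start):
    """Number of other hosts reachable from a compromised `start` host."""
    return len(reachable(hosts, policy, start))


if __name__ == "__main__":
    for start in ("byod-tablet-17", "nurse-ws-01"):
        flat = blast_radius(HOSTS, None, start)
        seg = blast_radius(HOSTS, SEGMENTED_POLICY, start)
        print(f"{start}: flat={flat} segmented={seg} "
              f"-> {sorted(reachable(HOSTS, SEGMENTED_POLICY, start))}")
```

On the flat network a compromised BYOD tablet reaches all five other hosts, including the MRI and the infusion pump; under the segmented policy it reaches only the EHR application and, through it, the database. The model deliberately ignores ports and authentication, which is the right assumption for the unpatched, rarely researched devices the answer describes: if an attacker can reach them, assume they fall.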

Q. After a quieter first quarter, Microsoft CVEs are on the rise again. How do you see the coming months going and what advice can you offer organizations to keep on top of these patches?

A. Microsoft vulnerabilities always seem to come in waves, with peaks and valleys.

This month saw a spike in vulnerabilities as a number of applications had a large number of associated vulnerabilities. It’s hard to prepare for these things, but since Microsoft is kind enough to schedule their updates, organizations should keep their schedules organized.

If your security team hasn’t blocked out the second Tuesday of the month to review and prioritize updates, that’s a critical change you need to make.

In addition, strong asset management and asset inventory systems are critical.

During the April Patch Tuesday, there were over thirty CVEs that could be eliminated simply by knowing that there were no instances of Microsoft SQL Server deployed in your environment. These two techniques, combined with a strong vulnerability management program, will help an organization stay ahead of the patch crisis we face today.
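The asset-inventory check described above, filtering a monthly patch release down to the CVEs that actually apply, looks like this in practice. The code is an added example for this page, not from the article, from Microsoft or from Fortra; the CVE identifiers, product families and inventory are constructed placeholders, not the real April release.

```python
"""Filter a monthly patch release against an asset inventory.

Added example. CVE IDs below are placeholders (CVE-0000-...), and the
product names and inventory are assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str              # affected product family, e.g. "SQL Server"
    severity: str             # vendor rating: "Critical", "Important", ...
    exploited: bool = False   # known to be exploited in the wild


@dataclass
class Asset:
    hostname: str
    products: set[str] = field(default_factory=set)


# Constructed sample release (placeholder IDs, not real CVEs).
RELEASE = [
    Cve("CVE-0000-0001", "Windows", "Critical", exploited=True),
    Cve("CVE-0000-0002", "Windows", "Important"),
    Cve("CVE-0000-0003", "SQL Server", "Important"),
    Cve("CVE-0000-0004", "SQL Server", "Important"),
    Cve("CVE-0000-0005", "Office", "Critical"),
    Cve("CVE-0000-0006", "Exchange Server", "Critical"),
]

# Constructed sample inventory: no SQL Server or Exchange anywhere.
INVENTORY = [
    Asset("nurse-station-01", {"Windows", "Office"}),
    Asset("nurse-station-02", {"Windows", "Office"}),
    Asset("ehr-app-01", {"Windows"}),
]

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def installed_products(inventory):
    """Union of product families present anywhere in the inventory."""
    return set().union(*(a.products for a in inventory))


def triage(release, inventory):
    """Split a release into (applicable, not_applicable) CVE lists.

    A CVE applies only if its product family appears in the inventory.
    Applicable CVEs are ordered exploited-first, then by severity, so the
    Patch Tuesday review starts with what matters most.
    """
    present = installed_products(inventory)
    applicable = [c for c in release if c.product in present]
    not_applicable = [c for c in release if c.product not in present]
    applicable.sort(key=lambda c: (not c.exploited,
                                   SEVERITY_RANK.get(c.severity, 99),
                                   c.cve_id))
    return applicable, not_applicable


def affected_hosts(cve, inventory):
    """Hostnames that carry the product a CVE affects."""
    return sorted(a.hostname for a in inventory if cve.product in a.products)


if __name__ == "__main__":
    todo, skip = triage(RELEASE, INVENTORY)
    print(f"{len(skip)} of {len(RELEASE)} CVEs do not apply to this inventory")
    for c in todo:
        flag = "EXPLOITED" if c.exploited else ""
        print(c.cve_id, c.product, c.severity, flag, affected_hosts(c, INVENTORY))
```

Matching on product family is a coarse first pass; a real triage also matches versions and builds before marking a CVE as not applicable. The more important caveat is the one the answer implies: the filter is only as trustworthy as the inventory, and a device that never made it into the inventory, which is common for networked medical equipment, is silently excluded from patching rather than prioritized.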

Q. Healthcare providers are susceptible to man-in-the-middle attacks where cyber actors can misuse real-time conversations and other protected data. With the increase in remote work and WiFi network usage, how can providers that rely on mobile access and BYOD devices detect and eliminate MITM attacks that can lead to data breaches?

A. The level of protection is really up to the provider. I’ve been in situations where my entire device, even though it was BYOD, was managed by my employer and they had already implemented the management policies.

I also got a hardware VPN endpoint and had to connect my devices to it to connect to the internal network. These actions may be frowned upon by employees today, but they are actions that can be taken in a safe environment.

I think the important point is to operate from a position of zero trust.

Limit what your remote workers can access, limit what’s visible to externally connected users to only the data they need, and leverage multi-factor authentication everywhere.

I’ve mentioned it before, but network segmentation is really a crucial security control that can help in many situations.

Q. Artificial intelligence could allow society to automate tasks and improve performance. How can AI help organizations keep pace with constantly evolving vulnerabilities?

A. At this time, I don’t think individual organizations should rely on this technology internally.

While a fully staffed, well-funded security team has the capabilities to conduct internal research into the use of AI, these technologies are still in their infancy. Instead, organizations should continue to leverage cybersecurity vendors and experts to stay current. I suspect that these organizations are using AI in various ways to expand their capabilities, but for now you have to leave that to the various service providers.

As the technology continues to be streamlined and simplified in the future, there will be plenty of opportunities for organizations to put it into practice. For now, an occasional question to ChatGPT to provide clarity on a topic should be more than enough for most organizations’ staff.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.