Health network security is slowly improving

Healthcare delivery organizations (HDOs) have been busy strengthening the security of their networks and systems over the past year, although more needs to be done, according to Forescout researchers.

That’s the good news: the percentage of devices running unsupported Windows operating systems has dropped from 71% in 2019 to 32% in 2020, and there have been improvements in timely patching and network segmentation.

The bad news? Some network segmentation issues still arise and HDOs still use insecure protocols for medical and non-medical network communications, as well as for external communications.

The results

Based on two data sources – an analysis of network traffic from five major hospitals and clinics and the Forescout Device Cloud (containing data for some 3.3 million devices in hundreds of healthcare networks) – the researchers found that between April 2019 and April 2020:

  • The percentage of devices running Windows operating system versions that will be supported for more than a year increased from 29% to 68%, and the percentage of devices running Windows versions that are supported only through a paid ESU (Extended Security Updates) program decreased from 71% to 32%. Unfortunately, the percentage of devices running Windows versions that are no longer supported at all, such as Windows XP and Windows Server 2003, has remained constant (albeit low)
  • There has been a marked increase in network segmentation


Unfortunately, most network segments (VLANs) still have a mix of healthcare and IT devices or healthcare, personal and OT devices, or mix sensitive and vulnerable devices.

Regarding communication protocols, they found that:

  • 4 out of 5 HDOs exchanged traffic between public and private IP addresses using a medical protocol, HL7, which carries medical information in plain text
  • 2 of the 5 HDOs had medical devices communicating over IT protocols with external servers reachable from outside the HDO perimeter
  • All HDOs were using outdated versions of communication protocols, both internally and externally (e.g. SSLv3, TLSv1.0 and TLSv1.1, SNMP v1 and v2, NTP v1 and v2, Telnet)
  • Many medical and proprietary protocols used by medical equipment lack encryption and authentication, or do not enforce their use (e.g. HL7, DICOM, POCT01, LIS02). The OT and IoT devices in use have a similar problem

This is quite a problem, because attacks exploiting these security holes could do a lot of damage, including stealing patient information, altering it, disrupting the normal behavior of medical devices, disrupting the normal functioning of the entire organization (e.g. via ransomware attack), etc.

Defense Strategies for Better Health Network Security

The researchers advised cyber defenders of HDOs to:

  • Find a way to “see” all devices on the network, whether they are compliant with company policies, and detect any malicious network behavior they may be exhibiting
  • Identify and fix weak and default passwords
  • Map the network flow of existing communications to help identify unintended external communications, prevent medical data from being publicly exposed, and detect the use of insecure protocols
  • Improve device segmentation (e.g. isolate fragile legacy apps and operating systems, segment device groups based on purpose, etc.)
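One way to act on the flow-mapping recommendation above, as an added example that is not from the report or from Forescout: a small Python checker that runs over flow records (source IP, destination IP, destination port, protocol label, as a traffic-analysis tool might export them) and flags outdated protocol versions, plain-text medical protocols, and medical devices talking to addresses outside the perimeter. The record format, the device inventory and the sample flows are constructed assumptions.

```python
import ipaddress

# Protocol labels the report calls out as outdated, as a traffic analyser might tag them.
OUTDATED = {"SSLv3", "TLSv1.0", "TLSv1.1", "SNMPv1", "SNMPv2", "SNMPv2c", "NTPv1", "NTPv2", "Telnet"}
# Medical protocols that lack, or do not enforce, encryption and authentication.
PLAINTEXT_MEDICAL = {"HL7", "DICOM", "POCT01", "LIS02"}
# Constructed inventory of medical-device addresses (in practice fed from asset discovery).
MEDICAL_DEVICES = {"10.10.20.5", "10.10.20.6"}
# RFC 1918 ranges only; the documentation ranges used below (203.0.113.0/24 etc.) stand in for public space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def assess_flow(record: str) -> list[str]:
    """Return findings for one flow record 'src_ip,dst_ip,dst_port,protocol' (constructed format)."""
    src, dst, port, proto = (f.strip() for f in record.split(","))
    external = is_private(src) != is_private(dst)  # exactly one endpoint inside the perimeter
    findings = []
    if proto in OUTDATED:
        findings.append(f"outdated protocol {proto} ({'external' if external else 'internal'})")
    if proto in PLAINTEXT_MEDICAL:
        if external:
            findings.append(f"{proto} medical data crossing the perimeter in plain text")
        else:
            findings.append(f"plain-text medical protocol {proto} on an internal segment")
    elif external and MEDICAL_DEVICES & {src, dst}:
        device = src if src in MEDICAL_DEVICES else dst
        findings.append(f"medical device {device} communicating externally over {proto}:{port}")
    return findings

def scan(records: list[str]) -> dict[str, list[str]]:
    """Map each record that produced findings to its list of findings."""
    return {r: f for r in records if (f := assess_flow(r))}

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    "10.10.20.5,203.0.113.10,2575,HL7",      # medical device sends HL7 to a public address
    "10.10.30.7,10.10.20.6,104,DICOM",        # DICOM between internal segments
    "10.10.40.2,10.10.1.1,23,Telnet",         # Telnet to an internal switch
    "10.10.20.6,198.51.100.4,443,TLSv1.0",    # medical device, outdated TLS, external server
    "10.10.50.9,198.51.100.20,443,TLSv1.2",   # current TLS from a workstation: no finding
    "10.10.60.3,10.10.60.4,161,SNMPv2c",      # internal SNMPv2c polling
]

if __name__ == "__main__":
    for record, findings in scan(SAMPLE_FLOWS).items():
        print(record, "->", "; ".join(findings))
```

Five of the six sample flows produce a finding; only the current-TLS workstation flow passes clean.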

“Where possible, switch to using encrypted versions of protocols and eliminate the use of insecure plain-text protocols such as Telnet. Where this is not possible, use segmentation for zoning and risk mitigation,” they noted.

They also warned of the danger of over-segmentation.

“Segmentation requires well-defined trust zones based on device identity, risk profiles, and compliance requirements for it to be effective in reducing the attack surface and minimizing the blast radius. Over-segmentation with ill-defined areas simply increases complexity without tangible security benefits,” they concluded.

Kevin M. Risinger