The 4 Most Commonly Missed Endpoint Devices in Healthcare

“Endpoint” is a term that seems to have a variable definition in many of today’s organizations. As the name itself suggests, an endpoint is simply any connected device capable of processing, transmitting, or storing data packets. Despite this relatively simple definition, many organizations I have worked with are unable to produce a complete list of the endpoints they have.

This issue is exacerbated by the nature of the modern hospital and how device ownership is divided. Gone are the days when a digital device automatically became the purview of the IT department, where security measures and patches could be applied uniformly. Today there are many times more devices attached to the network, with significantly less control available to those trying to keep the data safe.

In the last few years, some trends have come to the surface regarding securing, and even knowing about, the devices on the network. Some of the most commonly missed areas in the modern healthcare facility are printers, biomedical devices, the Internet of Things, and the imaging suite. The sections below cover some of the common mistakes we see regarding these classes of devices and the steps that can be taken to get a better handle on what is actually happening in your network.

Printers and Multi-Function Devices

Starting with printers seems most fitting because this is an issue that affects all enterprises, not just healthcare. Printers and multi-function devices (MFDs) have gotten exponentially more complex in their processing power and functionality, but security controls have not evolved. In fact, many organizations don’t even manage their own printers, let alone ensure they have been securely configured or are regularly updated.

The most important way for an organization to gain some control over these devices is to make sure the parties that are responsible are also accountable and that you have the power to check up on them. It is not enough to simply put language in an MDS contract that they must ensure devices are updated and secure. It is your responsibility to check the devices and make sure they have actually been securely configured and that patches are applied in a timely manner.

Internet of Things

The next class of devices is also found in increasingly large numbers in all types of enterprises today, but is showing up on healthcare networks even more. The Internet of Things (IoT) is essentially any endpoint (remember, any connected device is an endpoint) that has not been through FDA approval and likely does not process patient health information or other highly sensitive data. However, these devices are generally made as cheaply as possible, and patches, secure configuration, and security controls are rarely up to date, let alone well executed.

IoT is another area where the “traditional” IT departments have little to no control over updates and patches, let alone over properly and securely configuring the devices. As with any endpoint, it cannot be secured if you don’t first know it is there. Taking inventory of all connected devices is the first step. Then, a baseline secure configuration should be established and enforced, along with regular scanning and vulnerability remediation.

Biomedical Devices

Biomedical devices (BioMed) are likely to only be found in a healthcare facility, but the differences between them and IoT are relatively small. These devices are rarely owned or even managed by IT departments and rarely are they securely configured, updated, or even inventoried in most of the hospitals we have worked with. Before a BioMed device can be sold to be used in a healthcare setting, the FDA does have to approve it. However, beyond checking for physical patient safety, the FDA only provides guidance and does not at the present time enforce updates after the initial approval.

As with other IoT devices, the first and most important step is to gather an accurate inventory of what is out there and which version of the firmware/OS each device is running. However, there is one way in which BioMed differs most from other IoT devices. Biomedical devices are rarely owned by the facility hosting them, and even with a thorough inventory, there is often not much that in-house security or IT staff can do. Mostly this happens because these devices are leased or purchased on contracts that give the manufacturers control over updates, patching, hardening, etc.

Imaging Suite

The imaging suite, as the part of a hospital that houses medical imaging devices such as MRIs and X-Ray machines, is the location of significant vulnerabilities in the modern healthcare facility. Much like IoT devices, they are rarely owned or managed by the IT or security departments and not likely to be owned by the hospital at all. Most of these devices cost millions of dollars and are expected to have a ten-plus year lifecycle. Because of the expense of these devices, it is even rarer that anyone except the manufacturer has any control over them.

Similar to how Biomed and IoT devices can be secured, the imaging suite can also benefit from a complete understanding of exactly what is connected to the network. These devices, being even more out of the hosting organization’s direct control, should be segmented onto a well-secured VLAN that cannot access sensitive systems or the internet.

Bringing it All Together

These devices are all endpoints and need as much attention as, if not more than, more traditional endpoints such as servers and laptops. Unknown devices are the most vulnerable, so the first and most critical step is to gather complete inventories in order to properly understand what exists and what needs to be addressed. Additionally, make sure that all vulnerable devices are on segmented and specially secured VLANs so their vulnerabilities will not be the cause of a breach while you work to remediate these issues.
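The two checks the article keeps returning to, in the IoT section and again here, are “do we know this device exists?” and “is it on the segmented VLAN it belongs on?”. The following Python is an added example (not code from the article or from CynergisTek) that reconciles a constructed asset register against constructed switch/DHCP observations and reports endpoints that were never inventoried and known devices sitting outside their expected VLAN. The device classes, MAC addresses, IPs and VLAN IDs are all placeholders.

```python
# Added example: reconcile what IT believes exists (asset register) against
# what is actually seen on the wire, flagging uninventoried endpoints and
# segmentation-policy violations. All data below is constructed.

# Constructed policy: VLAN each device class is supposed to live on (placeholder IDs).
EXPECTED_VLAN = {"printer": 110, "iot": 120, "biomed": 130, "imaging": 140}

# Constructed asset register keyed by MAC address (what IT believes exists).
REGISTER = {
    "00:11:22:33:44:01": {"name": "MFD-3rdFloor", "class": "printer"},
    "00:11:22:33:44:02": {"name": "InfusionPump-07", "class": "biomed"},
    "00:11:22:33:44:03": {"name": "MRI-1", "class": "imaging"},
    "00:11:22:33:44:04": {"name": "HVAC-Sensor-12", "class": "iot"},
}

# Constructed observations (mac, ip, vlan), e.g. a switch MAC table or DHCP lease export.
OBSERVED = [
    ("00:11:22:33:44:01", "10.1.110.20", 110),  # printer on the printer VLAN: fine
    ("00:11:22:33:44:02", "10.1.10.55", 10),    # infusion pump on the general user VLAN
    ("00:11:22:33:44:03", "10.1.140.5", 140),   # MRI on the imaging VLAN: fine
    ("00:11:22:33:44:05", "10.1.10.77", 10),    # never inventoried: unknown endpoint
]


def reconcile(register, observed, expected_vlan=EXPECTED_VLAN):
    """Return (mac, ip, vlan, issue, detail) tuples for unknown or misplaced devices."""
    findings = []
    for mac, ip, vlan in observed:
        entry = register.get(mac)
        if entry is None:
            findings.append((mac, ip, vlan, "unknown", "not in asset register"))
            continue
        want = expected_vlan.get(entry["class"])
        if want is not None and vlan != want:
            detail = f"{entry['name']} ({entry['class']}) expected VLAN {want}"
            findings.append((mac, ip, vlan, "wrong_vlan", detail))
    return findings


def stale_register_entries(register, observed):
    """Registered MACs never seen on the wire: the inventory itself is out of date."""
    seen = {mac for mac, _, _ in observed}
    return sorted(mac for mac in register if mac not in seen)


if __name__ == "__main__":
    for mac, ip, vlan, issue, detail in reconcile(REGISTER, OBSERVED):
        print(f"{issue:10} {mac} {ip} vlan={vlan}: {detail}")
    print("registered but never observed:", stale_register_entries(REGISTER, OBSERVED))
```

Running the same reconciliation on a schedule, against fresh exports, turns the one-time inventory the article asks for into a standing control that also catches devices that quietly disappear from the network.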

June 20th, 2018

About the Author:

John Nye
John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).