Healthcare organizations use medical imaging equipment including X-rays, CT, MRI, and ultrasound to diagnose and treat patients. These machines contain sensitive patient information, which could make them ideal targets for malicious actors seeking to exfiltrate data. 

Malicious actors can target medical imaging equipment in many ways, including exploiting unpatched vulnerabilities. The longer a vulnerability remains unpatched, the more likely a threat actor can use it to target and compromise equipment. A hacked imaging machine could have serious implications for patient care, including misdiagnosis or exposure of sensitive patient data. 

Healthcare organizations should understand the cybersecurity risks of vulnerable imaging equipment and how to mitigate them effectively.

Medical Imaging Equipment Vulnerability Management Challenges

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about 11 new vulnerabilities impacting GE HealthCare ultrasound products, which ranged from 5.7 (medium) to 9.6 (critical) on the CVSS scoring system. The more serious vulnerabilities could allow a threat actor to install ransomware or access and manipulate patient data, but only if they had physical access to the machine’s embedded keyboard and trackpad. 

Existing mitigations and controls are sufficient to reduce the risk of compromise to acceptable levels for GE ultrasound products. However, to some degree, these vulnerabilities are emblematic of the problem where vendors fail to manufacture highly secure products. As a result, the burden of patching vulnerable equipment falls disproportionately on healthcare facilities. 

There are an average of 6.2 vulnerabilities per medical device, with recalls issued for critical devices and imaging equipment and more than 40 percent of those are at the end-of-life stage, offering little to no security patches or upgrades. Healthcare organizations often lack the resources to patch all their connected IoT equipment. According to Ponemon, over half of the healthcare organizations reported a lack of in-house cybersecurity expertise in 2023, a 53% increase from 2022. 

When healthcare organizations fail to implement cybersecurity protections, cyberattacks can occur. Most notably, the 2017 Wannacry ransomware attack impacted more than 60 National Health Service (NHS) facilities in the United Kingdom. Threat actors exploited a known vulnerability in Microsoft Windows’s Server Message Block (SMB) protocol implementation to execute the attack.

Vulnerability management is complex. Thousands of new vulnerabilities are discovered monthly, and in 2023, vulnerability exploitation nearly tripled as a means for attackers to gain initial access to a network. However, vulnerability scoring alone is insufficient as it fails to account for access controls and other mitigations, the context of how and where the medical imaging equipment is used, and how likely the vulnerability is to be exploited.

How to Safeguard Medical Imaging Equipment

A critical part of managing cybersecurity risk is layering protections together to build robust defenses for healthcare networks and connected medical imaging equipment. 

Access Controls

While connected medical equipment can be accessed remotely, many vulnerabilities require physical access to exploit. Healthcare facilities should limit access to imaging equipment to authorized personnel only. As a best practice, personnel with access to imaging equipment and other sensitive devices should use keycards or other physical access controls to enter the space where the machine is located.

To protect IoT medical equipment accessible from the network, healthcare organizations can layer other compensating security controls such as multi-factor authentication (MFA) and strong passwords. 

Inventory and Utilization

Utilization involves inventorying how often a machine is used for patient care or procedures to manage healthcare assets. Utilization monitoring is helpful for healthcare capital planning and for gaining insights into equipment location and usage. 

The Asimily IoMT Risk Management platform offers granular insight into utilization metrics and machine location. Monitoring equipment usage throughout the day allows healthcare personnel to determine when to perform maintenance that would otherwise be disruptive to patient care, like patching critical vulnerabilities. Utilization can also help healthcare organizations justify deviation from the original equipment manufacturer’s (OEM) recommended maintenance activities and intervals. Higher utilization often correlates with impact scores for a vulnerability, which can increase its remediation priority for well-attuned organizations.

Inventorying medical imaging equipment can also help organizations understand their attack surface, which is the totality of all possible entry points a malicious user can try to compromise to gain access to a network or information. With a comprehensive medical device and imaging equipment inventory, security and IT teams can collaborate more effectively, enabling them to share responsibilities when necessary.

Identify and Remediate Vulnerabilities

Healthcare organizations need to understand more than just whether or not a medical imaging machine contains vulnerabilities. Many connected medical machines can respond unpredictably to traditional active network scanners. With passive scanning, they can identify and prioritize the vulnerabilities that pose a direct risk to their unique environment and medical equipment ecosystem. 

Passive-first approaches to scanning can provide several valuable insights about the vulnerabilities that attackers are most likely to exploit, including:

• Exploitable vulnerabilities within the environment 
• Exploitable vulnerabilities for each specific device and medical imaging machine
• Provide guidance for patching based on exploitability
• Mitigation recommendations specific to the asset, such as applying security updates or using compensating controls for medical imaging equipment

Monitor for Anomalous Behavior

All imaging equipment on a network should only communicate with known IP addresses in well-understood ways. Early detection of anomalous behavior can enhance a security team’s ability to respond to an in-progress attack. For connected imaging equipment, this may include communicating with unknown IP addresses, sudden changes to configurations, or unapproved access to sensitive patient information.  For many – think infusion pumps in hospitals or occupancy sensors in hotel rooms – they work perfectly well with minimal data volume. A high volume of data traveling through one would be a telltale indicator of compromise (IoC).  However, that’s not the case for most imaging modalities, which need to send GB of data regularly for PACS (likely via DICOM). In fact, the person considered to have the world’s first 10Gb home internet service was a radiologist. 

When security teams receive high-fidelity alerts that cover the totality of a network, they can detect attacks faster and make better decisions, potentially mitigating the severity of a cyberattack.

Asimily: Securing Medical Imaging Equipment

Asimily is designed with connected medical imaging equipment in mind. Our risk scoring provides information on high-risk vulnerabilities. At the same time, our proprietary algorithm leverages vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide the most efficient actionable remediation steps to reduce risk and save time.

Asimily’s recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions. To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.