Patch management advice for fixing IoT vulnerabilities

To improve healthcare cybersecurity, an organization can shore up Internet-enabled device misconfigurations by starting with CIS Benchmarks, before moving on to industry-specific standards, Fortra’s Tyler Reguly said.
By Andrea Fox
10:41 AM


While healthcare organizations depend on network-connected devices for patient care and to improve healthcare delivery, cybercriminals have made those devices important entry points for attacks, and many healthcare organizations are still unprepared for the scope of cyber threats.

We asked Tyler Reguly, senior manager of security research and development at Fortra, how healthcare IT can improve device management and get a handle on Internet of Things device security vulnerabilities, mobile device management practices and security frameworks, and for his advice on leveraging artificial intelligence tools for security.

Guarding healthcare's entrances

Endpoint-detection evasion, automated vulnerability intelligence gathering and sophisticated social engineering are just a few of the newer weapons hastening the growth of cyber threats to healthcare organizations and their vast networks.

Beyond limited security resources, the readiness challenge for health IT teams lies in keeping pace with the growing number of vulnerabilities, particularly in IoT devices, that cybercriminals will explore as attack vectors to reach the systems they want to disrupt or the protected health data they want to steal.

To stay ahead of patching needs, organizations must implement a strong vulnerability management program to deny larger threat actors – like nation-states – the advantage, said Tyler Reguly, senior manager of security research and development at Fortra.

Because medical device software goes out of date quickly, security experts at the HIMSS24 Healthcare Cybersecurity Forum last month advised patching this category of IoT devices during scheduled maintenance. 

However, patching lag, whatever its cause, exposes healthcare organizations to the risk that cybercriminals are exploring these devices for possible vectors of compromise, which makes network segmentation critical, according to Reguly.

He also said that, when it comes to healthcare, he is concerned about the interconnectivity of a complex array of devices – including mobile devices – and broad access to electronic health records.

“There are too many people walking around with tablets and phones that have access to a lot of health data,” Reguly, who is also an IoT Hack Lab creator, said in the following Q&A with Healthcare IT News.

Q. There are several frameworks that healthcare organizations can use to prepare for and prevent security misconfigurations and cybersecurity risks. What are the most important actions hospitals can take to address improperly configured security settings?

A. I find that the number of frameworks, benchmarks and policies for any industry can be overwhelming. While there’s a lot of valuable advice within these documents, there can be conflicting or confusing information. Hospitals should focus on the basics. 

There may be industry-specific standards to adhere to, but standards like the CIS Benchmarks are a great starting point. The CIS Benchmarks are straightforward – easy to follow. They are also public, and built by consensus, so you can see the process, and even get involved. 

At the end of the process, you may not adhere to industry-specific standards, but you’ll know that you have a solid base and that the riskiest misconfigurations have already been addressed. You’ll then be able to stop and take a breath before you tackle the more complex standards that your organization is required to implement. 

Q. Each year, the number of network-connected devices gets larger for health systems, and threat actors are always devising new persistent weapons to attack them. What are your top concerns right now for IoT device-security vulnerabilities?

A. I have two concerns when I think about the healthcare system and the interconnectedness of the systems involved. The first is related to the variety and complexity of the devices involved. 

With more and more medical devices connected to the network, you have a lot of additional risk of lateral movement and additional methods of obtaining network persistence. A lot of this equipment is expensive, specialized, and sometimes even restricted when it comes to purchasing. This means that there aren’t a lot of labs for testing this equipment, and there aren’t a lot of researchers that are exploring this equipment. 

It also means that larger threat actors, like nation-states, have an advantage here. 

They can have their researchers find new vulnerabilities in this equipment and take advantage of the fact that there aren’t as many people looking at network-connected MRIs, for example, as there are people researching Windows vulnerabilities. This is where network segmentation is critical, and large, flat networks can greatly increase risk. 

My second concern is electronic health records. 

There are too many people walking around with tablets and phones that have access to a lot of health data. If you don’t ensure adequate security and protection of these devices, there is the potential for a huge amount of data leakage. 

While this software can be easier to obtain than medical hardware, it still isn’t the easiest and cheapest software to put in the hands of researchers, giving threat actors that are well funded the upper hand with these devices as well. 

Tracking these devices and locking them down is critical in healthcare environments. The thought of someone reading my blood work, and then opening up the app store and downloading a game to play concerns me greatly. 

Q. After a quieter first quarter, Microsoft CVEs are on the rise again. How do you see the months ahead playing out, and what advice can you offer organizations to keep up with these patches?

A. Microsoft vulnerabilities always seem to come in waves, with peaks and valleys. 

This month saw a spike in vulnerabilities due to a couple of applications having large numbers of associated vulnerabilities. It is difficult to prepare for these things, but since Microsoft is kind enough to schedule their updates, organizations should keep their calendars clear. 

If your security team doesn’t have the second Tuesday of the month blocked off to review the updates and prioritize them, that is a critical change to make. 

Additionally, strong asset management and asset inventory systems are key. 

The April Patch Tuesday saw more than 30 CVEs that could be eliminated simply by knowing that there were no instances of Microsoft SQL Server deployed in your environment. These two techniques, married with a strong vulnerability management program, will help an organization stay ahead of the patching crisis that we have these days. 
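The inventory-driven elimination Reguly describes can be made concrete. The following Python is an added example, not code from Fortra or from the interview: it takes a month's worth of advisories and an asset inventory and splits them into advisories that need patching and advisories that can be set aside because nothing in the environment runs the affected product. The advisory identifiers (CVE-EXAMPLE-*), product names, severities and host counts are all constructed for the demonstration; the ordering rule (known-exploited first, then severity, then number of exposed hosts) is one reasonable prioritization, not a standard.

```python
"""Inventory-driven CVE triage.

Added example with constructed data; not Fortra's code and not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str          # constructed identifier, e.g. "CVE-EXAMPLE-0001"
    products: frozenset  # affected products, lowercase, whitespace-normalized
    severity: str        # "critical" | "important" | "moderate" | "low"
    exploited: bool = False  # vendor reports in-the-wild exploitation


SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


def normalize(name: str) -> str:
    """Make inventory and advisory product names comparable."""
    return " ".join(name.lower().split())


def triage(advisories, inventory):
    """Split advisories into (actionable, eliminated) using the asset inventory.

    inventory maps a product name to the number of hosts running it. An advisory is
    eliminated when none of its affected products has at least one deployed host.
    actionable is a list of (advisory, exposed_hosts) sorted exploited-first, then by
    severity, then by how many hosts are exposed.
    """
    deployed = {normalize(p): n for p, n in inventory.items() if n > 0}
    actionable, eliminated = [], []
    for adv in advisories:
        hits = {p: deployed[p] for p in adv.products if p in deployed}
        if hits:
            actionable.append((adv, sum(hits.values())))
        else:
            eliminated.append(adv)
    actionable.sort(
        key=lambda item: (not item[0].exploited,
                          SEVERITY_RANK[item[0].severity],
                          -item[1])
    )
    return actionable, eliminated


# Constructed sample data: a hypothetical Patch Tuesday and a hospital inventory
# with no SQL Server deployed (the count is zero, so it is treated as absent).
SAMPLE_ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", frozenset({"microsoft sql server 2019"}), "critical"),
    Advisory("CVE-EXAMPLE-0002", frozenset({"microsoft sql server 2022"}), "important"),
    Advisory("CVE-EXAMPLE-0003", frozenset({"windows 11", "windows server 2019"}),
             "important", exploited=True),
    Advisory("CVE-EXAMPLE-0004", frozenset({"windows server 2019"}), "critical"),
    Advisory("CVE-EXAMPLE-0005", frozenset({"microsoft office"}), "moderate"),
]
SAMPLE_INVENTORY = {
    "Windows 11": 1200,
    "Windows Server 2019": 40,
    "Microsoft Office": 900,
    "Microsoft SQL Server 2019": 0,
}


def example_run():
    """Return (actionable CVE ids in priority order, eliminated CVE ids)."""
    actionable, eliminated = triage(SAMPLE_ADVISORIES, SAMPLE_INVENTORY)
    return [a.cve_id for a, _ in actionable], [a.cve_id for a in eliminated]


if __name__ == "__main__":
    todo, skipped = example_run()
    print("Patch in this order:", todo)
    print("Not applicable (product not deployed):", skipped)
```

The value of the script is entirely dependent on the inventory being accurate: a product recorded with zero hosts that is in fact running on a forgotten appliance will be silently dropped, which is why Reguly pairs asset inventory with the vulnerability management program rather than treating either alone as sufficient.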

Q. Healthcare providers are susceptible to man-in-the-middle attacks, where cyber actors can exploit real-time conversations and other protected data. With the increase of remote work and use of WiFi networks, how can providers that rely on mobile access and BYOD devices detect and eliminate MITM attacks that could result in data breaches?

A. The level of protection is really up to the provider. I’ve been in situations where my entire device, even though it was BYOD, was controlled by my employer, and they deployed all the management policies. 

I’ve also been given a hardware VPN endpoint and had to plug my devices into that in order to connect to the internal network. These actions may be frowned upon today by employees, but they are actions that can be taken in a secure environment. 

I think the important point is to operate from a position of zero trust. 

Restrict what your remote employees have access to, limit what is exposed to externally connected users to only the data they require, and leverage multifactor authentication everywhere. 

I’ve mentioned it before, but network segmentation really is a critical security control that can help in many situations. 

Q. Artificial intelligence could allow society to automate tasks and improve performance. How can AI help organizations keep up with constantly evolving vulnerabilities?

A. At this point, I don’t think that individual organizations should be relying on this technology internally. 

While a fully staffed, well-funded security team may have the capabilities to investigate utilizing AI internally, these technologies are still in their infancy. Instead, organizations should continue to leverage vendors and experts in cybersecurity to stay up to date. I would suspect that those organizations are leveraging AI in various ways to extend their capabilities, but that should be left to your various service providers for now. 

In the future, once the technology is further streamlined and simplified, there will be plenty of opportunities for organizations to put it to use. For now, the occasional question to ChatGPT to provide clarity around a topic should be more than sufficient for staff at most organizations.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
