Medical devices, physical access operations and networking equipment are among the biggest sources of risk to businesses.
Drawing on metrics and data from the Forescout Device Cloud, Forescout identified points of risk inherent to device type, industry sector and cybersecurity policies. It determined that the riskiest device groups include smart buildings, medical devices, networking equipment and VoIP phones.
The data, correlated from around 11 million devices, highlighted the risk posed by connected medical devices because of their potential impact, both in terms of business continuity and in terms of potential harm to patients. Forescout said that alongside a reliance on new technologies and increased connectivity, it was witnessing an increase in the number and sophistication of vulnerabilities in medical devices and cyber-attacks on hospitals, although these rarely target medical devices directly.
Speaking to Infosecurity, Forescout research manager Daniel Dos Santos said this is the first time the company has undertaken such research at this scale, where there is a lot of available and powerful data. Looking at the details on medical and healthcare devices, Dos Santos said there are many types of devices: some are directly connected and some are on the diagnosis side, and they have an impact in different ways. “It doesn’t matter about the vulnerability as the easiest action is to crash the infusion pump, but whether the vulnerability is critical enough to be able to execute the attacker’s demands,” he said.
This also impacted the medical supply chain, where Dos Santos said devices are connected to workstations and ultimately to patient databases and prescriptions. “They should not talk to one another and networks should be isolated and segmented so the laptop doesn’t talk to the infusion pump,” he explained.
Forescout added that, according to its data sample, physical access control solutions were the riskiest due to the presence of many critical open ports, connectivity with devices and the presence of known vulnerabilities. In particular, Dos Santos named badge readers as being a surprise, as research showed that a badge reader could be reprogrammed to allow anyone to enter a building “and it is not the worst thing for an office, but think about airports, hospitals or government buildings, critical buildings.”
Dos Santos said he expected improvements on this type of data year-on-year, especially as awareness of the issue is growing, and with more improvements in segmentation. “We see signs of improvements and companies are more aware and know what to do and can mitigate risk,” he said.